Windows Secure Boot evaded by BlackLotus malware

Fully updated Windows 11 systems with UEFI Secure Boot enabled can be compromised by the BlackLotus UEFI bootkit, the first malware seen in the wild to achieve this, reports The Register. BlackLotus evades Secure Boot by exploiting CVE-2022-21894, a vulnerability Microsoft addressed in January 2022, and it also disables other security mechanisms, including Windows Defender, Hypervisor-protected Code Integrity, and BitLocker, and bypasses User Account Control, according to an ESET report. BlackLotus then deploys a kernel driver that protects the bootkit's files from removal, along with an HTTP downloader that executes payloads after contacting the command-and-control server, the report showed. "It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled," said ESET malware analyst Martin Smolár.
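As an added defender-side example (not part of the original report or of ESET's analysis), the following PowerShell script checks whether the protections the report says BlackLotus disables are still active on a host: UEFI Secure Boot, Hypervisor-protected Code Integrity, Defender real-time protection and BitLocker on the system drive. It uses only built-in Windows cmdlets and must run in an elevated session; the result object and the pass/fail summary are the script's own conventions.

```powershell
# Baseline check for the protections a Secure Boot bootkit such as
# BlackLotus is reported to disable. Run as Administrator.
function Get-BootIntegrityBaseline {
    $result = [ordered]@{}

    # 1. UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS.
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # 2. HVCI: SecurityServicesRunning contains 2 when HVCI is active,
    #    VirtualizationBasedSecurityStatus is 2 when VBS is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # 3. Microsoft Defender real-time protection.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.DefenderRealTime = [bool]$mp.RealTimeProtectionEnabled
    $result.DefenderAv       = [bool]$mp.AntivirusEnabled

    # 4. BitLocker protection on the OS volume (ProtectionStatus 'On').
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.BitLockerOn = ($bl.ProtectionStatus -eq 'On')

    return [pscustomobject]$result
}

$baseline = Get-BootIntegrityBaseline
$baseline | Format-List

# Any protection reported as $false warrants investigation: a bootkit that
# disables it leaves the other checks below as a visible deviation.
$failed = $baseline.PSObject.Properties | Where-Object { -not $_.Value } |
          Select-Object -ExpandProperty Name
if ($failed) {
    Write-Warning ("Protections not active: " + ($failed -join ', '))
    exit 1
}
Write-Host 'All checked boot-integrity protections are active.'
```

A non-zero exit code lets the script be scheduled or run from an endpoint management tool so that a sudden change in any of these values is surfaced for investigation.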
