The BlackLotus UEFI bootkit can bypass Secure Boot even on fully patched Windows 11 devices that have it enabled, making it the first known in-the-wild malware to do so, reports The Register.
The bypass relies on BlackLotus' exploitation of CVE-2022-21894, a Secure Boot vulnerability Microsoft patched in January 2022. The patch does not stop the bootkit because the vulnerable, validly signed boot binaries had not been added to the UEFI revocation database (DBX), so an attacker can bring them back and they still pass Secure Boot. Once running, the bootkit disables other security mechanisms, including Windows Defender, Hypervisor-protected Code Integrity (HVCI), and BitLocker, and bypasses User Account Control, according to an ESET report. BlackLotus then deploys a kernel driver that protects the bootkit's files from removal, as well as an HTTP downloader that contacts the command-and-control server and executes the payloads it retrieves, the report showed.
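Because the patch only matters if the old signed binaries are actually revoked, the practical check is whether a given boot binary's hash appears in the firmware's DBX. The following is an added example, not code from the ESET report or from Microsoft: it parses the EFI_SIGNATURE_LIST layout that db/dbx use (per the UEFI specification) and reports whether a PE image's Authenticode SHA-256 is blocklisted. The sample DBX blob, its SignatureOwner GUID and the two hashes are constructed for illustration and are not real revocation data. To run it against a live system, feed it `(Get-SecureBootUEFI -Name dbx).Bytes` on Windows, or the dbx efivar on Linux after stripping its 4-byte attribute prefix, together with the Authenticode hash of the boot manager you want to check.

```python
"""Parse the UEFI Secure Boot forbidden-signature database (dbx) and check
whether a PE image hash is revoked. Added example; sample data is constructed."""
from __future__ import annotations

import struct
import uuid

# SignatureType GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_FMT = "<16sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; every entry in a list has the same size."""
    if any(len(d) != len(datas[0]) for d in datas):
        raise ValueError("entries in one EFI_SIGNATURE_LIST must be equal-sized")
    sig_size = 16 + len(datas[0])  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + d for d in datas)
    hdr = struct.pack(HEADER_FMT, sig_type.bytes_le, HEADER_LEN + len(body), 0, sig_size)
    return hdr + body


def parse_signature_lists(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (the layout of
    db/dbx) and return (SignatureType, SignatureOwner, SignatureData) per entry."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off)
        end = off + list_size
        body = off + HEADER_LEN + hdr_size
        if list_size < HEADER_LEN or end > len(blob) or body > end:
            raise ValueError(f"bad SignatureListSize at offset {off}")
        if sig_size <= 16 or (end - body) % sig_size:
            raise ValueError(f"bad SignatureSize at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        while body < end:
            owner = uuid.UUID(bytes_le=blob[body:body + 16])
            entries.append((sig_type, owner, blob[body + 16:body + sig_size]))
            body += sig_size
        off = end
    return entries


def revoked_sha256_hashes(dbx: bytes) -> set[str]:
    """Hex digests of every PE image whose Authenticode SHA-256 is blocklisted."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(dbx)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(dbx: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the image hash is in dbx, i.e. firmware will refuse to boot it."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx)


def from_efivars(raw: bytes) -> bytes:
    """Linux's /sys/firmware/efi/efivars/dbx-<guid> prepends 4 bytes of variable
    attributes; Windows' Get-SecureBootUEFI returns the bare variable contents."""
    return raw[4:]


# Constructed sample dbx (not real revocation data): two SHA-256 entries and
# one X.509 entry under a made-up SignatureOwner GUID.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_HASH_A = bytes(range(32))
SAMPLE_HASH_B = bytes(range(32, 64))
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [SAMPLE_HASH_A, SAMPLE_HASH_B])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82\x01\x00" + b"\x00" * 16])
)

if __name__ == "__main__":
    print(f"{len(revoked_sha256_hashes(SAMPLE_DBX))} revoked image hashes in sample dbx")
    print("hash A revoked:", is_revoked(SAMPLE_DBX, SAMPLE_HASH_A.hex()))
    print("all-zero hash revoked:", is_revoked(SAMPLE_DBX, "00" * 32))
```

Note that the value to look up is the Authenticode hash of the PE file (computed over the image with the checksum and certificate-table fields excluded), not a plain SHA-256 of the file on disk; a plain file hash will never match a DBX entry.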
"It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled," said ESET malware analyst Martin Smolár.