[MART] - Daily Diary #615 - Black Lotus, A New UEFI Rootkit For Sale

ctas-mat at appgate.com
Mon Oct 17 22:33:56 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

10/17/2022 - Diary entry #615:

A new vendor-independent Microsoft Windows UEFI rootkit named Black Lotus was recently discovered being advertised on underground criminal forums for $5,000 and $200 per new version.

This new UEFI rootkit can execute malicious code before the boot process completes, bypassing Secure Boot and User Account Control (UAC) and disabling security features such as BitLocker and Windows Defender. It is then able to load unsigned drivers and achieve persistence at the UEFI level, running in Ring 0 on the infected device.

Black Lotus is a very lightweight payload (80 KB) written in C and assembly, with anti-VM, anti-debugging, and geolocation filtering capabilities; the geolocation filter is used to avoid infecting machines in the CIS (Commonwealth of Independent States) region. It provides fully featured tasking and file transfer, as well as several capabilities to operate undetected.

Considering Black Lotus' capabilities, it is worrying that a UEFI rootkit is available on underground forums, allowing threat actors to operate stealthily at a low level.
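The entry lists the protections this rootkit is said to defeat or switch off: Secure Boot, UAC, BitLocker, Windows Defender, and driver signature enforcement. The following read-only posture check is an added example written for this diary entry; it is not code from the MART post, from Appgate, or from any analysis of Black Lotus itself. It assumes Windows 10/11 with PowerShell 5.1 or later, the BitLocker and Defender PowerShell modules installed, and an elevated session (Confirm-SecureBootUEFI requires administrator rights). The function name Get-BootProtectionPosture and the report field names are this example's own choices; every cmdlet, registry path and CIM class used is a standard Windows one.

```powershell
# Added example (not from the MART post or Appgate): report the state of the
# protections the diary entry says Black Lotus targets. Read-only; changes nothing.
# Assumes Windows 10/11, PowerShell 5.1+, BitLocker and Defender modules, elevated shell.

function Get-BootProtectionPosture {
    $report = [ordered]@{}

    # 1. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware,
    #    so that case is recorded instead of aborting the whole report.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = "Not queryable: $($_.Exception.Message)"
    }

    # 2. UAC. EnableLUA = 1 under the Policies\System key means User Account Control is on.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name EnableLUA -ErrorAction SilentlyContinue
    $report.UacEnabled = ($null -ne $uac -and $uac.EnableLUA -eq 1)

    # 3. BitLocker. List every volume whose protection is not 'On'.
    $bl = Get-BitLockerVolume -ErrorAction SilentlyContinue
    if ($bl) {
        $report.BitLockerUnprotectedVolumes = @($bl |
            Where-Object { $_.ProtectionStatus -ne 'On' } |
            ForEach-Object { $_.MountPoint })
    } else {
        $report.BitLockerUnprotectedVolumes = 'BitLocker module not available'
    }

    # 4. Defender. Both the engine and real-time protection should be enabled.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $report.DefenderAntivirusEnabled    = $mp.AntivirusEnabled
        $report.DefenderRealTimeProtection  = $mp.RealTimeProtectionEnabled
    } else {
        $report.DefenderAntivirusEnabled    = 'Defender module not available'
    }

    # 5. Running kernel drivers whose image does not carry a valid Authenticode signature.
    #    PathName may use the '\??\' or '\SystemRoot\' NT prefixes; normalise before checking.
    #    In-box drivers are normally catalog-signed, which PowerShell 5.1+ verifies, but
    #    treat any hit here as a lead to investigate rather than proof of tampering.
    $unsigned = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver |
                         Where-Object { $_.State -eq 'Running' -and $_.PathName }) {
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Name            = $drv.Name
                    Path            = $path
                    SignatureStatus = $sig.Status
                }
            }
        }
    }
    $report.RunningDriversWithoutValidSignature = @($unsigned)

    return [pscustomobject]$report
}

# Usage: run from an elevated PowerShell session and review anything that is
# $false, non-empty, or marked as not queryable.
Get-BootProtectionPosture | Format-List
```

The check deliberately reports rather than remediates: a machine where Secure Boot reads as disabled or a running driver has no valid signature should be pulled for firmware-level investigation (for example, dumping and comparing the SPI flash image against a known-good one), since a UEFI-resident implant can re-disable any setting this script would flip back.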

Kind Regards,




Malware Analysis and Research Team

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>
