BlackLotus, New UEFI Rootkit Which Makes Researchers Worry


“BlackLotus” is offered on underground forums as an omnipotent firmware rootkit capable of surviving any removal attempt and bypassing the most advanced Windows protection tools. That is, if real malware samples can prove that the offer is genuine.

It is reported that a new, powerful UEFI rootkit is for sale on underground forums, offering advanced attack capabilities that were previously available only to intelligence services and state-sponsored threat groups. BlackLotus, as the unknown seller calls the malware, is a firmware rootkit that can bypass Windows protections and run malicious code at the lowest level of the x86 protection rings.

According to security researchers who noticed BlackLotus ads on cybercrime forums, a single user license for the rootkit costs up to $5,000, and each subsequent code rebuild costs “only” $200. Given the capabilities listed by the seller, even $5,000 could be a bargain for cybercriminals and hackers around the world.

As security researcher Scott Scheferman summarized, BlackLotus is written in assembler and C, weighs 80 kilobytes (about 81,920 bytes in total), and is vendor-agnostic. The rootkit includes anti-virtual-machine and anti-debugging functions and code obfuscation to block or hinder analysis attempts, provides kernel-level (ring 0) “agent protection” for persistence in the UEFI firmware, and comes with a full-featured installation guide and a FAQ.

Like any other proper rootkit, BlackLotus is loaded at the very first stages of the boot process, before the Windows startup phase. The malware is claimed to bypass many Windows protections, including Secure Boot, UAC, BitLocker, HVCI and Windows Defender, while offering the ability to load unsigned drivers. Other advanced features include a full-featured file transfer mode and a “vulnerable signed bootloader” that cannot be revoked without affecting the hundreds of bootloaders still in use today.

Scott Scheferman highlights the danger that BlackLotus poses to modern firmware-based security, as it makes a threat level previously available only to state-sponsored Advanced Persistent Threat (APT) groups, such as the Russian GRU or China’s APT 41, accessible to everyone. The new UEFI rootkit could be a real breakthrough for cybercriminals in terms of ease of use, scalability, accessibility, persistence, evasion and destructive capability.

UEFI rootkits were once considered very rare and specialized threats, but numerous discoveries over the past few years have shown a completely different picture. As for BlackLotus, the security community will need to analyze an actual malware sample to determine whether the advertised features are real and production-ready, or whether the whole thing is just an elaborate scam.
