The BlackLotus UEFI bootkit, malware that targets Windows systems and can bypass Secure Boot on fully patched Windows 11 installations, has had its source code leaked online. The bootkit is capable of evading security software, maintaining persistence on infected systems, and executing payloads with the highest level of privileges. It can also compromise the BitLocker data protection feature, Microsoft Defender Antivirus, and Hypervisor-protected Code Integrity (HVCI), which protects against attempts to exploit the Windows kernel.
Windows Secure Boot, a security feature that prevents untrusted bootloaders from loading during startup, was initially bypassed by BlackLotus by exploiting the 'Baton Drop' vulnerability (CVE-2022-21894), which was patched by Microsoft in January 2022. However, bypasses for the security update were discovered, allowing the bootkit to continue functioning and causing Microsoft to revoke additional Windows Boot Managers. This led to another security update for CVE-2023-24932 that revoked further malicious boot managers.
Microsoft has disabled the security update for CVE-2023-24932 by default, requiring a complex manual installation process for users to patch their systems. Microsoft warned that incorrect installation of the security fix could render systems unbootable or unrecoverable from Windows installation media. As a result, many users chose not to install the update, leaving their devices vulnerable to Secure Boot bypass attacks.
The BlackLotus malware, originally sold on hacker forums for as low as $5,000, allowed threat actors of varying skill levels to access malware typically associated with state-sponsored hacking groups. However, the source code was kept private, with the threat actor offering rebuilds for $200 to customers who wanted to customize the bootkit. The source code has now been leaked on GitHub by a user named 'Yukari,' making the tool widely accessible.
Yukari claims that the source code has been modified to remove the Baton Drop vulnerability and now uses the bootlicker UEFI rootkit, which is based on the CosmicStrand, MoonBounce, and ESPECTRE UEFI APT rootkits. Alex Matrosov, co-founder and CEO of Binarly, stated that the leaked source code is incomplete and primarily contains the rootkit and bootkit code used to bypass Secure Boot. Matrosov also noted that while the bootkit's techniques are not new, the source code leak makes it easy for threat actors to combine the bootkit with new bootloader vulnerabilities.
Despite Microsoft addressing the Secure Boot bypasses in CVE-2022-21894 and CVE-2023-24932, the security update is optional and the fixes are disabled by default. To protect against the BlackLotus UEFI bootkit threat, users are advised to follow the comprehensive mitigation advice published by the NSA. With the bootkit's source code now widely available, it is possible that skilled malware authors might create more potent variants that can bypass existing and future countermeasures. Matrosov warned that this particular attack vector offers significant advantages for attackers and is likely to become more sophisticated and complex.