Microsoft has provided guidance to help organizations identify whether their machines have been targeted or compromised by the BlackLotus UEFI bootkit, which exploits the CVE-2022-21894 vulnerability. The company's advice can also be used by organizations and individuals to recover from an attack and to prevent threat actors using BlackLotus from achieving persistence and evading detection. BlackLotus has been available on hacking forums since last year, advertised as malware that evades antivirus detection, resists removal attempts, and can disable various security features such as Defender, HVCI, and BitLocker. The malware's capabilities were confirmed in early March by researchers at the cybersecurity company ESET, who noted that it functioned exactly as advertised.
UEFI malware is particularly challenging to detect because it runs before the operating system starts, allowing it to deploy payloads early in the boot process to disable security mechanisms. Analyzing devices compromised with BlackLotus, the Microsoft Incident Response team identified several points in the malware's installation and execution process that allow its detection. Defenders can look for specific artifacts to identify a BlackLotus UEFI bootkit infection. One telltale sign is recently modified and locked files in the EFI system partition (ESP), especially if they match known BlackLotus bootloader file names. Microsoft recommends removing such devices from the network and examining them for evidence of BlackLotus activity.
To mount the boot partition and check the creation dates of the bootloader files for mismatches, Microsoft suggests using the mountvol command-line utility. If the modification times do not look suspicious, threat hunters can try to calculate the hash of the bootloader files. On a compromised device, the output should be a file access error, because BlackLotus locks the files to prevent tampering. Another indication of BlackLotus is the presence of a "/system32/" directory on the ESP, which is the storage location for the files required to install the UEFI malware. Successful installation of BlackLotus deletes the files inside "ESP:/system32/", but the directory remains. Forensic analysts can use this to search for the removed files.
BlackLotus has the capability to disable hypervisor-protected code integrity (HVCI), which allows it to load unsigned kernel code. This is achieved by changing the Enabled value of the HVCI registry key to 0 (zero). Another security feature that BlackLotus disables is Microsoft Defender Antivirus, the default security agent on the Windows operating system. This action may leave traces in the Windows Event Logs in the form of an entry in the Microsoft-Windows-Windows Defender/Operational log. Turning off Defender may also generate Event ID 7023 in the System event log as a result of the service stopping unexpectedly.
Microsoft investigators advise threat hunters to examine network logs for outbound connections from winlogon.exe on port 80, which may indicate BlackLotus trying to communicate with its command and control (C2) server. Additional evidence of BlackLotus compromise can be present in the boot configuration logs, the MeasuredBoot logs, which provide details about the Windows boot process. When the bootkit becomes active, two boot drivers become available, specifically grubx64.efi and winload.efi. By comparing the logs for each reboot of the system, analysts can find the components that have been added to or removed from each machine boot.
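The host-side checks described in the preceding paragraphs (locked or recently modified bootloaders on the ESP, the leftover "system32" directory, the HVCI registry value, Event ID 7023, and winlogon.exe talking on port 80) collected into one triage script. This is an added example, not Microsoft's published script; it assumes drive letter S: is free, uses an arbitrary 30-day look-back, and takes the HVCI registry path from Windows documentation rather than from the article.

```powershell
# Added triage script (not Microsoft's code): checks a Windows host for the BlackLotus
# indicators described above. Run from an elevated PowerShell session. Assumptions: drive
# letter S: is unused; the 30-day look-back is an arbitrary threshold, not one Microsoft gives.
$Esp = 'S:'
$Cutoff = (Get-Date).AddDays(-30)

mountvol $Esp /S | Out-Null          # mount the EFI system partition
try {
    # 1. Recently modified or unreadable (locked) bootloaders under EFI\
    Get-ChildItem -Path "$Esp\EFI" -Recurse -File -Filter '*.efi' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $hash = $null
            try {
                $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                # Hashing fails on files BlackLotus has locked against tampering.
            }
            [pscustomobject]@{
                Path      = $file.FullName
                LastWrite = $file.LastWriteTime
                Recent    = $file.LastWriteTime -gt $Cutoff
                Locked    = ($null -eq $hash)
                SHA256    = $hash
            }
        } | Where-Object { $_.Recent -or $_.Locked } | Format-Table -AutoSize

    # 2. Staging directory left behind after installation (contents deleted, directory kept).
    if (Test-Path "$Esp\system32") {
        Write-Warning "Found $Esp\system32 - preserve the volume for forensic recovery of deleted files."
    }
}
finally {
    mountvol $Esp /D                 # dismount again
}

# 3. HVCI switched off. Documented Windows registry location, not taken from the article.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
if ($hvci -and $hvci.Enabled -eq 0) { Write-Warning 'HVCI Enabled value is 0' }

# 4. Defender service stopping unexpectedly (Event ID 7023 in the System log).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender' } | Select-Object TimeCreated, Message

# 5. Live check: winlogon.exe with an established outbound connection on port 80.
Get-NetTCPConnection -RemotePort 80 -State Established -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -eq 'winlogon' } |
    Select-Object LocalAddress, RemoteAddress, OwningProcess
```

Any hit in steps 1 to 3 is a reason to isolate the device and image the ESP before the rebuild the next paragraph describes; steps 4 and 5 are corroborating signals, not proof on their own.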
To clean a machine after a BlackLotus infection, it must be removed from the network and reinstalled with a clean operating system and EFI partition, or restored from a clean backup with an EFI partition. Defenders can prevent compromise by detecting an intrusion before the adversary can deploy UEFI malware. Launching a UEFI bootkit requires privileged access to the target machine, either remote or physical, meaning that a first-stage threat and an initial access vector precede the persistent infection. To fend off an infection via BlackLotus or other malware exploiting CVE-2022-21894, Microsoft recommends organizations practice the principle of least privilege and credential hygiene, as well as implementing multiple layers of security controls to reduce the risk of an adversary gaining access or administrative privilege in the environment.