Blacklotus

Malware updated 2 months ago (2024-09-13T19:17:43.052Z)
BlackLotus is malware that targets the Unified Extensible Firmware Interface (UEFI) and Secure Boot, exploiting vulnerabilities in them to gain persistent kernel access and privileges. It was first detected in 2022, when security researchers discovered a UEFI bootkit being sold on hacking forums for $5,000. By late 2022, BlackLotus had evolved into a user-mode component, an HTTP downloader, identified through telemetry data. The malware can bypass Secure Boot, which is designed to prevent malware from loading during system startup, thereby disrupting operations and potentially stealing personal information.

In May 2023, Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932) that was being actively exploited by the BlackLotus bootkit. Exploitation required either physical access or administrative rights to the system. Despite this patch, the threat persisted, with BlackLotus continuing to exploit the system's vulnerabilities, highlighting the ongoing challenges in maintaining Secure Boot security. The malware, which was also sold on Dark Web forums for $5,000, demonstrated the potential for future malicious activity related to Secure Boot.

Solutions such as Eclypsium's help enterprises monitor and track firmware threats throughout the infrastructure supply chain, including detecting BlackLotus, detecting tampering with bootloaders and firmware, and supporting critical firmware updates for remediation. However, experts warn of an increasing number of implants that exploit similar flaws to maintain persistence and evade higher-level security measures. It is therefore crucial for organizations to remain vigilant about such threats and to have robust security measures in place to mitigate the risks associated with malware like BlackLotus.
Description last updated: 2024-09-13T19:16:11.201Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias description: CVE-2022-21894 is a possible alias for Blacklotus. CVE-2022-21894, also known as "Baton Drop," is a significant vulnerability in software design or implementation that affects Windows machines. It was identified and patched by Microsoft in January 2022. This flaw bypasses security features during the device's startup process, specifically the Secure
Votes: 8
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bootkit
Vulnerability
Malware
Windows
Microsoft
Exploit
exploited
flaw
NSA
Rootkit
ESET
Payload
Firmware
Exploits
Downloader
GitHub
Zero Day
Loader
Associated Malware
Alias description: The LoJax Malware is associated with Blacklotus. LoJax is a unique and sophisticated piece of malware that targets the Unified Extensible Firmware Interface (UEFI) of a computer. First detected in 2018, LoJax was attributed to the Sednit group, also known as Fancy Bear, and it represented a significant leap in malware technology by being the first
Association type: Unspecified
Votes: 2
Associated Vulnerabilities
Alias description: The CVE-2023-24932 Vulnerability is associated with Blacklotus. CVE-2023-24932 is a significant vulnerability identified in Microsoft's Secure Boot Security Feature. This flaw in software design or implementation allowed for a bypass of the Secure Boot function, presenting a considerable security risk. The vulnerability was exploited in the wild and became assoc
Association type: Unspecified
Votes: 5

Alias description: The Baton Drop Vulnerability is associated with Blacklotus. The Baton Drop vulnerability, designated CVE-2022-21894, is a flaw in the Windows boot loader that can be exploited to bypass Secure Boot - a security control that protects a Windows system during startup. This vulnerability was targeted by BlackLotus, a software threat that exploits two vulnerabili
Association type: Unspecified
Votes: 4
Source Document References
Information about the Blacklotus Malware was read from the documents corpus below. This display is limited to 20 results.
Source, Created
DARKReading, 2 months ago
DARKReading, 4 months ago
Securityaffairs, 5 months ago
BankInfoSecurity, 5 months ago
DARKReading, 7 months ago
Krebs on Security, 7 months ago
DARKReading, 9 months ago
Unit42, 9 months ago
CERT-EU, 10 months ago
CERT-EU, a year ago
BankInfoSecurity, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
DARKReading, a year ago
CERT-EU, a year ago
ESET, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
BankInfoSecurity, a year ago