Microsoft reveals there are ways IT teams can detect an "invisible" and stubbornly persistent piece of malware known as BlackLotus, as the Redmond giant publishes detailed guidance on defending against the UEFI bootkit.
BlackLotus is a sophisticated malware variant that targets the Unified Extensible Firmware Interface, or UEFI, the firmware interface that boots up virtually every component of today's computers.
Because it runs before the computer's operating system, placing the malware here means it can disable antivirus protections and even remain operational while security solutions are up and running. It also means that the malware will remain on the system even after the operating system is reinstalled, and even when the victim replaces the hard drive.
Recognizing the malware
Threat actors usually look to deploy BlackLotus by leveraging a vulnerability tracked as CVE-2022-21894. The malware is on sale on dark web forums, going for roughly $5,000, BleepingComputer reports. Rebuilds are available for roughly $200.
All of this makes it very hard to detect and remove. However, with Microsoft's guidance, it should be somewhat easier. As per the report, analyzing these artifacts can help determine whether your system has been infected with the BlackLotus UEFI bootkit:
- Recently created and locked bootloader files
- Presence of a staging directory used during the BlackLotus installation in the ESP:/ filesystem
- Registry key modification for Hypervisor-protected Code Integrity (HVCI)
- Network logs
- Boot configuration logs
- Boot partition artifacts
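The following read-only triage script is an added example, not code from the article or from Microsoft's guidance. It checks three of the artifacts listed above on a Windows host: recently changed or locked bootloader files, recently created non-standard directories on the EFI System Partition, and the HVCI registry state. It assumes the ESP can be mounted temporarily on drive letter S: with the built-in mountvol tool, that the bootloader lives under \EFI\Microsoft\Boot, and that HVCI state is read from the standard DeviceGuard registry key; the 30-day window is an illustrative choice. Run it from an elevated PowerShell prompt.

```powershell
# Added example: triage checks for BlackLotus-related artifacts (assumptions in the lead-in).
$EspLetter = 'S:'
$Window    = (Get-Date).AddDays(-30)   # illustrative "recent" window
$Findings  = @()

# 1. Mount the EFI System Partition temporarily for inspection (mountvol /S is a built-in switch).
mountvol $EspLetter /S | Out-Null
try {
    $bootDir = Join-Path $EspLetter 'EFI\Microsoft\Boot'
    $efiFiles = Get-ChildItem -Path $bootDir -Filter '*.efi' -File -ErrorAction SilentlyContinue

    # 2. Bootloader files created or modified inside the window.
    foreach ($f in $efiFiles) {
        if ($f.CreationTime -gt $Window -or $f.LastWriteTime -gt $Window) {
            $Findings += "Recently changed bootloader file: $($f.FullName) ($($f.LastWriteTime))"
        }
    }

    # 3. Bootloader files that cannot be opened for shared reading (the "locked" artifact).
    foreach ($f in $efiFiles) {
        try {
            $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'Read')
            $fs.Close()
        } catch {
            $Findings += "Locked bootloader file (cannot open for read): $($f.FullName)"
        }
    }

    # 4. Non-standard top-level ESP directories created inside the window (staging-directory artifact).
    Get-ChildItem -Path "$EspLetter\" -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'EFI' -and $_.CreationTime -gt $Window } |
        ForEach-Object { $Findings += "Recently created non-standard ESP directory: $($_.FullName)" }
}
finally {
    mountvol $EspLetter /D | Out-Null   # always dismount the ESP again
}

# 5. HVCI registry state: Enabled = 1 means on; 0 or a missing value means HVCI is not enforced.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
if (-not $hvci -or $hvci.Enabled -ne 1) {
    $Findings += "HVCI is not enabled in the registry ($hvciKey\Enabled = '$($hvci.Enabled)')"
}

if ($Findings.Count -eq 0) { 'No BlackLotus-related artifacts found by these checks.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

A hit from any of these checks is a lead for investigation, not proof of compromise; a legitimate Windows update also changes bootloader files, so compare timestamps against patch history.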
To clean a device after a BlackLotus compromise, one must remove it from the network and reinstall it with a clean operating system and EFI partition, the researchers instruct. Alternatively, they can restore it from a clean backup that includes an EFI partition.
It's also worth mentioning that threat actors need to leverage a specific vulnerability, CVE-2022-21894, to deploy BlackLotus. Having a patch installed that addresses this vulnerability can help protect the system from future infections.
Finally, as the company says: "Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications".
Via: BleepingComputer