A Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus is capable of bypassing an essential platform security feature, UEFI Secure Boot, according to researchers from Slovakia-based cybersecurity firm ESET.

BlackLotus exploits a year-old, already-patched vulnerability and can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled, the researchers found.

UEFI Secure Boot is a feature of the UEFI firmware, the successor to the traditional BIOS (Basic Input/Output System) firmware found on older computers. Secure Boot is designed to ensure that the system starts only with boot software whose signatures the firmware trusts. A bootkit, on the other hand, is malware that infects the boot process of a computer, so it runs before the operating system and its defenses are loaded.

BlackLotus has been advertised and sold on underground forums for $5,000 since at least early October 2022, ESET said in a press statement.

“We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” Martin Smolár, the ESET researcher who led the investigation into the bootkit, said in the press statement.

BlackLotus uses old vulnerability

BlackLotus takes advantage of a vulnerability that has been present for over a year, tracked as CVE-2022-21894, to bypass UEFI Secure Boot and establish persistence for the bootkit. This is the first known case of the vulnerability being exploited in the wild.

Although Microsoft released a fix for the vulnerability in January 2022, BlackLotus is still able to exploit it, which lets attackers disable operating-system security measures including BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Windows Defender.

The bootkit can still exploit the vulnerability after the January fix because the affected, validly signed binaries have not been added to the UEFI revocation list (the Secure Boot forbidden signature database, dbx), which tells the firmware which signed binaries and certificates it must refuse to load. As long as the vulnerable signed boot loaders are absent from dbx, the firmware keeps trusting them, and an attacker can bring a copy of a vulnerable loader to an otherwise patched machine.

Because of the complexity of the whole UEFI ecosystem and related supply-chain problems, many UEFI vulnerabilities have left systems exposed long after fixes were released, according to ESET.

Bootkit deploys payloads through a kernel driver

Once installed, BlackLotus’s primary objective is to deploy a kernel driver, which protects the bootkit against attempts to remove it. It also deploys an HTTP downloader that communicates with the command-and-control (C&C) server and can load further user-mode or kernel-mode payloads.

“Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component — an HTTP downloader — in our telemetry late in 2022,” Smolár said. “After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware.”

Some of the BlackLotus installers analyzed by ESET do not install the bootkit if the affected host uses locale settings associated with Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.

“The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet,” Smolár said. “We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”

ESET recommends keeping systems and their security products up to date to raise the chance that a threat is stopped at the beginning of the chain, before it is able to achieve pre-OS persistence.
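The revocation mechanism the article describes, the UEFI dbx, is a flat sequence of EFI_SIGNATURE_LIST structures. The Python below is added here as an illustration and is not code from ESET or from the article: it parses a dbx blob and reports whether a given Authenticode SHA-256 hash is revoked, which is the check that decides whether a signed-but-vulnerable boot loader is still trusted by the firmware. The GUID constants and structure layout come from the UEFI specification; the sample dbx, the digests and the certificate bytes are constructed for the example and are not real boot-manager hashes.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (stored little-endian in firmware).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HDR = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR_LEN = 16 + SIGLIST_HDR.size  # SignatureType GUID + the three size fields


def parse_signature_lists(data: bytes):
    """Yield (signature_type, [signature_data, ...]) for every EFI_SIGNATURE_LIST in `data`.

    Layout per list: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4)
    | SignatureSize (4) | header | N x (SignatureOwner GUID (16) | SignatureData).
    Inconsistent lengths raise ValueError rather than silently skipping entries.
    """
    off = 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off + 16)
        start = off + SIGLIST_HDR_LEN + hdr_size
        end = off + list_size
        if sig_size <= 16 or end > len(data) or start > end or (end - start) % sig_size:
            raise ValueError(f"inconsistent EFI_SIGNATURE_LIST sizes at offset {off}")
        # Each EFI_SIGNATURE_DATA is an owner GUID followed by the hash or DER certificate.
        entries = [data[p + 16:p + sig_size] for p in range(start, end, sig_size)]
        yield sig_type, entries
        off = end


def is_revoked(dbx: bytes, authenticode_sha256: bytes) -> bool:
    """True if the PE Authenticode SHA-256 of a binary is listed in dbx (i.e. firmware must reject it)."""
    if len(authenticode_sha256) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest")
    return any(
        sig_type == EFI_CERT_SHA256_GUID and authenticode_sha256 in entries
        for sig_type, entries in parse_signature_lists(dbx)
    )


def summarize(dbx: bytes) -> dict:
    """Count dbx entries by type, e.g. {'sha256': 2, 'x509': 1}."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts = {}
    for sig_type, entries in parse_signature_lists(dbx):
        key = names.get(sig_type, str(sig_type))
        counts[key] = counts.get(key, 0) + len(entries)
    return counts


def load_linux_efivar(path: str) -> bytes:
    """Read a variable from efivarfs (dbx lives at /sys/firmware/efi/efivars/dbx-d719b2cb-...).
    efivarfs prefixes the variable data with 4 bytes of attributes, which are stripped here."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; used below only to construct the sample dbx."""
    owner = uuid.UUID(int=0).bytes_le
    sig_size = 16 + len(entries[0])
    body = b"".join(owner + e for e in entries)
    return sig_type.bytes_le + SIGLIST_HDR.pack(SIGLIST_HDR_LEN + len(body), 0, sig_size) + body


# Constructed sample: a dbx holding two revoked hashes and one revoked certificate.
# The digests are of made-up strings, not hashes of real boot managers.
HASH_A = hashlib.sha256(b"constructed sample bootloader A").digest()
HASH_B = hashlib.sha256(b"constructed sample bootloader B").digest()
HASH_C = hashlib.sha256(b"constructed sample bootloader C").digest()  # never added to dbx
FAKE_DER_CERT = b"\x30\x82\x01\x00" + b"\x00" * 252  # placeholder bytes, not a real certificate
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, [HASH_A, HASH_B])
    + build_signature_list(EFI_CERT_X509_GUID, [FAKE_DER_CERT])
)

if __name__ == "__main__":
    print(summarize(SAMPLE_DBX))
    for name, digest in (("A", HASH_A), ("C", HASH_C)):
        state = "revoked" if is_revoked(SAMPLE_DBX, digest) else "still trusted"
        print(f"bootloader {name}: {state}")
```

To run this against a real machine, dump dbx with `Get-SecureBootUEFI -Name dbx` on Windows or read it from efivarfs on Linux with `load_linux_efivar`, and look up the PE Authenticode hash of the boot manager rather than a plain hash of the file. The result is only as good as the dbx on that machine: a vulnerable loader that has not been revoked comes back as "still trusted", which is exactly the gap the bootkit relies on.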