"Unkillable UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw"

Researchers at the security company ESET have reported the first known case of real-world malware that can take over a computer's boot process even when Secure Boot and other advanced defenses are active on fully updated Windows systems. The malware, dubbed BlackLotus, is a Unified Extensible Firmware Interface (UEFI) bootkit. Malware of this type infects the UEFI, the complex, low-level firmware chain responsible for starting nearly every modern computer. The UEFI firmware lives in an SPI-connected flash chip soldered to the motherboard, which makes it difficult to inspect or patch.

Because the UEFI is the first code to execute when a computer is powered on, it influences the operating system, security applications, and all other software that follows, making it an ideal environment for malware. When successful, UEFI bootkits deactivate operating system security protections and ensure that a computer remains infected with stealthy malware running in kernel mode or user mode, even after the operating system is reinstalled or the hard drive is replaced.

The researchers detailed a UEFI bootkit that circumvents Secure Boot on fully updated UEFI systems running fully updated Windows 10 and 11. Although no strings or other evidence clearly identify the bootkit's makers, ESET researchers determined that it likely corresponds to BlackLotus, a bootkit that has been sold in underground cybercrime forums since last year. This article continues to discuss findings from the analysis of the world's first in-the-wild UEFI bootkit that evades Secure Boot on fully updated UEFI systems running fully updated versions of Windows 10 and 11.
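A first defender check against the boot-process tampering described above is to confirm what the platform itself reports about Secure Boot. The following is an added example, not code from ESET or the Ars Technica article: it parses the efivarfs file layout that Linux uses to expose UEFI variables (a 4-byte little-endian attribute header followed by the variable data, as defined by the UEFI specification and the Linux efivarfs driver) and interprets the `SecureBoot` and `SetupMode` variables under the EFI global variable GUID `8be4df61-93ca-11d2-aa0d-00e098032b8c`. The sample byte strings are constructed for the example; the `/sys/firmware/efi/efivars` path is where a Linux host would supply the real ones.

```python
"""Interpret UEFI Secure Boot state from efivarfs-style variable files.

Added example: parses the efivarfs layout (4-byte attribute header + data)
for the SecureBoot and SetupMode variables and reports whether the platform
claims to be enforcing Secure Boot.
"""
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

# Linux exposes UEFI variables as files named <Name>-<GUID> in this directory.
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Variable attribute bits from the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into (attribute flags, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short to hold the attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> Dict[str, bool]:
    """Interpret the SecureBoot and SetupMode variables.

    Secure Boot is only enforcing when SecureBoot == 1 and SetupMode == 0;
    in setup mode no platform key is enrolled and signature checks are off.
    """
    sb_attrs, sb_data = parse_efivar(secureboot_raw)
    _sm_attrs, sm_data = parse_efivar(setupmode_raw)
    if len(sb_data) != 1 or len(sm_data) != 1:
        raise ValueError("SecureBoot and SetupMode are single-byte variables")
    secure_boot = sb_data[0] == 1
    setup_mode = sm_data[0] == 1
    return {
        "secure_boot_variable": secure_boot,
        "setup_mode": setup_mode,
        "enforcing": secure_boot and not setup_mode,
        "runtime_readable": bool(sb_attrs & EFI_VARIABLE_RUNTIME_ACCESS),
    }


def read_live_state() -> Optional[Dict[str, bool]]:
    """Read the real variables on a Linux UEFI host; None if efivarfs is absent."""
    sb = EFIVARS_DIR / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
    sm = EFIVARS_DIR / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}"
    if not (sb.exists() and sm.exists()):
        return None
    return secure_boot_state(sb.read_bytes(), sm.read_bytes())


# Constructed sample files (not captured from any real machine):
# attributes 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, then the 1-byte value.
SAMPLE_ENFORCING = (bytes.fromhex("06000000") + b"\x01",   # SecureBoot = 1
                    bytes.fromhex("06000000") + b"\x00")   # SetupMode  = 0
SAMPLE_SETUP_MODE = (bytes.fromhex("06000000") + b"\x00",  # SecureBoot = 0
                     bytes.fromhex("06000000") + b"\x01")  # SetupMode  = 1

if __name__ == "__main__":
    live = read_live_state()
    print("live host:", live if live is not None else "efivarfs unavailable (not a UEFI boot?)")
    print("sample enforcing:", secure_boot_state(*SAMPLE_ENFORCING))
    print("sample setup mode:", secure_boot_state(*SAMPLE_SETUP_MODE))
```

On Windows the same question is answered by the `Confirm-SecureBootUEFI` PowerShell cmdlet or the "Secure Boot State" line in `msinfo32`. Either way, a query made from inside a running operating system is answered by the firmware and boot chain it is trying to assess, so a reported "enforcing" state is a necessary first look rather than proof that the boot path is intact; that is precisely the gap a bootkit of the kind described here exploits.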

Ars Technica reports "Unkillable UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw"

Submitted by Anonymous on