"BlackLotus UEFI Bootkit Source Code Leaked on GitHub"

The source code of the BlackLotus UEFI bootkit has been published on GitHub, with several modifications relative to the original malware.  BlackLotus targets Windows and first appeared on hacker forums in October 2022, advertised with APT-grade capabilities: a Secure Boot bypass, a User Account Control (UAC) bypass, and the ability to disable security software and other defense mechanisms on the victim system.  Because it runs at boot time, before the operating system loads, it persists across reboots and can load unsigned kernel drivers.  It exploits CVE-2022-21894, a Secure Boot bypass in the Windows boot manager that Microsoft patched in January 2022, and it works even on fully patched systems: the attacker brings along an older, still-signed vulnerable boot manager, and the bypass keeps working until the affected binaries are revoked in the UEFI forbidden-signature database (DBX).  In April 2023, Microsoft published guidance to help threat hunters identify BlackLotus infections.  The code published on GitHub on Wednesday has been stripped of the "Baton Drop" exploit for CVE-2022-21894 and relies on the open-source bootlicker UEFI rootkit instead, but otherwise contains the original code.  According to Alex Matrosov, CEO of firmware security company Binarly, the public availability of the bootkit's source represents a significant risk mainly because it can be combined with new exploits to create new attack opportunities.  
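Microsoft's April hunting guidance is not reproduced on this page. As an added illustration of the kind of triage a threat hunter would run on a suspect host (an example written for this summary, not Microsoft's script and not code from the leaked repository), the PowerShell below records the Secure Boot state, the size of the DBX revocation list, and the contents of the boot manager directory on the EFI System Partition, including the signer of every `.efi` image found there. The drive letter `S:`, the 90-day "recently modified" window, and treating a non-`EFI` directory at the ESP root as an indicator are assumptions of this example.

```powershell
# Added triage example: not Microsoft's published hunting guidance and not code from the leaked repository.
# Assumptions: run elevated on a UEFI Windows host; drive letter S: is free to mount the ESP;
# the paths checked are where Windows keeps its boot manager and where extra material would stand out.

#Requires -RunAsAdministrator

function Get-BootkitTriage {
    [CmdletBinding()]
    param(
        [string]$EspDrive = 'S:',
        # Files in the boot directory modified within this window are flagged for review (assumed threshold).
        [int]$RecentDays = 90
    )

    $result = [ordered]@{}

    # 1. Secure Boot state as reported by firmware. A bypass of the kind described above leaves
    #    this reporting "True", so "False" is a finding but "True" is not proof of health on its own.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $null   # legacy BIOS host or cmdlet unavailable
    }

    # 2. Size of the DBX revocation list. An old, still-signed boot manager keeps loading until its
    #    hash is revoked here, so record the DBX for comparison with a known-good baseline
    #    (the baseline itself is not part of this example).
    try {
        $result.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length
    } catch {
        $result.DbxBytes = $null
    }

    # 3. Mount the EFI System Partition and inspect the boot manager directory.
    & mountvol.exe $EspDrive /S | Out-Null
    try {
        $bootDir = Join-Path $EspDrive 'EFI\Microsoft\Boot'
        $cutoff  = (Get-Date).AddDays(-$RecentDays)

        # Recently modified files under the boot directory.
        $result.RecentBootFiles = Get-ChildItem -Path $bootDir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff } |
            Select-Object FullName, Length, LastWriteTime

        # Every .efi image, with its hash and Authenticode signer, so an added or swapped
        # boot manager can be compared against the expected Microsoft-signed one.
        $result.EfiImages = Get-ChildItem -Path $bootDir -Filter '*.efi' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
                }
            }

        # Directories at the ESP root other than EFI are not something Windows creates (assumed indicator).
        $result.UnexpectedEspDirs = Get-ChildItem -Path $EspDrive -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -notin @('EFI', 'System Volume Information') } |
            Select-Object -ExpandProperty FullName
    } finally {
        # Always unmount, even if enumeration fails.
        & mountvol.exe $EspDrive /D | Out-Null
    }

    [pscustomobject]$result
}

Get-BootkitTriage | Format-List
```

Run it elevated from an administrative PowerShell; compare the `EfiImages` hashes and signers, and the `DbxBytes` value, against a clean reference host of the same Windows build rather than reading them in isolation.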


SecurityWeek reports: "BlackLotus UEFI Bootkit Source Code Leaked on GitHub"
