Windows 10: Deducting and preventing Blacklotus bootkit injected files in to EFI partition and inside...

RAJU.MSC.MATHEMATICS · May 14, 2023

This article provides steps to deducting BLACKLOTUS bootkit-infected EFI partition files and disabling security features inside Windows 11 and Windows 10.My laptop hardware is working with Windows 11 64 22H2 Build no 22622.1702.Step1 Boot Windows os with normal modeOpen Command prompt application with administrator rights type the below command to mount efi partition with the letter available say XMountvol X: /sStep2Find all files included under the boot folder in the EFI partition, to viewtype below command Dir X:EFI\Microsoft\Boot\*.efiThe following files are included in the Boot folder1.

:)

Brink · May 14, 2023

BlackLotus UEFI bootkit: Myth confirmed

The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn’t gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality. In this blogpost we present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022.

UEFI bootkits are very powerful threats, having full control over the OS boot process and thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages. This allows them to operate very stealthily and with high privileges. So far, only a few have been discovered in the wild and publicly described (e.g., multiple malicious EFI samples we discovered in 2020, or fully featured UEFI bootkits such as our discovery last year – the ESPecter bootkit – or the FinSpy bootkit discovered by researchers from Kaspersky).

UEFI bootkits may lose on stealthiness when compared to firmware implants – such as LoJax; the first in-the-wild UEFI firmware implant, discovered by our team in 2018 – as bootkits are located on an easily accessible FAT32 disk partition. However, running as a bootloader gives them almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses, such as the BWE, BLE, and PRx protection bits, or the protections provided by hardware (like Intel Boot Guard). Sure, UEFI Secure Boot stands in the way of UEFI bootkits, but there are a non-negligible number of known vulnerabilities that allow bypassing this essential security mechanism. And the worst of this is that some of them are still easily exploitable on up-to-date systems even at the time of this writing – including the one exploited by BlackLotus.

Our investigation started with a few hits on what turned out to be the BlackLotus user-mode component – an HTTP downloader – in our telemetry late in 2022. After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers (both on VirusTotal and in our own telemetry). This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware.
Click to expand...

Read more: BlackLotus UEFI bootkit: Myth confirmed | WeLiveSecurity

trog100 · May 14, 2023

Move EFI partition

its to enable win 10 to update to its anniversary edition.. it cant do this due to lack of C drive space i have had a quick try with the trial version of easus.. it didnt seem to be able to do what i want..

i am assuming i cant just delete the efi partition but maybe i could.. as yet i havnt even figured out how to get into the bios of the thing.. maybe that should be my next step.. *Smile

diskpart could probably do it but figuring out how (it aint that user friendly) might be difficult without step by step instructions..

trog

Try3 · May 14, 2023

BlackLotus UEFI bootkit: Myth confirmed

Thanks for posting this.

I'm confused by two parts of the Eset description:
1 The third item in the section Following are the key points about BlackLotus and a timeline summarizing the series of events related to it

Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.
Click to expand...

2 Under the heading Mitigations and remediation

First of all, of course, keeping your system and its security product up to date is a must – to raise a chance that a threat will be stopped right at the beginning, before it’s able to achieve pre-OS persistence.
Click to expand...

I think they are saying that an MS update fixed the problem of future infiltration but did not fix the problem for systems that have already been infiltrated.
But I'm not sure.
Perhaps my interpretation is too optimistic.

I also noticed, under the heading Step 3 – Disabling BitLocker, "... would lead to a BitLocker recovery screen at the next bootup and would tip the victim off that the system had been compromised".
There have been some Ten/ElevenForums reports of this recovery screen appearing unexpectedly.

All very worrying,
Denis

Windows 10: Deducting and preventing Blacklotus bootkit injected files in to EFI partition and inside...

Deducting and preventing Blacklotus bootkit injected files in to EFI partition and inside...

Deducting and preventing Blacklotus bootkit injected files in to EFI partition and inside...

Deducting and preventing Blacklotus bootkit injected files in to EFI partition and inside...

Deducting and preventing Blacklotus bootkit injected files in to EFI partition and inside... - Similar Threads - Deducting preventing Blacklotus

How to access files in the EFI partition

How to access files in the EFI partition

Deducting and preventing Blacklotus bootkit injected files in to EFI partition and inside...

Windows 11 Security at risk? BlackLotus UEFI bootkit defeats Secure Boot

EFI Partition

EFI Partition

EFI Partition

Access to EFI Partition

EFI partition deleted