Microsoft has shared guidance to help organizations check if hackers targeted or compromised machines with the BlackLotus UEFI bootkit by exploiting the CVE-2022-21894 vulnerability.
Organizations and individuals can also use Microsoft’s advice to recover from an attack and to prevent threat actors using BlackLotus from achieving persistence and evading detection.
BlackLotus has been available since last year on hacking forums, advertised as a piece of malware that evades antivirus detection, resists removal attempts, and can disable various security features (e.g. Defender, HVCI, BitLocker). The price for a license was $5,000, with rebuilds available for $200.
The capabilities of the malware were confirmed in early March by researchers at cybersecurity company ESET, who noted that the malware functioned exactly as advertised.
Locating BlackLotus infection clues
Malware for the Unified Extensible Firmware Interface (UEFI) is particularly challenging to detect because these threats run before the operating system and can deploy payloads early in the boot process to disable security mechanisms.
Analyzing devices compromised with BlackLotus, the Microsoft Incident Response team identified several points in the malware installation and execution process that allow its detection.
The researchers note that defenders can look for the following artifacts to determine a BlackLotus UEFI bootkit infection:
- Recently created and locked bootloader files
- Presence of a staging directory used during the BlackLotus install in the ESP:/ filesystem
- Registry key modification for the Hypervisor-protected Code Integrity (HVCI)
- Network logs
- Boot configuration logs
Boot partition artifacts
Since BlackLotus needs to write malicious bootloader files to the EFI system partition, also referred to as ESP, it will lock them to prevent their deletion or modification.
Recently modified and locked files in the ESP location, especially if they match known BlackLotus bootloader file names, “should be considered highly suspect.” It is advised to remove the devices from the network and examine them for evidence of activity related to BlackLotus.
Microsoft recommends using the mountvol command-line utility to mount the boot partition and check the creation dates of the files, looking for mismatched creation times.
Timestamps for boot files added by BlackLotus UEFI malware
You can mount the ESP partition using the following command in a Command Prompt with Administrator privileges:
mountvol [available drive letter] /s
For instance, if the G: drive letter is free, you can execute this command:
mountvol g: /s
If the modification time does not look suspicious, threat hunters can try to calculate the hash of the bootloader file. On a compromised device the output should be a file access error because BlackLotus locks the files to prevent tampering.
Another tell of BlackLotus is the presence of the “/system32/” directory on the ESP, which is the storage location for the files required to install the UEFI malware.
Microsoft says that successful installation of BlackLotus results in deleting the files inside “ESP:/system32/” but the directory remains. Forensic analysts can use this to search for the removed files.
BlackLotus UEFI malware components in EFI partition
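The ESP checks described above, gathered into one PowerShell script. This is an added example, not Microsoft's script or part of the original guidance; the drive letter G: and the 30-day window are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumptions: G: is a free drive letter; 30 days counts as "recent".
$Letter = 'G:'
$Cutoff = (Get-Date).ToUniversalTime().AddDays(-30)

if (Test-Path -LiteralPath "$Letter\") { throw "$Letter is already in use" }
mountvol $Letter /s          # mount the EFI system partition (ESP)
try {
    $files = Get-ChildItem -LiteralPath "$Letter\" -Recurse -File -Force |
        ForEach-Object {
            $f = $_
            # Hashing needs a read handle, so a locked file fails here.
            try {
                $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                $readable = $true
            } catch {
                $sha = $null
                $readable = $false
            }
            [pscustomobject]@{
                Path       = $f.FullName
                CreatedUtc = $f.CreationTimeUtc
                WrittenUtc = $f.LastWriteTimeUtc
                Recent     = ($f.CreationTimeUtc -gt $Cutoff) -or ($f.LastWriteTimeUtc -gt $Cutoff)
                Readable   = $readable
                SHA256     = $sha
            }
        }

    # Newest first, so files out of step with their neighbours stand out.
    $files | Sort-Object CreatedUtc -Descending |
        Format-Table Path, CreatedUtc, WrittenUtc, Recent, Readable -AutoSize

    # Recent and unreadable together is the combination the guidance flags.
    $files | Where-Object { $_.Recent -and -not $_.Readable } |
        ForEach-Object { Write-Warning "Recent and locked: $($_.Path)" }

    # The staging directory survives installation even though its files are deleted.
    if (Test-Path -LiteralPath "$Letter\system32" -PathType Container) {
        Write-Warning "Staging directory present: $Letter\system32"
    }
} finally {
    mountvol $Letter /d      # remove the drive letter again
}
```

A recent timestamp on its own is weak evidence, since Windows updates also rewrite boot files on the ESP; weigh it together with the lock and the staging directory.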
Registry, logs, and network clues
One of the BlackLotus capabilities is to disable the hypervisor-protected code integrity (HVCI), which allows it to load unsigned kernel code.
This is achieved by changing the Enabled value of the HVCI registry key to 0 (zero), as in the image below.
BlackLotus UEFI bootkit disables HVCI security feature
A second safety feature that BlackLotus disables is Microsoft Defender Antivirus, the default security agent on the Windows operating system.
This action may leave traces in the Windows Event Logs in the form of an entry under the Microsoft-Windows-Windows Defender/Operational Log.
BlackLotus UEFI bootkit disables Microsoft Defender Antivirus
Turning off Defender may also generate an Event ID 7023 in the System event log as a result of the service stopping unexpectedly.
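The registry and event log checks from this section as one PowerShell script. This is an added example, not Microsoft's script; the registry path is the standard Windows location for the HVCI setting (the article does not spell it out), and the 30-day look-back and the match on "Defender" in the event message are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumption: a 30-day look-back window for the event logs.
$Since = (Get-Date).AddDays(-30)

# HVCI state as recorded in the registry. A missing key or value means HVCI was
# never configured here, which is not the same as an explicit 0.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -LiteralPath $hvciKey -Name Enabled -ErrorAction SilentlyContinue
$hvciState = if ($null -eq $hvci) {
    'not configured in registry'
} elseif ($hvci.Enabled -eq 0) {
    'DISABLED (Enabled = 0)'
} else {
    "enabled (Enabled = $($hvci.Enabled))"
}

# Event ID 7023 in the System log: a service terminated with an error.
# Keep only entries whose message names Defender (assumed match string).
$svcStops = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Defender' }
)

# Error (2) and Warning (3) entries in the Defender operational log.
$defEvents = @(
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Level     = 2, 3
        StartTime = $Since
    } -ErrorAction SilentlyContinue
)

[pscustomobject]@{
    HVCI                  = $hvciState
    DefenderService7023   = $svcStops.Count
    DefenderWarningsError = $defEvents.Count
} | Format-List

# Show the individual entries for review.
$svcStops  | Select-Object TimeCreated, Id, Message | Format-List
$defEvents | Select-Object -First 20 TimeCreated, Id, LevelDisplayName, Message | Format-List
```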
Microsoft investigators advise threat hunters to examine network logs for outbound connections from winlogon.exe on port 80, which may be indicative of BlackLotus trying to communicate with its command and control (C2) server.
“This is the result of the injected HTTP downloader function of BlackLotus connecting to the C2 server or performing network configuration discovery” – Microsoft
Additional evidence of BlackLotus compromise can be present in the boot configuration logs (MeasuredBoot logs), which provide details about the Windows boot process.
When the bootkit becomes active, two boot drivers become available, specifically grubx64.efi and winload.efi. By comparing the logs for each reboot of the system, analysts can find the components that have been added or removed from each machine boot.
BlackLotus UEFI bootkit components in MeasuredBoot logs
Microsoft warns that accessing the MeasuredBoot log files is possible using a forensic image or raw NTFS reading tool.
The data can be read after decoding and converting it to XML or JSON file format. Microsoft provides a sample script based on the open-source TCGLogTools for parsing and extracting the logs.
Below is an example of the BlackLotus drivers the sample script showed on an infected machine:
Script shows boot components on machine infected with BlackLotus
Preventing BlackLotus compromise
Cleaning a machine after a BlackLotus infection requires removing it from the network and reinstalling it with a clean operating system and EFI partition, or restoring from a clean backup with an EFI partition.
While the post-infection artifacts are revealing in determining the type of malware used, defenders can prevent the compromise by detecting an intrusion before the adversary can deploy UEFI malware.
Launching a UEFI bootkit, though, requires privileged access to the target machine, either remote or physical, meaning that a first-stage threat and an initial access vector precede the persistent infection.
To fend off an infection via BlackLotus or other malware exploiting CVE-2022-21894, Microsoft recommends organizations practice the principle of least privilege and credential hygiene.
“Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications” – Microsoft
By implementing multiple layers of security controls, the so-called defense-in-depth strategies, organizations can reduce the risk of an adversary gaining access or administrative privilege in the environment.
This can essentially stop a BlackLotus attack in its earlier stages, before the threat actor can compromise user or service account credentials to move laterally on the network and escalate their privileges.