Blacklotus Windows UEFI malware source code published on GitHub
Now anyone can download and run it.
Part of the Blacklotus malware source code for Windows UEFI was published on GitHub. This can pose a serious security risk to Windows users, as the malware can now be easily downloaded and run by anyone.
BlackLotus is a bootkit that targets Windows and can bypass the Secure Boot mechanism, which blocks untrusted bootloaders on computers with UEFI firmware and a TPM chip. This security feature is designed to prevent rootkits from being loaded during the startup process, where they could evade detection by security applications running on Windows.
BlackLotus can also disable BitLocker Data Protection, Microsoft Defender Antivirus, and Hypervisor Code Integrity (HVCI) Protection – also known as the Memory Integrity feature, which protects against attempts to exploit the Windows kernel.
BlackLotus was the first discovered example of a UEFI bootloader that could bypass the Secure Boot mechanism and disable OS-level security. This was achieved initially by exploiting the “Baton Drop” vulnerability ( CVE-2022-21894 ), which Microsoft fixed in January 2022.
This led to another security update for CVE-2023-24932 (another Secure Boot bypass), which revoked further malicious boot managers.
However, Microsoft has disabled the update for CVE-2023-24932 by default, requiring Windows users to complete a lengthy and somewhat complicated manual installation to fix their systems.
As Microsoft warned, installing the security patch incorrectly could result in a system that no longer starts or that cannot be recovered from Windows setup media, so many choose not to install the update, leaving devices vulnerable to Secure Boot bypass attacks.
Because of the concern over the BlackLotus malware and its stealth, both Microsoft and the NSA have shared guidance on detecting the bootkit and removing it from Windows.
BlackLotus was originally sold on hacker forums for as little as $5,000, allowing attackers of any skill level to gain access to malware commonly associated with government-backed hacker groups.
However, the attacker kept the source code under wraps, offering $200 rebuilds to customers who wanted to customize the bootloader.
Binarly today announced that the BlackLotus UEFI bootloader source code has been published on GitHub by user “Yukari”.
Yukari says that the source code has been modified: the Baton Drop exploit has been removed and replaced with the UEFI rootkit bootlicker, which is based on the UEFI APT rootkits CosmicStrand, MoonBounce and ESPecter.
“The leaked source code is not complete and mostly contains parts of the rootkit and bootloader code to bypass Secure Boot,” said Alex Matrosov, co-founder and CEO of Binarly.
It’s important to highlight that while Microsoft has fixed Secure Boot bypasses in CVE-2022-21894 and CVE-2023-24932, the security update is optional and patches are disabled by default.
Source link
www.securitylab.ru