New UEFI rootkit Black Lotus offered for sale at $5,000
#1
Source: https://securityaffairs.co/wordpress/137...otkit.html
New UEFI rootkit Black Lotus offered for sale at $5,000
October 17, 2022  By Pierluigi Paganini

Black Lotus is a new, powerful Windows UEFI rootkit advertised on underground criminal forums, a researcher warns.
Cybersecurity researcher Scott Scheferman reported that a new Windows UEFI rootkit, dubbed Black Lotus, is advertised on underground criminal forums. The powerful malware is offered for sale at $5,000, with $200 payments per new update.

The researcher warns that the availability of this rootkit in the threat landscape represents a serious threat for organizations due to its evasion and persistence capabilities.

“Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we’ve made (e.g. Trickbot‘s #Trickboot module), this represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction.” wrote Scheferman.

Black Lotus is written in assembly and C and is only 80kb in size; the malicious code can be configured to avoid infecting systems in countries in the CIS region.
The malware supports anti-virtualization, anti-debugging, and code obfuscation. Black Lotus is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit is able to bypass security defenses like UAC and Secure Boot, and it is able to load unsigned drivers used to perform a broad range of malicious activities.

The threat is very stealthy; it can achieve persistence at the UEFI level with Ring 0 agent protection.

Black Lotus supports a full set of backdoor capabilities, and it could also be used to potentially target IT and OT environments.

Black Lotus is bringing APT capabilities to malicious actors in the threat landscape.

Pierluigi Paganini

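The article lists the protections the rootkit is said to disable or bypass (Secure Boot, HVCI, BitLocker, Windows Defender). The script below is an added defender-side example, not code from the article or from any vendor: a read-only posture check, run from an elevated PowerShell prompt on Windows 10/11, that reports whether each of those protections is currently active so that a change from a known-good baseline stands out. It uses only built-in cmdlets (Confirm-SecureBootUEFI, the Win32_DeviceGuard CIM class, Get-BitLockerVolume, Get-MpComputerStatus); the function name Get-BootIntegrityPosture is my own.

```powershell
# Added example (not from the article): read-only check of the protections the
# Black Lotus write-up says the rootkit disables or bypasses.
# Run elevated on Windows 10/11. Function name is a constructed placeholder.

function Get-BootIntegrityPosture {
    $result = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems,
    # so treat "not queryable" as not enabled.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBoot = $false
    }

    # HVCI (memory integrity): service code 2 in SecurityServicesRunning.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.HVCI = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # BitLocker protection on the OS volume.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.BitLocker = [bool]($osVol -and ($osVol.ProtectionStatus -eq 'On'))

    # Defender real-time protection.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.DefenderRealTime = [bool]($mp -and $mp.RealTimeProtectionEnabled)

    [pscustomobject]$result
}

$posture = Get-BootIntegrityPosture
$posture | Format-List

# Anything reported as off deserves a look, especially if it was on at the last
# baseline: silently turning these off is the behaviour the article describes.
$off = $posture.PSObject.Properties |
       Where-Object { -not $_.Value } |
       Select-Object -ExpandProperty Name
if ($off) { Write-Warning ("Protections not active: " + ($off -join ', ')) }
```

Two caveats a practitioner would want: the script only reports what the running OS says about itself, so a component sitting below the OS at firmware level can in principle misreport, and the useful signal is a change against an earlier baseline rather than any single snapshot. For evidence that is harder to tamper with from within the OS, compare against TPM-backed measured boot logs collected by an attestation service rather than relying on this check alone.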