Home » Technology » Microsoft » UEFI Bootkit Hack: Microsofts Issues Guidance To Avoid

UEFI Bootkit Hack: Microsofts Issues Guidance To Avoid

Microsoft has released a list to make it easier to spot a possible BlackLotus UEFI bootkit attack on your machine. The company is now giving tips and reminding you to use the security patch.

In January, Microsoft released information about a vulnerability known as Secure Boot Bypass (CVE-2022-21894). This was followed by the correction of the vulnerability on the January patch day.

At the beginning of March, it was announced that a previously unknown group had developed malware called BlackLotus, which was the first UEFI bootkit capable of defeating Windows’ Secure Boot feature. Now, Microsoft is once again emphasizing the importance of installing the January update and providing a guide to detecting BlackLotus malware infections. It’s not that easy.

Antivirus programs are turned off

If the UEFI bootkit has entered a computer or network using the CVE-2022-21894 vulnerability, it usually evades detection. The malware initially disables antivirus programs and resists removal attempts with appropriate tools. However, there are “side effects” that can indicate a BlackLotus infection.

When analyzing devices infected with BlackLotus, the Microsoft Incident Response Team identified several points in the malware’s installation and execution process that allow for detection.

Indications of BlackLotus UEFI bootkit infection are:

  • Recently created and locked bootloader files
  • Presence of a staging directory used during BlackLotus installation in the EPS:/ file system
  • Hypervisor Protected Code Integrity (HVCI) registry key change
  • network protocols
  • Boot configuration logs
  • Boot partition artifacts

Because BlackLotus needs to write malicious bootloader files to the EFI system partition, also known as ESP, it locks these files to prevent them from being deleted or modified. Recently modified and locked files in the ESP location, particularly if they match known BlackLotus bootloader filenames, “should be considered highly suspicious,” Microsoft said.

Microsoft recommends using the mountvol command line utility to mount the boot partition and check the creation dates of files with creation time mismatches. Another distinguishing feature of BlackLotus is the presence of the “/system32/” directory on the ESP, which stores the files required to install the UEFI malware. According to Microsoft, if BlackLotus is installed successfully, the files in the “ESP:/system32/” directory will be deleted, but the directory will remain.

Disabling antivirus programs is also an indication of hackers.