Microsoft has released a list of indicators to make it easier to spot a possible BlackLotus UEFI bootkit infection on your machine. The company is also reminding users to install the security patch and offering detection tips.
In January, Microsoft published information about a vulnerability known as Secure Boot Bypass (CVE-2022-21894) and fixed it in the January Patch Tuesday update.
At the beginning of March, it was announced that a previously unknown group had developed malware called BlackLotus, which was the first UEFI bootkit capable of defeating Windows’ Secure Boot feature. Now, Microsoft is once again emphasizing the importance of installing the January update and providing a guide to detecting BlackLotus malware infections. It’s not that easy.
If the UEFI bootkit has entered a computer or network using the CVE-2022-21894 vulnerability, it usually evades detection. The malware initially disables antivirus programs and resists removal attempts with appropriate tools. However, there are “side effects” that can indicate a BlackLotus infection.
When analyzing devices infected with BlackLotus, the Microsoft Incident Response Team identified several points in the malware’s installation and execution process that allow for detection.
Because BlackLotus needs to write malicious bootloader files to the EFI system partition, also known as ESP, it locks these files to prevent them from being deleted or modified. Recently modified and locked files in the ESP location, particularly if they match known BlackLotus bootloader filenames, “should be considered highly suspicious,” Microsoft said.
Microsoft recommends using the mountvol command line utility to mount the boot partition and then inspecting the files on it for creation-time mismatches. Another distinguishing feature of BlackLotus is the presence of a “/system32/” directory on the ESP, which holds the files needed to install the UEFI malware. According to Microsoft, once BlackLotus is installed successfully the files in “ESP:/system32/” are deleted, but the directory itself remains.
An antivirus program that has been disabled without the user’s involvement is another indicator of compromise.
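The triage script below is an added example for this article; it is not Microsoft's tooling or any code from the original text. It mounts the EFI system partition with mountvol, then walks it looking for the indicators described above: recently modified files, files whose creation time is much newer than the Windows boot manager's (one interpretation of “creation time mismatch”, which is an assumption here), files that cannot be opened for write (a proxy for the locking behaviour), files whose names match a list of known BlackLotus bootloader filenames (the article does not list them, so the list holds placeholders to be filled from Microsoft's published indicators), and any leftover “system32” directory. It finishes by reporting Microsoft Defender's antivirus status, since a silently disabled AV is the last indicator named. Drive letter S: and the 30-day window are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not Microsoft's code): triage the ESP for BlackLotus indicators.
param(
    [string]$Drive = 'S:',       # assumption: any free drive letter works
    [int]$RecentDays = 30         # assumption: window for "recently modified"
)

# Placeholder: replace with the bootloader filenames from Microsoft's published IoCs.
$KnownBootloaderNames = @('<known-blacklotus-filename-1>', '<known-blacklotus-filename-2>')

# Mount the EFI system partition (mountvol /S maps the ESP to the given letter).
$mountedHere = $false
if (-not (Test-Path "$Drive\")) {
    & mountvol.exe $Drive /S
    if ($LASTEXITCODE -ne 0) { throw "mountvol could not mount the ESP on $Drive" }
    $mountedHere = $true
}

# Approximate the "locked file" indicator: a file that cannot be opened for
# read/write with no sharing is being held by something else.
function Test-FileLocked {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch {
        return $true
    }
}

# Reference point for "creation time mismatch": the Windows boot manager that
# every Windows ESP carries. Files created long after it deserve a closer look.
$bootmgr = Join-Path $Drive 'EFI\Microsoft\Boot\bootmgfw.efi'
$baseline = if (Test-Path $bootmgr) { (Get-Item $bootmgr).CreationTime } else { $null }

$cutoff   = (Get-Date).AddDays(-$RecentDays)
$findings = @()

Get-ChildItem -Path "$Drive\" -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $f = $_
    $reasons = @()
    if ($f.LastWriteTime -gt $cutoff -or $f.CreationTime -gt $cutoff) {
        $reasons += 'recently modified'
    }
    if ($baseline -and ($f.CreationTime - $baseline).TotalDays -gt 1) {
        $reasons += 'created well after bootmgfw.efi (creation time mismatch)'
    }
    if (Test-FileLocked $f.FullName) {
        $reasons += 'locked (cannot be opened for write)'
    }
    if ($KnownBootloaderNames -contains $f.Name) {
        $reasons += 'matches known BlackLotus bootloader filename'
    }
    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Path       = $f.FullName
            Created    = $f.CreationTime
            Modified   = $f.LastWriteTime
            Indicators = ($reasons -join '; ')
        }
    }
}

# BlackLotus leaves an (emptied) "system32" directory behind on the ESP.
Get-ChildItem -Path "$Drive\" -Recurse -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq 'system32' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Path       = $_.FullName
            Created    = $_.CreationTime
            Modified   = $_.LastWriteTime
            Indicators = 'system32 directory present on ESP'
        }
    }

if ($findings.Count -eq 0) {
    Write-Host "No BlackLotus indicators found on $Drive"
} else {
    $findings | Sort-Object Path | Format-Table -AutoSize
}

# Last indicator from the article: antivirus that has been switched off.
try {
    $mp = Get-MpComputerStatus
    Write-Host ("Defender antivirus enabled: {0}; real-time protection: {1}" -f `
        $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled)
} catch {
    Write-Warning "Could not query Microsoft Defender status: $_"
}

# Unmount only if this script mounted the ESP.
if ($mountedHere) { & mountvol.exe $Drive /D }
```

Treat the output as a starting point for investigation, not a verdict: a locked or recently written file on the ESP is expected immediately after a Windows feature update, so compare any hit against the system's patch history before escalating.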