Microsoft has published guidance for detecting a hard-to-find piece of malware called BlackLotus. It is a sophisticated UEFI bootkit: it targets the Unified Extensible Firmware Interface (UEFI), the firmware that runs first when the computer is switched on. Because it takes control before the operating system loads, it can hide from antivirus software and survive a reinstallation of the operating system, since it lives on the EFI System Partition (ESP) rather than inside Windows itself; only wiping that partition (or replacing the drive it sits on) gets rid of it.
According to Microsoft, attackers exploit the CVE-2022-21894 vulnerability (a Secure Boot bypass) to deploy the BlackLotus UEFI bootkit on the victim’s machine. The Redmond company pointed to several artifacts to examine when trying to identify the bootkit:
Recently created and locked bootloader files;
Presence of a staging directory used during BlackLotus installation on the ESP:/ file system (the EFI System Partition);
Modification of the registry key for Hypervisor-Protected Code Integrity (HVCI);
Network logs;
Boot configuration logs;
Boot partition artifacts.
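The file-system and registry checks in that list can be scripted. The following PowerShell is an added triage example, not Microsoft’s tooling or anything from the article. It assumes the ESP can be mapped to an unused drive letter with mountvol, that the HVCI setting lives under Microsoft’s documented DeviceGuard registry path, and that the lookback window and the “unexpected top-level directory” heuristic (used because the page does not name the staging directory) are choices of this script. It must run from an elevated prompt.

```powershell
# Added triage example (not Microsoft's or the article's code). Assumptions are
# marked inline. Run as Administrator; the ESP is normally not mounted.
param(
    [string]$EspDrive    = 'S:',   # assumption: an unused drive letter for the ESP
    [int]   $LookbackDays = 30     # assumption: what counts as "recently created"
)

# 1. Map the EFI System Partition to a drive letter (mountvol's /S switch does this).
mountvol $EspDrive /S
if ($LASTEXITCODE -ne 0) { throw "Could not mount the ESP on $EspDrive" }

try {
    $bootDir = Join-Path $EspDrive 'EFI\Microsoft\Boot'
    $cutoff  = (Get-Date).AddDays(-$LookbackDays)
    $efiFiles = Get-ChildItem -Path $bootDir -Filter '*.efi' -Recurse -ErrorAction SilentlyContinue

    # 2. Recently created bootloader files: .efi binaries whose creation time falls
    #    inside the lookback window on a machine that has not just been installed.
    $recent = $efiFiles | Where-Object { $_.CreationTime -gt $cutoff }

    # 3. Locked bootloader files: a file the bootkit keeps open cannot be opened
    #    with FileShare.None, so the failed opens are the candidates.
    $locked = foreach ($f in $efiFiles) {
        try {
            $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'None')
            $fs.Close()
        } catch [System.IO.IOException] {
            $f
        }
    }

    # 4. Staging directory: a clean ESP normally has only EFI at the top level
    #    (plus System Volume Information, and sometimes an OEM directory).
    #    Anything else is flagged; the exact BlackLotus directory name is not assumed.
    $expectedTop = @('EFI', 'System Volume Information')
    $oddDirs = Get-ChildItem -Path "$EspDrive\" -Directory -Force -ErrorAction SilentlyContinue |
               Where-Object { $expectedTop -notcontains $_.Name }

    # 5. HVCI registry value: Enabled = 0 under the DeviceGuard key means
    #    Hypervisor-Protected Code Integrity has been switched off.
    $hvciPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvci = Get-ItemProperty -Path $hvciPath -Name Enabled -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RecentBootFiles   = @($recent  | Select-Object -ExpandProperty FullName)
        LockedBootFiles   = @($locked  | Select-Object -ExpandProperty FullName)
        UnexpectedEspDirs = @($oddDirs | Select-Object -ExpandProperty FullName)
        HvciEnabled       = if ($null -eq $hvci) { 'value absent' } else { $hvci.Enabled }
    } | Format-List
}
finally {
    # 6. Always remove the drive letter again so the ESP is not left exposed.
    mountvol $EspDrive /D
}
```

A non-empty RecentBootFiles or LockedBootFiles list, an unexpected directory on the ESP, or HvciEnabled reading 0 on a machine where memory integrity was turned on are each a reason to pull the host for a closer look; none of them alone is proof of infection, so pair them with the network and boot configuration logs Microsoft also lists.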
In addition, because the bootkit relies on CVE-2022-21894, applying the update that fixes that vulnerability beforehand helps protect the device. One caveat: Secure Boot keeps trusting the older, vulnerable signed boot manager until it is revoked, and the bootkit brings its own copy of that binary, so the vulnerability fix on its own is not enough; Microsoft’s Secure Boot revocation updates for the boot manager need to be applied as well.
Microsoft also suggests that organizations “avoid using service accounts at the administrator level. Restricting local administrative privileges can help limit the installation of remote access Trojans (RATs) and other unwanted applications.”
BlackLotus costs around $5,000 per license
The malware has been offered since 2022 on various hacker forums and similar venues. In the sale announcement, the sellers claim it can evade antivirus detection, resist removal attempts and disable various security features.
A license costs around $5,000, while rebuilds cost $200 (the original article also quoted these as roughly 24,000 and 984 in its local currency).
The sellers claim that BlackLotus has built-in Ring0/kernel protection against removal, can start in recovery or safe mode, and has a Secure Boot bypass built in.
According to Microsoft, once the bootkit has been identified on a computer, the device should be removed from the network and reinstalled with a clean operating system and a clean EFI partition; alternatively, the system can be restored from a clean backup that includes the EFI partition. Reinstalling only the operating system is not enough, because the bootkit lives on the EFI System Partition.