‘Near-undetectable’ hacking tool up for sale on malware forum
>
A new and rare type of malware is reportedly available on the black market, with features usually reserved for hacking tools used by states making it virtually impossible for antivirus software to detect.
Known as BlackLotus, the malware is claimed to be a Unified Extensible Firmware Interface (UEFI) bootkit. UEFI is the computer standard that acts as an interface between the operating system and the firmware; when you turn on your computer, the UEFI starts a bootloader, which in turn boots the kernel and the operating system.
By loading at the initial boot state, the malware embeds itself in a system’s firmware, allowing it to bypass all security checks of antivirus software and thus go undetected.
Heavyweight Features
On an online malware forum where BlackLotus licenses are apparently sold for $5,000 each, the vendor claims that even Safe Boot will not thwart the tool, as it uses a vulnerable boot loader. They further noted that adding this bootloader to the UEFI Revocation List (opens in new tab) wouldn’t fix the problem as there are currently hundreds of others with the same vulnerability that could be used instead.
Another feature that makes BlackLotus so potentially dangerous is the apparent Ring 0/kernel protection. Computers work with protection rings that divide the system into different levels based on how fundamental they are to the machine’s operation, to prevent potential threats and errors from leaking to other parts.
Gaining access through these rings is becoming increasingly difficult. The core is Ring 0, which contains the kernel: this is what connects your software to your hardware. This ring represents the highest level of protection in terms of access, so if BlackLotus does indeed have ring 0 protection, it would be extremely difficult to get rid of.
The seller also claimed that BlackLotus has the ability to disable Windows Defender and comes with anti-debug to avoid detection by malware scans.
No longer in state hands
Experts warn that malware on the scale of BlackLotus is no longer the sole province of governments and states. Sergey Lozhkin, the principal security researcher at Kaspersky stated: (opens in new tab)“These threats and technologies were previously only accessible to guys who developed sophisticated, persistent threats, mostly governments. Now these kinds of tools are in the hands of criminals all over the forums.”
Last year a UEFI boot kit known as ESPecter was discovered and was apparently designed at least 10 years ago for use on BIOS systems, the predecessor to UEFI. Their availability outside of state-run groups still remains very rare, at least for now.
Another security expert — Eclypsium CTO Scott Scheferman — tried to allay the concerns by saying they couldn’t be sure of BlackLotus’s claims just yet, claiming that while it could be a leap forward in terms of easy access to such powerful tools, it may still be in its infancy and not working as effectively as claimed.
Anyway, the advancement in the world of cyber criminals is very fast, and if profits can be made from the production and use of this powerful malicious software, then there will be no shortage of demand for its development and improvement. Once the cat is out of the bag, it is very difficult to put it back in.