What Is a Bootkit Malware Embedded in UEFI?

Bootkit Malware

Bootkit malware is a specialized form of spyware that allows threat actors to steal information and conduct illegal activities while subverting operating system security mechanisms. Such stealthy tools are difficult for cybersecurity teams to detect and neutralize.

The BlackLotus UEFI bootkit leverages a flaw (CVE-2022-2894) to achieve persistence and defeat security measures such as BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender. It also carries tooling to drop kernel drivers and to communicate with its command and control (C2) server.

UEFI Bootkits

UEFI (Unified Extensible Firmware Interface) is the low-level software that acts as an intermediary between a device's firmware and its operating system, giving rootkits the chance to remain undetected throughout the boot phase.

Traditional bootloaders tend to load from files stored on hard drives or optical discs; in contrast, UEFI-based bootloaders load directly from a partition known as the EFI System Partition (ESP), which the firmware reads before any kernel is in memory and which therefore offers a fast, direct path into the boot process. These bootloaders consequently have a greater chance of going undetected, even by antivirus scanners.

Although UEFI bootkits may not be as widespread as rootkits, their ability to remain hidden from antivirus programs and scanners makes them particularly dangerous. They are also more persistent than other types of bootkits: because they reside within the firmware, they survive even an OS reinstallation or a hard disk replacement.

BlackLotus, sold on hacker forums for $5,000 since 2022, takes advantage of an exploit that was patched over a year ago (CVE-2022-1894) to bypass UEFI Secure Boot and achieve persistence. To do this, it employs kernel drivers to disable operating system security mechanisms, including BitLocker and Windows Defender, and an HTTP downloader to fetch additional malicious payloads from its server.

BlackLotus installs its bootkit files in the EFI system partition, so it does not require direct access to the SPI flash storage chip for installation. Instead, BlackLotus uses its bootloader config space to set up a DHCP server that transmits its files to victims over a network connection.
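Because a bootkit of the kind described above stages its files in the EFI system partition rather than in SPI flash, a defender can locate that partition from the GPT and inventory what is in it. The following is an added example, not code from the original article or from any project it names: a minimal offline GPT parser that verifies the header and partition-array CRC32 values as the UEFI specification defines them and returns every partition carrying the ESP type GUID. The disk image, its disk and partition GUIDs and the partition names are all constructed here for demonstration.

```python
"""Locate the EFI System Partition (ESP) in a GPT and verify the table's CRCs.

Added example for this article; the disk image below is constructed inline
so that the script runs offline.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_SIZE = 92
GPT_ENTRY_SIZE = 128
NUM_ENTRIES = 128

# Partition type GUIDs defined by the UEFI specification and Microsoft.
ESP_TYPE_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
MS_BASIC_DATA_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")

# Little-endian layouts of the 92-byte GPT header and one 128-byte entry.
HEADER_FMT = "<8sIIIIQQQQ16sQIII"
ENTRY_FMT = "<16s16sQQQ72s"


def _crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_entry(type_guid, unique_guid, first_lba, last_lba, name):
    """Encode one partition entry; GUIDs use the mixed-endian on-disk order (bytes_le)."""
    utf16_name = name.encode("utf-16-le").ljust(72, b"\x00")
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, unique_guid.bytes_le,
                       first_lba, last_lba, 0, utf16_name)


def build_gpt_image(entries, total_lbas=2048):
    """Constructed test image: empty LBA 0, GPT header at LBA 1, entry array from LBA 2."""
    array = b"".join(entries).ljust(NUM_ENTRIES * GPT_ENTRY_SIZE, b"\x00")
    disk_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # arbitrary, constructed
    fields = [GPT_SIGNATURE, 0x00010000, GPT_HEADER_SIZE, 0, 0,
              1, total_lbas - 1, 34, total_lbas - 34, disk_guid.bytes_le,
              2, NUM_ENTRIES, GPT_ENTRY_SIZE, _crc(array)]
    fields[3] = _crc(struct.pack(HEADER_FMT, *fields))  # header CRC is taken with the field zeroed
    header = struct.pack(HEADER_FMT, *fields)
    return b"\x00" * SECTOR + header.ljust(SECTOR, b"\x00") + array


def parse_gpt(image: bytes):
    """Return the used partition entries, or raise ValueError if a signature or CRC check fails."""
    hdr = image[SECTOR:SECTOR + GPT_HEADER_SIZE]
    (sig, _rev, hsize, hcrc, _res, _my, _alt, _first, _last, _disk,
     entry_lba, n_entries, entry_size, array_crc) = struct.unpack(HEADER_FMT, hdr)
    if sig != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1")
    # The header CRC covers HeaderSize bytes with the CRC field (offset 16..20) zeroed.
    if _crc(hdr[:16] + b"\x00\x00\x00\x00" + hdr[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    start = entry_lba * SECTOR
    array = image[start:start + n_entries * entry_size]
    if _crc(array) != array_crc:
        raise ValueError("partition entry array CRC mismatch")
    partitions = []
    for i in range(n_entries):
        raw = array[i * entry_size:i * entry_size + GPT_ENTRY_SIZE]
        type_le, uniq_le, first, last, _attrs, name = struct.unpack(ENTRY_FMT, raw)
        ptype = uuid.UUID(bytes_le=type_le)
        if ptype.int == 0:
            continue  # unused slot
        partitions.append({"index": i, "type": ptype, "unique": uuid.UUID(bytes_le=uniq_le),
                           "first_lba": first, "last_lba": last,
                           "name": name.decode("utf-16-le").rstrip("\x00")})
    return partitions


def find_esp(image: bytes):
    """Every partition whose type GUID marks it as an EFI System Partition."""
    return [p for p in parse_gpt(image) if p["type"] == ESP_TYPE_GUID]


def is_intact(image: bytes) -> bool:
    """True when signature and both CRCs verify; a mismatch on a known-good disk warrants a look."""
    try:
        parse_gpt(image)
        return True
    except ValueError:
        return False


# Constructed sample: one ESP followed by one Windows data partition.
SAMPLE_IMAGE = build_gpt_image([
    build_entry(ESP_TYPE_GUID, uuid.UUID("aaaaaaaa-0000-0000-0000-000000000001"),
                34, 1057, "EFI System Partition"),
    build_entry(MS_BASIC_DATA_GUID, uuid.UUID("aaaaaaaa-0000-0000-0000-000000000002"),
                1058, 2014, "Basic data partition"),
])

if __name__ == "__main__":
    for p in find_esp(SAMPLE_IMAGE):
        print(f"ESP at LBA {p['first_lba']}-{p['last_lba']} ({p['name']}): mount and inventory EFI/*/*.efi")
```

On a real system the same functions can be pointed at the first 34 sectors read from the disk device; the CRC checks are the cheap part, and the useful follow-up is to mount the partition `find_esp` reports and compare the `.efi` binaries there against a known-good inventory.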

UEFI bootkits take effect before any operating system loads, giving them the opportunity to bypass existing security measures and introduce their own. This includes installing kernel-mode or user-mode payloads at early boot stages, disabling the security mechanisms of various operating systems, and installing malware known as DerStarke on macOS systems.

Legacy Bootkits

As cybercrime becomes more sophisticated, cybercriminals find new ways to subvert operating systems. Bootkits allow them to gain control before the operating system launches: most use kernel-mode code, while some work from the boot process itself or exploit hardware features not intended to be used by software.

Bootkits first appeared once attackers realized that by bypassing Microsoft's code-signing policy and installing kernel-mode drivers they could gain greater control of systems than ever before, which quickly made bootkits an incredibly popular infection vector.

Bootkits often work by infiltrating the MBR (Master Boot Record) or VBR (Volume Boot Record). These infections are simpler than those involving UEFI firmware. Because the MBR contains both the boot code for the hard drive and the partition table, bootkits typically back up the original MBR before overwriting it with their own code and writing weakly encrypted components to the disk.
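The behaviour just described, overwriting the boot code while preserving the partition table the bootkit still needs, is something a defender can check for. The following is an added example, not code from the original article: it decodes a 512-byte MBR into a hash of the 446-byte boot code plus the four partition entries, and compares a current read against a recorded baseline so that "boot code changed, partition table unchanged" stands out. The clean and tampered sectors are constructed here for demonstration; the clean one merely opens with the familiar `cli / xor ax,ax / mov ss,ax / mov sp,0x7C00` prologue and is not a real loader.

```python
"""Decode an MBR and compare it with a recorded baseline.

Added example for this article; both sectors below are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 446      # four 16-byte entries follow at 446..509
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte MBR into a boot-code hash and its non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Report which MBR regions differ from the recorded baseline."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings


def make_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    table = b""
    for status, ptype, lba_start, count in entries:
        table += struct.pack(ENTRY_FMT, status, b"\x00\x00\x00", ptype,
                             b"\x00\x00\x00", lba_start, count)
    table = table.ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE


# Constructed samples: a bootable NTFS (type 0x07) system partition and a second
# data partition. The tampered sector keeps the table and replaces the boot code,
# which is the pattern the article attributes to MBR bootkits.
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1843200)]
CLEAN_MBR = make_mbr(bytes.fromhex("fa33c08ed0bc007c"), PARTITIONS)
TAMPERED_MBR = make_mbr(b"BOOTKIT STUB (constructed placeholder)", PARTITIONS)

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)
    print(compare_to_baseline(baseline, parse_mbr(CLEAN_MBR)))      # []
    print(compare_to_baseline(baseline, parse_mbr(TAMPERED_MBR)))   # ['boot code changed']
```

The baseline dictionary is what you would store after a known-good build; reading sector 0 of the disk device on a schedule and diffing it against that record catches an overwritten MBR even when the partition table, and therefore the system's ability to boot, looks perfectly normal.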

Older bootkits may not be as stealthy, but they still give attackers an advantage over antivirus and other security tools that run in Windows user mode. These older bootkits can also persist through reboots, hard drive replacements and other system changes.

FinFisher was discovered as part of the FinSpy spyware suite, which was sold and marketed to government agencies; its UEFI bootkit component had been in operation since 2014.

Some legacy bootkits use attack techniques similar to those of modern UEFI bootkits, adding a small piece of software to both the MBR and the boot loader files to hide their presence. One common technique writes data with a random XOR pattern into the MBR, which both protects against detection and makes the infection easy to identify during scans.

Advanced bootkits target the DXE stage of boot by installing an unsigned DXE driver that adds malicious content. This method is stealthier than deploying malware through ESP files alone; however, it cannot coexist with Secure Boot, since the driver cannot be signed.

Windows Rootkits

Rootkits work at the kernel level of a computer system, providing attackers with unauthorised privileged access. Attackers often exploit software or hardware flaws to gain entry and abuse device capabilities, which lets rootkits take control of systems, steal data or surveil users while remaining undetected: operating at this depth, they hide from anti-malware programs and other software.

Rootkits that infiltrate Windows systems are commonly known as bootkits. Running alongside the operating system, they attach themselves to the Master Boot Record or Volume Boot Record code, which instructs the computer how to load the OS, while remaining undetected. Bootkits may also attach themselves to hardware and firmware, allowing them to capture information written to hard disks or intercept network communications without detection.

Once installed, rootkits can remain undetected for years while collecting data or resources that attackers could then use as leverage against other threats, including spyware, ransomware and even viruses.

To protect against these threats, apply the same security practices you would against any other cyberattack: keep antivirus software, the OS and applications updated; run regular scans using Norton Power Eraser; and practice good cyber hygiene, staying away from suspicious websites and domain names and downloading files only from trustworthy sources.

Though these steps help, you may still become the next target of a sophisticated rootkit: these attacks are highly sophisticated and even the most cautious internet users may fall prey. Luckily, Norton cybersecurity software provides real-time malware protection and website scanning features designed to safeguard both devices and information.

Linux Rootkits

Rootkits are malicious code that infiltrates the kernel, the most privileged code within an operating system (ring 0). Rootkits can intercept and redirect all operations within the kernel itself as well as those performed by third-party applications, hiding files and processes from forensic tools and even subverting or bypassing the APIs used to scan for malicious activity.

As our global society rapidly digitizes, threats have become more sophisticated in their methods of attack. More often than ever before, attackers use kernel rootkits to evade detection: they gain administrator-level access and then hide their presence by changing system settings or running hidden commands, leaving security professionals exposed. Without proper knowledge of the different types of Linux rootkits, how they are constructed and how to detect them, security professionals could fall prey to these dangerous threats.

One type of rootkit designed to penetrate the kernel is known as a bootkit. This form of malicious software replaces the original boot loader, enabling an attacker to run malicious code before the operating system boots. Bootkits may also target full disk encryption systems, giving attackers an avenue to sensitive information even after a reboot or an OS reinstallation.

Hypervisor-based rootkits, which exploit hardware virtualization capabilities to take control of a host computer, can also be very difficult to detect and remove because they operate at a higher privilege level than the operating system itself, making memory dumps taken from within that operating system ineffective against them.

Loader rootkits are another type of kernel-mode rootkit. These programs infiltrate the kernel modules that run device drivers, such as those for hard drives, routers, network cards and the system BIOS, to infect firmware; this lets attackers intercept anything written to disk or transmitted over the network.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.