A new and rare breed of malware is said to be available on the black market, and it includes features normally reserved for the hacking tools used by states, which its seller claims make it nearly impossible for antivirus software to detect.
Known as BlackLotus, the malware is said to be a Unified Extensible Firmware Interface (UEFI) bootkit. UEFI is the specification that defines the interface between a machine's firmware and its operating system: when you turn on the computer, the UEFI firmware loads a bootloader, which in turn loads the kernel and the rest of the operating system.
By inserting itself at that earliest stage of the boot chain, a bootkit runs before the operating system and therefore before any antivirus or endpoint security product the operating system starts, which is why it can bypass their checks and remain undetected.
On an online malware forum that appears to be selling BlackLotus licences for $5,000 each, the vendor claims that even Secure Boot cannot stop the tool, because it loads through a vulnerable but legitimately signed bootloader. They also note that adding this bootloader to the UEFI revocation list (the DBX database that Secure Boot consults) would not solve the problem, as there are currently hundreds of other bootloaders with the same vulnerability that could be used instead.
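The revocation list mentioned above is a UEFI authenticated variable (DBX) made of EFI_SIGNATURE_LIST structures, each holding entries of one type (SHA-256 hashes of revoked boot images, or revoked X.509 certificates). The following is an added example, not code from the original article or from any vendor, showing how a defender can parse such a blob and check whether a given image hash has been revoked. The byte layout follows the UEFI specification; the two hashes, the owner GUID and the certificate bytes are constructed for this example, and on a real Windows machine the blob would come from `Get-SecureBootUEFI -Name dbx` instead.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x UINT32).
LIST_HEADER_LEN = 16 + 12
# Every EFI_SIGNATURE_DATA entry starts with a 16-byte SignatureOwner GUID.
OWNER_GUID_LEN = 16


def build_signature_list(sig_type, owner, entries):
    """Serialize one EFI_SIGNATURE_LIST with a zero-length SignatureHeader.

    All entries in a list must have the same length (the spec requires it).
    """
    entry_len = len(entries[0])
    if any(len(e) != entry_len for e in entries):
        raise ValueError("all entries in one list must have the same size")
    sig_size = OWNER_GUID_LEN + entry_len
    list_size = LIST_HEADER_LEN + sig_size * len(entries)
    # GUIDs are stored in the mixed-endian form that uuid exposes as bytes_le.
    out = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


def parse_signature_lists(blob):
    """Yield (sig_type, owner, data) for every entry across all lists in the blob.

    Malformed sizes raise ValueError instead of silently skipping entries,
    because a parser that "mostly works" on a revocation list is a false sense of safety.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= OWNER_GUID_LEN:
            raise ValueError("bad SignatureSize")
        body = blob[off + LIST_HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + OWNER_GUID_LEN])
            yield sig_type, owner, body[i + OWNER_GUID_LEN:i + sig_size]
        off += list_size


def revoked_sha256_hashes(blob):
    """Return the set of revoked image hashes (lower-case hex) found in the blob."""
    return {data.hex() for t, _owner, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob, image_hash_hex):
    """True if the given SHA-256 (hex) appears as a revoked hash entry.

    Caveat: DBX hashes for PE boot images are Authenticode hashes (computed over
    the PE with the checksum and certificate table skipped), not a plain
    sha256 of the file bytes. Compute the Authenticode hash before calling this.
    """
    return image_hash_hex.lower() in revoked_sha256_hashes(blob)


# --- Constructed sample data (not a real DBX) -------------------------------
SAMPLE_OWNER_GUID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")  # made up
REVOKED_A = hashlib.sha256(b"constructed bootloader A").digest()
REVOKED_B = hashlib.sha256(b"constructed bootloader B").digest()
FAKE_DER_CERT = b"\x30\x03\x02\x01\x01"  # placeholder DER blob, not a real cert

SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER_GUID, [REVOKED_A, REVOKED_B])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER_GUID, [FAKE_DER_CERT])
)

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DBX):
        kind = "sha256" if sig_type == EFI_CERT_SHA256_GUID else "x509"
        print(kind, owner, data.hex()[:16])
    print("A revoked:", is_revoked(SAMPLE_DBX, REVOKED_A.hex()))
```

The point the seller's claim turns on is visible in the structure: DBX revokes individual image hashes (or certificates), so one entry only blocks one specific bootloader build, and a signed loader with the same flaw but a different hash still passes Secure Boot until it too is listed.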
Another attribute that makes BlackLotus potentially so dangerous is its claimed Ring 0 (kernel-level) protection. Processors divide execution into protection rings, privilege levels that separate the most fundamental parts of the system from less trusted code, so that bugs or threats in one layer cannot freely reach another.
The further inward you go, the more restricted access becomes. At the centre is Ring 0, where the kernel runs: the layer that connects software to hardware and holds the highest privilege. If BlackLotus really does protect itself from Ring 0, it would be extremely difficult to remove, because it would run with the same privileges as the security software trying to remove it.
The seller also claims that BlackLotus can disable Windows Defender and is equipped with anti-debugging features intended to frustrate analysis and detection by malware scanners.
No longer in government hands
Experts warn that BlackLotus-scale malware is no longer the sole domain of governments and states. Sergey Lozhkin, senior security researcher at Kaspersky, said: “These threats and technologies used to only be accessible to people developing advanced persistent threats, mainly governments. Now these types of tools are in the hands of criminals on all forums.”
Last year another UEFI bootkit, known as ESPecter, was discovered; it had apparently been developed at least 10 years earlier for legacy BIOS systems, the precursor to UEFI. The availability of such bootkits outside state groups is still very rare, at least for now.
Another security expert, Eclypsium CTO Scott Scheferman, tried to allay concerns by saying that the seller's claims about BlackLotus could not yet be verified: while this would be a leap forward in terms of ease of access to such powerful tools, the malware may still be at an early stage of development and not working as effectively as advertised.
Notwithstanding, progress in the world of cybercrime moves very fast, and if profit can be made from the production and use of such powerful malicious software, there will be no shortage of demand for its development and improvement. Once the cat is out of the bag, it is very difficult to put it back in.
Source: ‘Near-undetectable’ hacking tool up for sale on malware forum, https://www.techradar.com/news/near-undetectable-hacking-tool-up-for-sale-on-malware-forum