Microsoft has released a list of indicators to make it easier to spot a possible BlackLotus UEFI bootkit attack on your machine. The company is now giving detection tips and reminding users to install the security patch.

In January, a vulnerability known as a Secure Boot bypass (CVE-2022-21894) became known and Microsoft published information about it. The vulnerability was then fixed on the January patch day.

At the beginning of March, it was announced that a previously unknown group had developed malware called BlackLotus, the first UEFI bootkit capable of defeating Windows’ Secure Boot feature. Now Microsoft is once again pointing out how important it is to install the January update and is providing a guide to detecting BlackLotus infections. Detection is not that easy.

Antivirus programs are turned off

If the UEFI bootkit has entered a computer or network using the CVE-2022-21894 vulnerability, it usually evades detection. The malware initially disables antivirus programs and resists removal attempts by the usual tools. However, there are “side effects” that can indicate a BlackLotus infection.

When analyzing devices infected with BlackLotus, the Microsoft Incident Response Team identified several points in the malware’s installation and execution process that allow for detection.

Indications of BlackLotus UEFI bootkit infection are:

  • Recently created and locked bootloader files
  • Presence of a staging directory used during BlackLotus installation in the ESP:/ file system
  • Hypervisor-Protected Code Integrity (HVCI) registry key change
  • Network logs
  • Boot configuration logs
  • Boot partition artifacts

Because BlackLotus needs to write malicious bootloader files to the EFI system partition, also known as the ESP, it locks these files to prevent them from being deleted or modified. Recently modified and locked files in the ESP location, particularly if they match known BlackLotus bootloader filenames, “should be considered highly suspicious,” Microsoft said. Microsoft recommends using the mountvol command-line utility to mount the boot partition and inspect file creation dates, looking for files whose creation time does not match their other timestamps. Another distinguishing feature of BlackLotus is the presence of the “/system32/” directory on the ESP, which stores the files required to install the UEFI malware. According to Microsoft, if BlackLotus is installed successfully, the files in the “ESP:/system32/” directory are deleted, but the directory itself remains.
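The checks described above, collected into one triage script as an added example (this is not code from the article or from Microsoft’s guidance). It assumes the drive letter S: is free, that the ESP follows the standard EFI\ layout, and that the `$KnownBadNames` list is filled in from Microsoft’s published indicator list, which the article does not reproduce; the HVCI registry path is the standard DeviceGuard policy key.

```powershell
# Added example: triage the BlackLotus indicators from an elevated PowerShell session.
# Assumptions: S: is unused; $KnownBadNames is a placeholder to be populated from
# Microsoft's indicator list; $RecentDays is a tuning choice, not a Microsoft value.
$EspDrive      = 'S:'
$KnownBadNames = @()          # placeholder: known BlackLotus bootloader filenames
$RecentDays    = 90
$findings      = New-Object System.Collections.Generic.List[object]

function Add-Finding($Indicator, $Path, $Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Path = $Path; Detail = $Detail })
}

# 1. Mount the EFI system partition. "mountvol <letter> /S" assigns a drive letter to the ESP.
mountvol $EspDrive /S
if (-not (Test-Path "$EspDrive\EFI")) {
    Write-Error "ESP not mounted at $EspDrive (run elevated; check the letter is free)"
    return
}

# 2. Recently created/modified, timestamp-inconsistent, locked, or known-name bootloader files.
Get-ChildItem -Path "$EspDrive\EFI" -Recurse -File | ForEach-Object {
    $f        = $_
    $recent   = $f.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays)
    # A creation time newer than the last write time is a classic timestamp mismatch.
    $mismatch = $f.CreationTime -gt $f.LastWriteTime
    # Try to open the file exclusively for write; a sharing violation means another
    # component holds it open (ACL denial also fails here, so treat it as a lead, not proof).
    $locked = $false
    try {
        $fs = [System.IO.File]::Open($f.FullName, 'Open', 'ReadWrite', 'None')
        $fs.Close()
    } catch { $locked = $true }
    $knownBad = $KnownBadNames -contains $f.Name

    if ($recent -or $mismatch -or $locked -or $knownBad) {
        Add-Finding 'BootloaderFile' $f.FullName `
            ("created={0} modified={1} locked={2} mismatch={3} knownName={4}" -f `
             $f.CreationTime, $f.LastWriteTime, $locked, $mismatch, $knownBad)
    }
}

# 3. Staging directory: ESP:\system32 is left behind even after its contents are deleted.
if (Test-Path "$EspDrive\system32") {
    $count = (Get-ChildItem "$EspDrive\system32" -Recurse -File -ErrorAction SilentlyContinue).Count
    Add-Finding 'StagingDirectory' "$EspDrive\system32" "exists; $count file(s) remaining"
}

# 4. HVCI policy value: the bootkit turns HVCI off, so Enabled=0 on a host where it
#    should be on is worth investigating (compare against your baseline).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
if ($hvci -and $hvci.Enabled -eq 0) {
    Add-Finding 'HvciRegistry' $hvciKey 'Enabled=0'
}

# 5. Dismount the ESP again so it is not left exposed as a drive letter.
mountvol $EspDrive /D

if ($findings.Count -eq 0) { 'No BlackLotus indicators found by these checks.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

An empty result from this script does not clear a host: it covers only the file, directory and registry indicators discussed here, not the network, boot configuration or boot partition artifacts on Microsoft’s list, and a bootkit that already controls the boot chain can hide from checks run from within the running system. Treat hits as a reason to pull the ESP image and boot logs for offline analysis rather than as proof on their own.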

Disabled antivirus programs are also an indication of an attack.

Summary

  • Microsoft provides tips on how to detect a BlackLotus UEFI bootkit attack.
  • Installing the January security patch is recommended.
  • Consider recently modified and locked bootloader files in the ESP location as suspicious.
  • Use the mountvol command-line utility to mount the ESP and check file creation dates.
  • Presence of the “/system32/” directory on the ESP is an indication of a BlackLotus infection.
  • Files in the “ESP:/system32/” directory are deleted, but the directory remains.
  • Reminder to install the January security patch.
