ESET Research Podcast: Finding the mythical BlackLotus bootkit

A story of how an analysis of a supposed game cheat turned into the discovery of a powerful UEFI threat

Towards the end of 2022 an unknown threat actor boasted on an underground forum that they’d created a new and powerful UEFI bootkit called BlackLotus. Its most distinctive feature? It could bypass UEFI Secure Boot – a feature built into all modern computers to prevent them from running unauthorized software.

What at first sounded like a myth – especially on a fully updated Windows 11 system – turned into reality a few months later, when ESET researchers found a sample that perfectly matched this main feature as well as all other attributes of the advertised bootkit.

In this episode of the ESET Research podcast, ESET Distinguished Researcher and podcast host Aryeh Goretsky talks to ESET Malware Researcher Martin Smolár about how he discovered the threat and what the main findings of his analysis were.

In the discussion, Martin reveals that he initially considered the BlackLotus sample to be a game cheat and describes the moment when he realized that he had found something much more dangerous. To avoid a common misconception, Martin also explains the difference between malicious UEFI firmware implants and threats that “only” target the EFI partition. To make the information actionable for our listeners, the final part of the discussion explores the prevention and mitigation of UEFI attacks.

For more details, such as who might be affected by BlackLotus or how a threat actor might obtain the bootkit, listen to the whole episode of the ESET Research podcast on Spotify, Google Podcasts, Apple Podcasts, or PodBean. And if you like what you hear, subscribe for more.
