July 13, 2023 By Ionut Arghire
The source code for the BlackLotus UEFI bootkit has been shared publicly on GitHub, albeit with several modifications compared to the original malware.
Designed specifically for Windows, the bootkit emerged on hacker forums in October last year, advertised with APT-level capabilities such as Secure Boot and User Account Control (UAC) bypass and the ability to disable security applications and defense mechanisms on victim systems.
Able to persist in the firmware, BlackLotus can be used to load unsigned drivers, and has been observed exploiting CVE-2022-21894, a year-old vulnerability in Windows, to disable Secure Boot even on fully patched systems.