October 11, 2024

Microsoft gives tips on spotting this undetectable malware

April 13, 2023 0

 

Microsoft shows there are ways IT teams can detect an “invisible” and stubbornly persistent piece of malware called BlackLotus, as the Redmond giant publishes detailed guidance on defending against the UEFI bootkit.

BlackLotus is a sophisticated malware variant that targets the Unified Extensible Firmware Interface, or UEFI, that boots up pretty much every component of today’s computers. 

As it runs before the computer’s operating system, placing the malware here means it can disable antivirus protections or even remain operational while security solutions are up and running. It also means that the malware will remain on the device even after the operating system is reinstalled – and even if the victim replaces the hard drive.

Spotting the malware

Threat actors usually look to deploy BlackLotus by leveraging a vulnerability tracked as CVE-2022-21894. The malware is on sale on the dark forums, going for roughly $5,000, BleepingComputer reports. Rebuilds are available for roughly $200.

All of this makes it very hard to detect and remove. However, with Microsoft’s guidance, it should be somewhat easier. As per the report, analyzing these artifacts can help determine if your system has been infected with the BlackLotus UEFI bootkit:

Read more

> ‘Near-undetectable’ hacking tool up for sale on malware forum

> A new dangerous malware is turning Windows and Linux devices into DDoS tools

> Here’s our list of the best endpoint protection tools

Recently created and locked bootloader filesPresence of a staging directory used during the BlackLotus install in the EPS:/ filesystemRegistry key modification for the Hypervisor-protected Code Integrity (HVCI)Network logsBoot configuration logsBoot partition artifacts

To clean a device from a BlackLotus compromise, one must remove it from the network, and reinstall it with a clean operating system and EFI partition, the researchers instruct. Alternatively, they can restore it from a clean backup with an EFI partition.

It’s also worth mentioning that threat actors need to leverage a specific vulnerability – CVE-2022-21894 – to deploy BlackLotus. Having a patch installed which addresses this vulnerability can also help protect the device from future infections. 

Finally, as the company says: “Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications”.

Check out the best firewalls right now

Via: BleepingComputer

 

More Stories

Win an Apple Watch Series 10 and Nylon Band From Southern Straps

Win an Apple Watch Series 10 and Nylon Band From Southern Straps

October 11, 2024 0
Why I never get invested in Netflix shows

Why I never get invested in Netflix shows

October 11, 2024 0
Review: ZUGU’s iPad Pro Case Seamlessly Combines Functionality With Protection

Review: ZUGU’s iPad Pro Case Seamlessly Combines Functionality With Protection

October 11, 2024 0

You may have missed

Win an Apple Watch Series 10 and Nylon Band From Southern Straps

Win an Apple Watch Series 10 and Nylon Band From Southern Straps

October 11, 2024 0
Why I never get invested in Netflix shows

Why I never get invested in Netflix shows

October 11, 2024 0
Review: ZUGU’s iPad Pro Case Seamlessly Combines Functionality With Protection

Review: ZUGU’s iPad Pro Case Seamlessly Combines Functionality With Protection

October 11, 2024 0
Apple’s 16-Year-Old SuperDrive Now Out of Stock Worldwide, Likely Discontinued

Apple’s 16-Year-Old SuperDrive Now Out of Stock Worldwide, Likely Discontinued

October 11, 2024 0
The Best Prime Day Deals You Can Still Get on AirPods, Apple Watch, iPad, and More

The Best Prime Day Deals You Can Still Get on AirPods, Apple Watch, iPad, and More

October 11, 2024 0