Effective Strategies for Recovery and Prevention of BlackLotus
Microsoft’s Security Blog has issued a critical guide to assist organizations in assessing potential compromise by threat actors exploiting CVE-2022-21894 through a dangerous Unified Extensible Firmware Interface (UEFI) bootkit known as “BlackLotus.” This UEFI bootkit operates during computer startup, before the loading of the operating system, enabling it to tamper with or deactivate security mechanisms like BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. While these actions can hinder cybersecurity efforts, certain key artifacts and clues can help identify affected devices. The document details techniques for determining infection and provides valuable recovery and prevention strategies.

The use of the BlackLotus bootkit is primarily a means of persistence and defense evasion for threat actors. It is not an initial payload but is deployed to a device that has already been compromised by an attacker with privileged or physical access. Leveraging CVE-2022-21894 (also known as “Baton Drop”), BlackLotus bypasses Windows Secure Boot and deploys malicious files to the EFI System Partition (ESP), allowing it to achieve persistence, deactivate HVCI, disable BitLocker, and turn off Microsoft Defender Antivirus.
To effectively detect and respond to BlackLotus attacks, organizations must be able to locate specific infection clues and artifacts:
- Locating BlackLotus Infection Clues:
  - UEFI Boot Partition: The BlackLotus UEFI bootkit deploys malicious files to the EFI System Partition (ESP), where they are launched by the UEFI firmware. The bootkit achieves persistence by enrolling the threat actor’s Machine Owner Key (MOK) and can deactivate HVCI, disable BitLocker, and turn off Microsoft Defender Antivirus. To locate BlackLotus infection clues, threat hunters should examine the ESP for recently modified and locked bootloader files matching known BlackLotus filenames.
  - Staging Directory Presence: During the installation process, BlackLotus creates a custom directory under ESP:/system32/. While the files within this directory are deleted after successful installation, the directory itself is not. Forensic analysis of the ESP may reveal the historical presence of files previously contained in this directory.
- Boot Partition Artifacts:
  - Bootloader Files: BlackLotus writes malicious bootloader files to the ESP and subsequently locks them to protect them from deletion or tampering. Threat hunters can mount the boot partition (using the “mountvol” command-line utility, for example) to examine the creation dates of files within. Files with mismatched creation times or names matching those protected by the BlackLotus kernel driver (e.g., ESP:\EFI\Microsoft\Boot\winload.efi) should be considered suspicious.
  - Locked Bootloader Files: BlackLotus locks certain bootloader files to protect them. Any attempt to access these files will generate an ERROR_SHARING_VIOLATION error with the message “The process cannot access the file because it is being used by another process.” Files in the ESP that return this error should be considered highly suspicious.
- Registry, Logs, and Network Clues:
  - Registry Modification: To turn off HVCI, the installer modifies the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity by setting the value “Enabled” to “0.” Threat hunters should examine the environment for this registry key modification.
  - Event Log Entries: BlackLotus disables Microsoft Defender Antivirus by patching its drivers and stripping the main process’s privileges. This behavior may produce entries in the Microsoft-Windows-Windows Defender/Operational log in Windows Event Logs, indicating that real-time protection has stopped. Additionally, the unexpected termination of the Microsoft Defender Antivirus service may produce an Event ID 7023 in the System event log.
  - Network Logging: Outbound network connections from “winlogon.exe,” particularly to port 80, are suspicious. This may result from the injected HTTP downloader function of BlackLotus connecting to a command-and-control (C2) server or performing network configuration discovery.
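The clues above translate directly into a host-side hunt. The following PowerShell script is an added example, not part of the article or of Microsoft’s guidance: it mounts the ESP with mountvol, checks for the leftover system32 staging directory, probes the Microsoft boot directory for files with outlier creation dates or an ERROR_SHARING_VIOLATION on open, reads the HVCI registry value, looks for the Defender-related Event ID 7023 entries and the Defender operational log, and lists live winlogon.exe TCP connections. Assumptions are labelled in the comments: the drive letter S: is assumed free, the creation-date outlier heuristic is the author’s own, and Event ID 5001 (real-time protection disabled) is taken from Microsoft Defender documentation rather than from this page.

```powershell
# Added hunting example (not the article's or Microsoft's code). Read-only: it
# mounts the ESP, inspects files, the registry and event logs, and unmounts.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Assumption: S: is an unused drive letter on this host.
    [string]$EspDrive = 'S:',
    # Filenames the article lists as protected by the BlackLotus kernel driver.
    [string[]]$WatchedFiles = @('winload.efi')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Mount the EFI System Partition (mountvol <letter> /S) for inspection.
mountvol $EspDrive /S | Out-Null
try {
    $bootDir = Join-Path $EspDrive 'EFI\Microsoft\Boot'

    # 2. Staging directory: ESP:/system32/ survives installation even though
    #    the files once inside it are deleted.
    $staging = Join-Path $EspDrive 'system32'
    if (Test-Path $staging) { $findings.Add("Staging directory present: $staging") }

    # 3. Bootloader files: outlier creation dates, watched names, locked files.
    $efiFiles = Get-ChildItem -Path $bootDir -File -Filter *.efi -ErrorAction SilentlyContinue
    # Author's heuristic: the Microsoft bootloaders normally share one creation
    # date (setup/servicing); a file with a different date is worth a look.
    $common = $efiFiles | Group-Object { $_.CreationTime.Date } |
              Sort-Object Count -Descending | Select-Object -First 1
    foreach ($f in $efiFiles) {
        if ($common -and $f.CreationTime.Date -ne $common.Group[0].CreationTime.Date) {
            $findings.Add("Creation-time outlier: $($f.FullName) ($($f.CreationTime))")
        }
        if ($WatchedFiles -contains $f.Name) {
            $findings.Add("Watched bootloader name present in ESP: $($f.FullName)")
        }
        # Probe for ERROR_SHARING_VIOLATION: the low 16 bits of the HRESULT
        # carry the Win32 error code, and 32 is ERROR_SHARING_VIOLATION.
        try {
            $h = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
            $h.Dispose()
        } catch [System.IO.IOException] {
            if (($_.Exception.HResult -band 0xFFFF) -eq 32) {
                $findings.Add("Locked bootloader file (sharing violation): $($f.FullName)")
            }
        }
    }

    # 4. Registry: HVCI turned off by setting Enabled to 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvci = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($hvci -and $hvci.Enabled -eq 0) { $findings.Add("HVCI disabled in registry: $key Enabled=0") }

    # 5. Event logs: unexpected Defender service termination (System, ID 7023)
    #    and the Defender operational log. ID 5001 = real-time protection
    #    disabled, per Microsoft Defender documentation (not named on the page).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023 } -MaxEvents 100 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Defender*' } |
        ForEach-Object { $findings.Add("Event 7023 (Defender service terminated) at $($_.TimeCreated)") }
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Defender real-time protection disabled at $($_.TimeCreated)") }

    # 6. Network: winlogon.exe should not hold outbound TCP connections at all;
    #    port 80 is the case the article calls out.
    $winlogonPids = @(Get-Process -Name winlogon -ErrorAction SilentlyContinue | ForEach-Object Id)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $winlogonPids -contains $_.OwningProcess } |
        ForEach-Object {
            $tag = if ($_.RemotePort -eq 80) { ' [port 80]' } else { '' }
            $findings.Add("winlogon.exe (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort)$tag")
        }
}
finally {
    # Always release the ESP mount, even if a check throws.
    mountvol $EspDrive /D | Out-Null
}

if ($findings.Count -eq 0) { 'No BlackLotus artifacts found on this host.' } else { $findings }
```

Run it from an elevated session on a single host and feed the output to your SIEM or case notes. Each check is independent, so a hit on one clue (for instance a sharing violation on a file in the boot directory) is a reason to image the ESP for offline analysis rather than a verdict on its own, and an empty result only covers the artifacts the article names.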
To minimize the risk of BlackLotus infections, organizations should follow these best practices:
- Adhere to the Principle of Least Privilege: Limit user access to the minimum required for job functions. Avoid using domain-wide administrative accounts and maintain proper credential hygiene. By restricting local admin privileges, organizations can reduce the risk of remote access trojans (RATs) and unauthorized applications.
- Implement Defense-in-Depth Strategies: Preventing BlackLotus deployment requires a multi-layered approach, including detecting and preventing threats at different stages of a potential attack:
  - Monitor for initial access attempts, such as phishing or perimeter device compromise.
  - Detect compromise of user or service account credentials.
  - Identify lateral movement using unauthorized accounts or remote access software.
  - Detect escalation to domain or local administrative privileges.
  - Monitor for the creation of malicious files, including BlackLotus installers or EFI files.
- Update Antimalware Products: Keep antimalware software current to detect emerging threats. For Microsoft Defender Antivirus users, enabling automatic updates provides protection. Enterprise customers should deploy detection build 383.1029.0 or newer across their environments.