Microsoft posts guide for Windows Secure Boot, Defender, VBS
Last month, WeLiveSecurity, the security research wing of ESET anti-malware solutions, released its report on the BlackLotus security vulnerability.
If you aren't aware, BlackLotus is a UEFI bootkit, and what makes this malware particularly dangerous is its ability to bypass Secure Boot even on fully updated Windows 11 systems. Besides that, BlackLotus also modifies the registry to disable Hypervisor-protected Code Integrity (HVCI), which is a Virtualization-based Security (VBS) feature, and it disables BitLocker encryption as well. It also disables Windows Defender by manipulating the Early Launch Anti-Malware (ELAM) driver and the Windows Defender file system filter driver. The ultimate purpose is to deploy an HTTP downloader which delivers the malicious payloads.
Although the security vulnerability dubbed "Baton Drop" (CVE-2022-21894) was patched a year ago, it is still exploited because the signed binaries have not yet been added to the UEFI revocation list. In recently published guidance, Microsoft has summarized the malicious activities BlackLotus carries out after it has managed to infect a system:
In its guidance, the tech giant has covered, in detail, the techniques to determine if the devices in an organization are infected, as well as recovery and prevention strategies. You can read it on Microsoft's official website.