BlackLotus malware bypasses Windows Secure Boot: Tips to maximize security

Aiden Ramirez

Mar 14, 2023

9 min read

I was having my regular morning coffee when I heard the news that a stealthy malware capable of compromising the Windows Secure Boot feature is out there now. The Secure Boot feature is considered a formidable fortress for Windows-operated systems, designed to protect against boot-time malware and other threats. Hence, the emergence of a malware that can bypass Windows Secure Boot and hijack a computer’s boot process is definitely a cause for concern.

It was the researchers from ESET, a Slovak cybersecurity company that announced the first-ever instance of malware that can bypass Secure Boot and other advanced protections in even the fully updated versions of Windows. The malware, called BlackLotus, is essentially a UEFI(Unified Extensible Firmware Interface) bootkit. For starters, a UEFI bootkit is something that is capable of infecting a computer with shadowy malware that runs in the user mode or kernel mode. It is also capable of disabling the security mechanisms of the operating system. However, is there something we can do to ensure our computer systems don’t fall prey to such malware? Yes. The good news is, there are a few steps you can take to maximize the security of our computer systems.

Stay ahead of the security game with Hexnode

Before we jump directly into all that, let’s take a closer look at the elephant (or elephants) in the room- Windows Secure Boot, and BlackLotus malware.

Secure Boot: An impenetrable barrier or a false sense of security?

The Secure Boot feature is an addition given to Microsoft Windows versions 8 and above. This security standard helps to ensure that a device boots using only Original Equipment Manufacturer (OEM) trusted software. This protocol prevents malicious rootkits and bootkits from being run at computer start-up. Only the software which is digitally signed and certified can only pass through Secure Boot. Think of it as a security guard, who only lets authorized individuals into the building by checking their ID cards.

Moreover, the Secure Boot protocol lies within UEFI BIOS. It is the first thing to run when you turn on your computer. This attribute makes it a favorable target for attackers, who aim to control the security mechanisms of an operating system.

Although there haven’t been any declarations stating exploits in Secure Boot until now, researchers had found multiple vulnerabilities surrounding the same. One of the latest and most popular ones was termed Baton Drop, which surfaced in August 2022. This vulnerability can be exploited to remove Secure Boot functions from the boot sequence. So, to answer the question, Secure Boot is not totally impenetrable to all attacks.

Unified Extensible Firmware Interface

Unified Extensible Firmware Interface (UEFI), like BIOS (Basic Input Output System), connects a computer’s firmware to its operating system. Secure Boot, as we discussed earlier, is a security protocol within UEFI. This modern solution is expected to replace BIOS, as it offers enhanced performance and security.

During the Power-On Self-Test (POST), UEFI scans all the EFI system partitions (ESP) to find one to boot from. Once it finds the right partition, it directly loads the operating system. If it fails to find one, it goes back to the traditional ‘legacy boot’ procedure.

The mechanics behind BlackLotus UEFI bootkit

The  BlackLotus bootkit capitalizes on the vulnerability CVE-2022-21894 (Baton Drop) which gives the attacker control over the early phase of system start-up. It has the capability of installing itself onto the EFI System Partition (ESP) of the victim device. ESP is a partition on the hard drive that is used to store the bootloader and other files that are required for booting the operating system.

Once the installer finishes deploying all the files to the ESP, it then disables HVCI (Hypervisor-protected Code Integrity – a security feature that protects against code injection and other types of kernel-level attacks), and BitLocker and reboots the device. After completing these two steps, the installer can disable the Secure Boot feature and tamper with the boot process.

Although Microsoft patched the CVE-2022-21894 vulnerability in January 2022, they haven’t yet added the vulnerable signed binaries to the UEFI revocation list. This can be justified since there are hundreds of vulnerable bootloaders that remain in use today. Revoking them will cause millions of computers to stop working, which can be even more disastrous.

When compared to other forms of exploit, such as firmware implant (where the implant is done directly into the UEFI firmware and not on the ESP), a UEFI bootkit lets the attacker deploy the malware easily. This is because of the absence of BIOS Write Enable, BIOS Lock Enable, and SPI Protected Ranges in the ESP. The only security measure against a UEFI bootkit is Secure Boot. However, with the recently discovered vulnerabilities, the efficacy of Secure Boot is questionable.

BlackLotus malware: what more can it do?

Apart from disabling Windows Secure Boot, BlackLotus malware can also be used to obtain keys for BitLocker. This puts you at risk of losing your data to unwanted personnel in the event of device theft. BlackLotus is also capable of disabling Windows Defender, which is a key security feature in Windows.

BlackLotus malware is also capable of gaining persistence within the system, meaning it begins execution each time you start the device. It does this by registering its own Machine Owner Key (MOK) within the NVRAM. By doing this, it can use a shim loader, which is signed by various Linux distributors, for loading its UEFI bootkit (signed by the MOK) to persist on the firmware rather than having to exploit the vulnerability in every boot.

Once fully installed, the bootkit deploys a custom kernel driver that makes the bootkit irremovable from the ESP. It also installs an HTTP downloader that communicates with the command-and-control (C&C) server operated by the attacker and can execute payloads received from the C&C.

Hunting for weaknesses

Although BlackLotus malware is a nearly undetectable malware having kernel-level access, it is not invincible. The Achilles heel of BlackLotus, as you may call it, is the requirement of having administrator system rights. Its installer requires admin privileges to deploy the rest of the files to the ESP and bypass the security hurdles.

Threat actors will have at least a few tricks up their sleeves to gain admin rights in a system. The priority of IT admins should be to prevent any attempts by threat actors to gain admin privileges.

Featured resource

Cybersecurity kit

This resource kit will help your company adopt the right cybersecurity strategy to secure your business.


The popular ways in which hackers attempt to gain admin rights are by exploiting other vulnerabilities in the operating system or apps, or by installing malware into the system by tricking the user. Other than these, there are more sneaky ways such as obtaining remote access to the system. Attackers gain remote access by exploiting vulnerabilities in remote desktop protocols or VPN software.

Manually ensuring that there are no pending security updates or harmful malware in any of the devices is not easy. This highlights the significance of having a more robust and automated security infrastructure in your organization.

Tips to unlock maximum security with Hexnode

Increasing security against a critical UEFI bootkit such as BlackLotus eventually comes down to preventing the admin credentials from falling into the wrong hands. You will have to nip the problem in the bud before it gets rampant. The most effective way to do this is by equipping your devices with a UEM solution like Hexnode. If you are not very familiar with what these solutions do, let me break them down for you. Here are some reasons why an attacker trying to gain admin rights will have a hard time dealing with a system equipped with Hexnode.

Enforcing password restrictions

You can enforce strong password restrictions on your devices with Hexnode. You surely don’t want your employees to have passwords such as ‘qwerty’ and ‘123456’. This puts a check on password-cracking attacks such as brute force attacks.

Custom app catalog

As explained above, social engineering attacks which include tricking the admin user to install malware onto the system is one of the favorite techniques of threat actors. However, if all the required applications are already available on the device, the end user wouldn’t even have to look for other sources to install the necessary applications. Through Hexnode’s app catalog feature, you can set up a custom app store in your end-user devices. This will enable the users to install the required applications anytime they want.

Blacklisting and whitelisting

Attackers may try to infiltrate your system by exploiting the vulnerabilities in the apps already installed by the admin. You can counter this in two ways. The first one is to test the app to its core for any vulnerabilities before deploying it to the devices. Secondly, you can use the blacklisting and whitelisting features available in Hexnode to restrict risky apps and allow only company-approved apps on your device.

Application whitelisting: The perfect middle-ground between security and productivity

Enhancing network security

Simply put, network security measures are shields against attackers gaining remote access to your systems. Through Hexnode’s custom script feature, you can configure inbound rules in Firewall remotely. you can configure Firewall rules to allow or block specific types of network traffic based on the source IP address, destination IP address, protocol, port number, and other parameters. By configuring firewall rules to block all incoming traffic except for specific trusted sources, you can reduce the risk of unauthorized remote access by attackers.

Keeping your systems updated

Microsoft publishes security patches now and then whenever they find any vulnerabilities in the operating system. Hence, making sure your systems are up to date with the latest OS versions is necessary to stay away from unwanted threats. Hexnode lets you have the flexibility of installing OS updates remotely by pushing the respective custom scripts. You can browse our script repository for a comprehensive collection of custom scripts that will fulfill all your requirements.

The final question- will the future be secure?

Attackers are finding more and more ways to cripple your systems. BlackLotus malware is just one among the long list of cyber threats that we can expect in the future. So, is the future secure? Yes, if you surround yourself with tools that protect you from unrelenting cyber threats. With Hexnode’s intelligent security suite, you can rest assured that you won’t miss a beat when it comes to ensuring your organization’s security.

Aiden Ramirez

Product Evangelist @ Hexnode. Hey Ferb, I know what we're gonna do today!

Share your thoughts