Microsoft gives tips on spotting this undetectable malware


Microsoft says IT teams can detect an "invisible" and stubbornly persistent piece of malware called BlackLotus, as the Redmond giant publishes detailed guidance on hunting for and defending against the UEFI bootkit.

BlackLotus is a UEFI bootkit: sophisticated malware that targets the Unified Extensible Firmware Interface (UEFI), the firmware that initialises a modern PC's hardware and hands control to the operating system's bootloader.

Because it runs before the operating system loads, the bootkit can tamper with OS security from below: it can switch off protections such as Hypervisor-protected Code Integrity (HVCI) and antivirus defences, and it keeps control even once those security tools are up and running. It also survives a reinstallation of the operating system, because it lives in the EFI system partition (ESP) rather than on the Windows volume; only wiping that partition, or replacing the disk it sits on, removes it.

Spotting the malware

Threat actors deploy BlackLotus by exploiting CVE-2022-21894, a Secure Boot bypass in a signed Windows boot manager, so the bootkit can run even with Secure Boot enabled. The malware is on sale on dark web forums for roughly $5,000, BleepingComputer reports, with rebuilds available for roughly $200.

All of this makes it very hard to detect and remove. However, with Microsoft's guidance it should be somewhat easier. According to the guidance, analysing the following artifacts can help determine whether a system has been infected with the BlackLotus UEFI bootkit:

  • Recently created and locked bootloader files on the EFI system partition (the bootkit holds them open so they cannot be read or replaced)
  • Presence of a staging directory used during the BlackLotus install in the ESP:/ filesystem
  • Registry key modification that disables Hypervisor-protected Code Integrity (HVCI)
  • Network logs showing unexpected outbound connections from the boot-time components
  • Boot configuration logs
  • Boot partition artifacts
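The list above is a triage checklist rather than a tool, so here is an added example of how an administrator might check the first three items on a single Windows host from an elevated PowerShell prompt. This script is not Microsoft's and is not taken from its guidance; the ESP locations it looks at (a `system32` staging directory and the `.efi` files under `EFI\Microsoft\Boot`), the 30-day "recently changed" window and the drive letter used to mount the ESP are assumptions for illustration, and an empty result does not prove the host is clean.

```powershell
# Added example (not Microsoft's script): triage a Windows host for the
# BlackLotus ESP and registry artifacts listed above. Run elevated.
# Assumed paths: ESP:\system32 (staging dir) and ESP:\EFI\Microsoft\Boot\*.efi.

$findings = @()
$esp      = 'S:'          # assumption: a free drive letter for the ESP
$cutoff   = (Get-Date).AddDays(-30)   # assumption: "recent" means 30 days
$mountedHere = $false

# 1. Mount the EFI System Partition. "mountvol <letter> /S" mounts the ESP.
if (-not (Test-Path "$esp\")) {
    & mountvol $esp /S
    if ($LASTEXITCODE -ne 0) { throw "Could not mount the ESP on $esp" }
    $mountedHere = $true
}

try {
    $bootDir = Join-Path $esp 'EFI\Microsoft\Boot'
    $efiFiles = Get-ChildItem -Path $bootDir -Filter '*.efi' -File -ErrorAction SilentlyContinue

    # 2. Recently created or modified bootloader files. A healthy ESP only
    #    changes during Windows servicing, so compare against a trusted window.
    foreach ($f in $efiFiles) {
        if ($f.CreationTime -gt $cutoff -or $f.LastWriteTime -gt $cutoff) {
            $findings += "Recently changed bootloader file: $($f.FullName) (created $($f.CreationTime))"
        }
    }

    # 3. Locked bootloader files. An exclusive open (FileShare None) fails with
    #    a sharing violation or access denied when the bootkit is holding the file.
    foreach ($f in $efiFiles) {
        try {
            $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'None')
            $fs.Close()
        } catch [System.IO.IOException] {
            $findings += "Locked bootloader file: $($f.FullName) ($($_.Exception.Message))"
        } catch [System.UnauthorizedAccessException] {
            $findings += "Locked bootloader file: $($f.FullName) ($($_.Exception.Message))"
        }
    }

    # 4. Staging directory left behind by the installer (assumed path).
    $staging = Join-Path $esp 'system32'
    if (Test-Path $staging) {
        $findings += "Staging directory present on ESP: $staging"
    }
} finally {
    # Only unmount what this script mounted.
    if ($mountedHere) { & mountvol $esp /D | Out-Null }
}

# 5. HVCI registry value. BlackLotus turns HVCI off by setting Enabled to 0;
#    compare against the baseline your build process sets.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $hvci) {
    $findings += "HVCI key or Enabled value missing: $hvciKey"
} elseif ($hvci.Enabled -eq 0) {
    $findings += "HVCI disabled in registry ($hvciKey\Enabled = 0)"
}

# Report. No findings is not proof of a clean host; pair this with the
# network and boot-configuration log review described above.
if ($findings.Count -eq 0) {
    Write-Output 'No BlackLotus artifacts found by this check.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it against a known-good reference image first, because Windows servicing legitimately rewrites the boot files and some hardened builds deliberately set the HVCI value; the point is to compare a suspect host against your own baseline, not against a fixed list.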

To clean a compromised device, Microsoft advises removing it from the network and reinstalling it with a clean operating system and a clean EFI partition. Alternatively, it can be restored from a known-clean backup that includes the EFI partition; reinstalling Windows alone is not enough, because the bootkit sits outside the Windows volume.

It's also worth mentioning that threat actors need to leverage a specific vulnerability, CVE-2022-21894, to deploy BlackLotus. Installing the patch that addresses this vulnerability helps protect the device from future infections, though it is not a complete defence on its own: the patch removes the vulnerable boot manager from the system, but the old signed binaries were not revoked at the time, so an attacker who already has administrative rights can still bring a vulnerable copy along with the bootkit.

Finally, as the company says: “Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications”.

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
