#ESETResearch analyze first in-the-wild UEFI bootkit bypassing UEFI Secure Boot even on fully updated Windows 11 systems. Its functionality indicates it is the #BlackLotus UEFI bootkit, for sale on hacking forums since at least Oct 6, 2022. @smolar_mwelivesecurity.com/2023/03/01/bla… 1/11
BlackLotus brings legit but vulnerable binaries to the victim’s system (#BYOVD) to exploit #CVE-2022-21894 and bypass UEFI Secure Boot on up-to-date Windows systems. In some samples, these binaries are downloaded directly from the MS Symbol Store. cve.mitre.org/cgi-bin/cvenam… 2/11
Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible by bringing vulnerable drivers to the system, as the affected binaries have still not been added to the UEFI revocation list. msrc.microsoft.com/update-guide/e… 3/11
After exploitation, the bootkit’s persistence is set up by: 1. Enrolling attacker’s own self-signed public key certificate (MOK key) to the MokList NVRAM variable. 2. By using legitimate Microsoft-signed shim to load the bootkit - a UEFI app signed by that enrolled key. 4/11
Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit against removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads. 5/11
The following files – deployed to the \EFI\Microsoft\Boot folder on EFI System partition by the BlackLotus installer – are protected against removal by the BlackLotus kernel driver: winload.efi, grubx64.efi and bootmgfw.efi. 6/11
Additionally, BlackLotus can disable built-in Windows security protections such as Hypervisor-protected Code Integrity (HVCI), BitLocker, Windows Defender, and bypass User Account Control (UAC). 7/11
Interestingly, the code decrypts but never uses various strings – including a message for the well-known security researcher @hasherezade, or just some random quotes – e.g, from the @UnderTale RPG game. 8/11
Although we believe this is the BlackLotus bootkit, we found no reference to that name in the samples we analyzed. Instead, some of the bootkit’s components’ names and self-signed certificate refer to the Higurashi When They Cry anime series. en.wikipedia.org/wiki/Higurashi… 9/11
For more technical details about the BlackLotus UEFI bootkit, CVE-2022-21894 exploitation, and BlackLotus mitigation tips, read our blogpost: BlackLotus UEFI bootkit: Myth confirmed. welivesecurity.com/2023/03/01/bla… 10/11
#ESETresearch identified two GREF campaigns targeting #Android users with @signalapp and @telegram apps trojanized into cyberespionage tools .
@LukasStefanko
Signal Plus Messenger and FlyGram were built by merging the BadBazaar espionage code, previously used to target #Uyghurs and other #Turkic minorities, into the respective base app’s code. 2/9
The purpose of both apps is data exfiltration. Signal Plus Messenger presents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device. 3/9
#ESETResearch warns about a CPIO archive named “Jump Crypto Investment ” uploaded to VirusTotal from the USA 🇺🇸. It is another malicious PDF viewer distributed by #Lazarus #APT for #macOS @pkalnai @michalmalik 1/7 Agreement.zip
@pkalnai @michalmalik The archive contains a fully functional – but malicious – PDF viewer, and a crafted “locked” PDF file. When the file is opened in the viewer, the malicious code is triggered. The functionality is very similar to the malware reported by @JamfSoftware. 2/7 jamf.com/blog/bluenorof…
@pkalnai @michalmalik @JamfSoftware First, the malicious PDF viewer decrypts a decoy document embedded inside the original PDF file, and displays it to the target. 3/7
#ESETResearch confirms Lazarus is linked to the recent #3CX supply-chain attacks. Based on code similarities and network infrastructure, we connect the 3CX incident with a Linux case of DreamJob, a long-term Lazarus operation using job offer as lures. 1/6 welivesecurity.com/2023/04/20/lin…
First, let’s look at the timeline. It shows that the trojanized macOS version of the 3CX Desktop App was ready two months prior to the distribution of the Windows version. Also interesting is that the attack was in preparation as early as December 2022. 2/6
It was reported that Mandiant has found Mac malware they call SIMPLESEA inside the 3CX network. While we do not have the sample, their description of this malware overlaps with second-stage Linux malware we found while investigating a recent Operation DreamJob case. 3/6
#ESETResearch discovered an attack by APT group Tick against a data-loss prevention (DLP) company in East Asia and found a previously unreported tool used by the group. welivesecurity.com/2023/03/14/slo…@0xfmz 1/6
In 2021, in the DLP company’s network, the attackers introduced trojanized installers of the legitimate application Q-dir, part of a toolkit used by the company. When executed, the installer dropped the open-source ReVBShell backdoor and ran the original Q-dir application. 2/6
Subsequently, in 2022, on customers of the DLP company’s software, the trojanized Q-dir installers were deployed using remote support tools. Our hypothesis is that this occurred while the DLP company provided technical support to their customers. 3/6
#ESETResearch analyzed a new #MustangPanda backdoor. Its C&C communications is done over #MQTT using the open-source QMQTT library, so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the PE. welivesecurity.com/2023/03/02/mqs… 1/5
A sample of MQsTTang was identified by @Unit42_Intel on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker 3.228.54.173. This has the benefit of hiding their actual C&C servers from victims and analysts.
While #infostealer detections trended downwards in 2022, decreasing by 10% in #ESET telemetry, #banking malware doubled in numbers YoY. #ESETresearch 1/4
This phenomenon was caused by the prevalence of the web skimmer JS/Spy.Banker, also known as #Magecart. Throughout the year, it consistently accounted for about three-fourths of banking malware detections. It was also the third most detected infostealer overall in T3 2022. 2/4
Despite its prevalence, Magecart wasn’t the only banking malware to stand out this time: LATAM banking trojans had a strong end of the year; the detections of #Grandoreiro, #Casbaneiro, #Mekotio, and several others spiked significantly in T3. 3/4