#ESETResearch analyze first in-the-wild UEFI bootkit bypassing UEFI Secure Boot even on fully updated Windows 11 systems. Its functionality indicates it is the #BlackLotus UEFI bootkit, for sale on hacking forums since at least Oct 6, 2022. @smolar_mwelivesecurity.com/2023/03/01/bla… 1/11
BlackLotus brings legit but vulnerable binaries to the victim’s system (#BYOVD) to exploit #CVE-2022-21894 and bypass UEFI Secure Boot on up-to-date Windows systems. In some samples, these binaries are downloaded directly from the MS Symbol Store. cve.mitre.org/cgi-bin/cvenam… 2/11
Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible by bringing vulnerable drivers to the system, as the affected binaries have still not been added to the UEFI revocation list. msrc.microsoft.com/update-guide/e… 3/11
After exploitation, the bootkit’s persistence is set up by: 1. Enrolling attacker’s own self-signed public key certificate (MOK key) to the MokList NVRAM variable. 2. By using legitimate Microsoft-signed shim to load the bootkit - a UEFI app signed by that enrolled key. 4/11
Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit against removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads. 5/11
The following files – deployed to the \EFI\Microsoft\Boot folder on EFI System partition by the BlackLotus installer – are protected against removal by the BlackLotus kernel driver: winload.efi, grubx64.efi and bootmgfw.efi. 6/11
Additionally, BlackLotus can disable built-in Windows security protections such as Hypervisor-protected Code Integrity (HVCI), BitLocker, Windows Defender, and bypass User Account Control (UAC). 7/11
Interestingly, the code decrypts but never uses various strings – including a message for the well-known security researcher @hasherezade, or just some random quotes – e.g, from the @UnderTale RPG game. 8/11
Although we believe this is the BlackLotus bootkit, we found no reference to that name in the samples we analyzed. Instead, some of the bootkit’s components’ names and self-signed certificate refer to the Higurashi When They Cry anime series. en.wikipedia.org/wiki/Higurashi… 9/11
For more technical details about the BlackLotus UEFI bootkit, CVE-2022-21894 exploitation, and BlackLotus mitigation tips, read our blogpost: BlackLotus UEFI bootkit: Myth confirmed. welivesecurity.com/2023/03/01/bla… 10/11
#ESETResearch analyzed a new #MustangPanda backdoor. Its C&C communications is done over #MQTT using the open-source QMQTT library, so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the PE. welivesecurity.com/2023/03/02/mqs… 1/5
A sample of MQsTTang was identified by @Unit42_Intel on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker 3.228.54.173. This has the benefit of hiding their actual C&C servers from victims and analysts.
While #infostealer detections trended downwards in 2022, decreasing by 10% in #ESET telemetry, #banking malware doubled in numbers YoY. #ESETresearch 1/4
This phenomenon was caused by the prevalence of the web skimmer JS/Spy.Banker, also known as #Magecart. Throughout the year, it consistently accounted for about three-fourths of banking malware detections. It was also the third most detected infostealer overall in T3 2022. 2/4
Despite its prevalence, Magecart wasn’t the only banking malware to stand out this time: LATAM banking trojans had a strong end of the year; the detections of #Grandoreiro, #Casbaneiro, #Mekotio, and several others spiked significantly in T3. 3/4
👏 Proofpoint for this blogpost on #TA866. @ESETResearch have been tracking this group for a while and we assess with medium confidence that TA866 and #AsylumAmbuscade are the same group. 1/4
In their February 2022 espionage campaign, attackers delivered a LUA downloader that installed #AHKBOT / #SunSeed AutoHotkey, the same implant used in recent crimeware campaigns. 2/5
Targets included several European Ministries of Foreign Affairs and other organizations related to the Russia-Ukraine war. 3/5 proofpoint.com/us/blog/threat…
#ESETesearch discovered Dolphin, a sophisticated backdoor extending the arsenal of the #ScarCruft APT group. Dolphin has a wide range of spying capabilities and is deployed on selected targets only. welivesecurity.com/2022/11/30/who… 1/6
The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT, previously reported by Volexity and Kaspersky. 2/6
While BLUELIGHT performs basic reconnaissance, Dolphin actively searches the drives of compromised systems for files of interest and exfiltrates them to Google Drive. Its other capabilities include keylogging, taking screenshots and stealing credentials from browsers. 3/6
#ESETResearch discovered an ongoing Android RAT campaign that uses #FIFAWorldCup in Qatar🇶🇦 as a lure and already infected over 750 devices. It spreads via Facebook page linking to a website distributing the RAT. Downloaded RAT also offers World Cup news and live broadcasts 1/4
The RAT has extensive capabilities like exfiltrating SMS, call logs, contact list, photos, clipboard, files with particular extensions, record phone calls, take pictures, etc. Exfiltrated data is encrypted and uploaded to attacker’s server. 2/4
IoCs:
Distribution website: kora442[.]com
C&C server: firebasecrashanalyticz[.]com
APK hash: 60B1DA6905857073C4C46E7E964699D9C7A74EC7
ESET detection: Android/Spy.Agent.BOC 3/4
On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9
@_CERT_UA Its authors make multiple references to Monsters, Inc., the 2001 movie by Pixar. The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. 2/9
@_CERT_UA The executable file is also named Sullivan.<version?>.exe and references are present in the code as well. 3/9