Subj : Microsoft gives tips on spotting this undetectable malware
To   : All
From : TechnologyDaily
Date : Thu Apr 13 2023 12:15:03

Microsoft gives tips on spotting this undetectable malware

Date: Thu, 13 Apr 2023 11:00:19 +0000

Description: The BlackLotus UEFI bootkit might be dangerous and stealthy, but Microsoft shows there are ways to find and remove it.

FULL STORY
======================================================================

Microsoft shows there are ways IT teams can detect an invisible and stubbornly persistent piece of malware called BlackLotus, as the Redmond giant publishes detailed guidance on defending against the UEFI bootkit.

BlackLotus is a sophisticated bootkit that targets the Unified Extensible Firmware Interface (UEFI), the firmware that initializes the hardware and starts the operating system on practically every modern computer. Because it runs before the operating system, the malware can disable antivirus protections, or simply keep operating underneath security solutions that believe they are running normally. It also means the malware survives a reinstall of the operating system, as long as the EFI system partition it lives on is left untouched.

Spotting the malware

Threat actors usually deploy BlackLotus by leveraging a Secure Boot bypass tracked as CVE-2022-21894. The malware is on sale on dark web forums for roughly $5,000, BleepingComputer reports, with rebuilds available for roughly $200. Running below the operating system makes it very hard to detect and remove. However, with Microsoft's guidance, it should be somewhat easier.
As per the report, analyzing these artifacts can help determine whether a system has been infected with the BlackLotus UEFI bootkit:

  - Recently created and locked bootloader files
  - Presence of a staging directory used during the BlackLotus install in the ESP:/ filesystem (the EFI system partition)
  - Registry key modification for Hypervisor-protected Code Integrity (HVCI)
  - Network logs
  - Boot configuration logs
  - Boot partition artifacts

To clean a device from a BlackLotus compromise, one must remove it from the network and reinstall it with a clean operating system and EFI partition, the researchers instruct. Alternatively, it can be restored from a clean backup that includes an EFI partition.

It's also worth mentioning that threat actors need to leverage a specific vulnerability, CVE-2022-21894, to deploy BlackLotus. Installing the patch which addresses this vulnerability can help protect the device from future infections. One caveat a practitioner should keep in mind: the patch only replaces the bootloader binaries on the disk, and the bootkit is known to carry its own copies of the older, vulnerable ones, so the device is protected against this path only once those older binaries are also revoked (no longer trusted by Secure Boot) on the machine.

Finally, as the company says: "Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications."

Via: BleepingComputer
======================================================================
Link to news story: https://www.techradar.com/news/microsoft-gives-tips-on-spotting-this-undetectable-malware

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
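As an added example (not code from the article, from Microsoft's guidance, or from BleepingComputer), the PowerShell script below runs the host-side checks from the artifact list in the story: recently created bootloader files on the EFI system partition, bootloader files that are held open (locked), an unexpected staging directory on the ESP, and the HVCI registry value, plus the Secure Boot state and a boot configuration dump for context. It assumes that it runs elevated, that drive letter S: is free to mount the ESP on, that "recent" means the last 30 days, and that the staging directory is named "system32"; that name comes from public analyses of the bootkit, not from this article, so treat it as a placeholder. Network and boot logs are left to whatever log platform the team already uses.

```powershell
#Requires -RunAsAdministrator
# Added triage script for the BlackLotus artifacts named in the article.
# Assumptions: S: is a free drive letter, "recent" = 30 days, and the staging
# directory name below is taken from public reporting, not from this article.
param(
    [string]$EspLetter  = 'S:',
    [int]$RecentDays    = 30,
    [string[]]$SuspectDirs = @('system32')   # assumed name; adjust to your threat intel
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Mount the EFI System Partition so its contents can be inspected.
mountvol $EspLetter /S | Out-Null
if (-not (Test-Path "$EspLetter\EFI")) {
    throw "Could not mount the ESP at $EspLetter"
}

try {
    $bootDir = Join-Path $EspLetter 'EFI\Microsoft\Boot'
    $cutoff  = (Get-Date).AddDays(-$RecentDays)

    # 2. Bootloader files created recently anywhere under \EFI.
    Get-ChildItem -Path "$EspLetter\EFI" -Recurse -Filter '*.efi' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object { $findings.Add("Recent bootloader file: $($_.FullName) (created $($_.CreationTime))") }

    # 3. Locked bootloader files: an exclusive open fails if something holds the
    #    file open. Legitimate boot files are not normally held open by anything.
    Get-ChildItem -Path $bootDir -Filter '*.efi' -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            $fs = [System.IO.File]::Open($_.FullName, [System.IO.FileMode]::Open,
                                         [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
            $fs.Close()
        } catch {
            $findings.Add("Locked bootloader file: $($_.FullName) ($($_.Exception.Message))")
        }
    }

    # 4. Staging directory at the ESP root (name is an assumption, see above).
    foreach ($d in $SuspectDirs) {
        $p = Join-Path $EspLetter $d
        if (Test-Path $p) { $findings.Add("Unexpected ESP directory: $p") }
    }
} finally {
    # Always unmount, even if one of the checks throws.
    mountvol $EspLetter /D | Out-Null
}

# 5. HVCI registry value: the bootkit turns hypervisor-protected code integrity off.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $hvci) {
    $findings.Add("HVCI value not present (never configured): $hvciKey")
} elseif ($hvci.Enabled -eq 0) {
    $findings.Add("HVCI disabled via registry (Enabled=0): $hvciKey")
}

# 6. Secure Boot state for context; the bootkit is built to run with it enabled.
try {
    $findings.Add("Secure Boot enabled: $(Confirm-SecureBootUEFI)")
} catch {
    $findings.Add("Secure Boot state unavailable: $($_.Exception.Message)")
}

# 7. Boot configuration dump, to be reviewed next to the boot configuration logs.
$bcd = bcdedit /enum all 2>&1
$findings.Add("BCD entries found: $(($bcd | Select-String -Pattern '^identifier').Count)")
$bcd | Out-File -FilePath "$env:TEMP\bcd-enum.txt"

$findings | ForEach-Object { Write-Output $_ }
```

Run it elevated on the suspect host and compare the output with a known-clean machine of the same build; a recent creation time on bootmgfw.efi alone may just be a Windows update, so the file list, the lock check and the HVCI value are meant to be read together rather than as single indicators.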