GitHub

BlackLotus Project Description

What is the project about?

BlackLotus is a sophisticated UEFI bootkit designed for Windows systems. It acts as an HTTP loader, establishing a persistent presence on infected devices.

What problem does it solve?

It provides a highly persistent and stealthy method for maintaining unauthorized access to a compromised system. It bypasses many standard security measures, making it difficult to detect and remove. It essentially solves the problem of maintaining access, even after reboots and typical antivirus scans.

What are the features of the project?

  • HVCI bypass: Bypasses Hypervisor-protected Code Integrity.
  • UAC bypass: Bypasses User Account Control.
  • Secure Boot bypass: Circumvents Secure Boot protections.
  • BitLocker boot sequence bypass: Bypasses BitLocker's boot sequence checks.
  • Windows Defender bypass: Disables Windows Defender by patching its drivers in memory.
  • Dynamic hashed API calls (hell's gate): Makes it harder to analyze the bootkit's behavior.
  • x86<=>x64 process injection: Allows injecting code into both 32-bit and 64-bit processes.
  • API Hooking engine: Allows intercepting and modifying API calls.
  • Anti-Hooking engine: Disables, bypasses, and controls Endpoint Detection and Response (EDR) systems.
  • Modular plugin system: Allows for extending functionality.
  • Small size: The compiled binary is only 80KB.
  • Secure HTTPS C2 communication: Uses RSA and AES encryption for communication with the command and control server.
  • Dynamic configuration: Allows for flexible configuration.

What are the technologies used in the project?

  • C: Primary programming language.
  • x86asm: Assembly language for low-level operations.
  • Windows API: Windows Application Programming Interface.
  • NTAPI: Native API.
  • EFIAPI: Extensible Firmware Interface API.
  • RSA and AES encryption: For secure communication.
  • EDK2: Used for compiling the EFI drivers.
  • Visual Studio: IDE.

What are the benefits of the project?

From the attacker's perspective (this is a malicious tool):

  • High persistence: Resides in the UEFI firmware, making it survive OS reinstalls.
  • Stealth: Bypasses common security measures, making it difficult to detect.
  • Control: Provides a powerful platform for executing malicious code and maintaining access.
  • Extensibility: The modular plugin system allows for adding new capabilities.

What are the use cases of the project?

  • Cyber espionage: Maintaining long-term, undetected access to target systems.
  • Data exfiltration: Stealing sensitive information.
  • System sabotage: Disrupting or damaging target systems.
  • Advanced Persistent Threat (APT) campaigns: Used as a component in sophisticated, long-term attacks.
  • Botnet Creation: Creating a network of infected machines.
BlackLotus screenshot