|
|
|
|
|
|
by shakna
1201 days ago
|
|
|
> At this point, we have not been able to identify, from our telemetry, the exact distribution channel used to deploy the bootkit to victims. The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. [0] Right now, we don't know how it gets its way to the target. But, we do know that it comes in the form of an installer, which then requires a system reboot to enable persistence, and then another reboot to do its actual job. > In all subsequent boots, the self-signed UEFI bootkit is executed and deploys both its kernel driver and user-mode payload, the HTTP downloader. Together, these components are able to download and execute additional user-mode and driver components from the C&C server and protect the bootkit against removal [0] https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bo... |
|
|