BlackLotus Malware Evades Detection

malware

BlackLotus is a piece of malware that is reportedly up for sale on the dark web. The malware has unusually impressive capabilities that make it seem more like a tool that a state-sponsored threat actor would use, and not something you will see on the rig of a script kiddie.

According to the advertisement put up on a hacking forum on the dark web, BlackLotus is a UEFI bootkit. This means the malware operates at a very low level: it inserts itself into the boot process before the operating system is loaded, so it is already running by the time the OS starts.

BlackLotus can reportedly implant itself within the system's firmware components, effectively making it part of the system. Because most antivirus software is loaded only after the OS kernel, a bootkit that runs before the kernel is hidden from the vast majority of such products.
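A bootkit that runs before the OS cannot be caught by the usual post-boot antivirus, so a defender's first questions are whether the firmware is enforcing Secure Boot and what the firmware boot entries look like. The script below is an added example written for this article, not code from the original page or from anyone associated with BlackLotus; it uses only standard Windows cmdlets and tools (`Confirm-SecureBootUEFI`, `bcdedit`, `Get-MpComputerStatus`) and assumes it is run in an elevated PowerShell session on a UEFI-based Windows machine.

```powershell
# Added example: baseline checks relevant to UEFI bootkit risk.
# Assumes an elevated PowerShell session on a UEFI Windows system.

function Get-BootSecurityBaseline {
    $result = [ordered]@{}

    # 1. Is Secure Boot enforced by the firmware?
    #    Confirm-SecureBootUEFI throws on legacy BIOS systems, so catch that case.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBootEnabled = $null   # not a UEFI system, or query not supported
    }

    # 2. Firmware boot entries: unexpected entries or paths are worth a closer look.
    #    bcdedit needs administrator rights; the raw text is kept for the analyst.
    $result.FirmwareBootEntries = (bcdedit /enum firmware 2>&1) -join "`n"

    # 3. Defender state, since the advertisement claims the tool disables it.
    $mp = Get-MpComputerStatus
    $result.DefenderAntivirusEnabled   = $mp.AntivirusEnabled
    $result.DefenderRealTimeProtection = $mp.RealTimeProtectionEnabled

    return [pscustomobject]$result
}

# Run the checks and flag the conditions a defender cares about.
$baseline = Get-BootSecurityBaseline
$baseline | Format-List

if ($baseline.SecureBootEnabled -ne $true) {
    Write-Warning "Secure Boot is not enforced; firmware-level tampering would not be blocked at boot."
}
if (-not $baseline.DefenderRealTimeProtection) {
    Write-Warning "Defender real-time protection is off; verify this is an intentional configuration."
}
```

The output is a starting point for an investigation, not a verdict: a clean Secure Boot status and normal boot entries reduce the risk, while an unexplained firmware entry or a silently disabled Defender is the kind of change that merits escalation to a firmware-level review.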

BlackLotus is sold as a one-time purchase for the sum of $5000. The malware's authors claim that their tool achieves Ring 0, that is, kernel-level access. Assuming this is true, BlackLotus will be both incredibly difficult to detect and nearly impossible to remove.

The authors further boast that their tool can shut off Windows Defender and includes anti-debugging capabilities to keep malware scanners from picking up its presence once deployed.

October 24, 2022