win.blacklotus

BlackLotus


There is no description at this point.

References
2023-05-29 — kn0s-organization
@online{kn0sorganization:20230529:blacklotus:a73a7a0, author = {kn0s-organization}, title = {{BlackLotus stage 2 bootkit-rootkit analysis}}, date = {2023-05-29}, url = {https://kn0s-organization.gitbook.io/blacklotus-analysis-stage2-bootkit-rootkit-stage/}, language = {English}, urldate = {2023-06-05} } BlackLotus stage 2 bootkit-rootkit analysis
BlackLotus
2023-04-11 — Microsoft — Microsoft Incident Response
@online{response:20230411:guidance:ddf000c, author = {Microsoft Incident Response}, title = {{Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign}}, date = {2023-04-11}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/}, language = {English}, urldate = {2023-04-18} } Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
BlackLotus
2023-03-09 — binarly — Aleksandr Matrosov
@online{matrosov:20230309:untold:ccb6198, author = {Aleksandr Matrosov}, title = {{The Untold Story of the BlackLotus UEFI Bootkit}}, date = {2023-03-09}, organization = {binarly}, url = {https://www.binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html}, language = {English}, urldate = {2023-03-20} } The Untold Story of the BlackLotus UEFI Bootkit
BlackLotus
2023-03-01 — ESET Research — Martin Smolár
@online{smolr:20230301:blacklotus:5ce99dc, author = {Martin Smolár}, title = {{BlackLotus UEFI bootkit: Myth confirmed}}, date = {2023-03-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/}, language = {English}, urldate = {2023-03-04} } BlackLotus UEFI bootkit: Myth confirmed
BlackLotus
Yara Rules
[TLP:WHITE] win_blacklotus_auto (20230407 | Detects win.blacklotus.)
rule win_blacklotus_auto {

    /* Purpose: autogenerated code-sequence signature for the Malpedia family
     * win.blacklotus. Ten hex byte sequences ($sequence_0 .. $sequence_9) are
     * defined below; the rule fires when at least 7 of them are present and
     * the scanned object is smaller than 181248 bytes (177 KiB).
     *
     * The REX prefixes in the sequences (0x40-0x4f, e.g. 48 / 4c / 4d / 41 / 45)
     * indicate x86-64 code. Per the DISCLAIMER below the sequences were taken
     * from memory dumps and unpacked files, so the rule is expected to match
     * unpacked code; a packed or otherwise transformed on-disk sample may not
     * trigger it — confirm coverage against your own samples before relying
     * on it as the sole detection.
     *
     * The meta block (version, malpedia_hash, malpedia_rule_date) identifies
     * this exact rule text; the rule body is left byte-identical here so those
     * identifiers stay valid.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.blacklotus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* NOTE(review): the per-byte "| mnemonic" annotations that follow each
     * sequence do NOT correspond to the bytes on the same line (they appear to
     * be shifted relative to the hex). Examples: `55` is annotated as
     * `je 0x1cc7` but 0x55 encodes `push rbp`; `4533c9` is annotated as
     * `xor edx, edx` but decodes to `xor r9d, r9d`; `48897820` is annotated as
     * `jb 0x1ce4` but decodes to `mov qword ptr [rax+0x20], rdi`. Only the hex
     * bytes are matched by YARA; treat the annotations as unreliable and
     * disassemble the bytes yourself when triaging a hit.
     *
     * `??` is a YARA hex-string wildcard. Every `e8????????` is a 0xE8 CALL
     * with its 4-byte rel32 target masked, and `8935????????` is a MOV with
     * its 4-byte displacement masked — presumably so that address/layout
     * differences between builds do not break the match.
     *
     * "n" is the number of instructions in the sequence; "score" is the
     * generator's ranking value (see the yara-signator repository above).
     */
    strings:
        $sequence_0 = { 40383c08 7406 4080ffcc 750a ffc2 49ffc3 413bd0 }
            // n = 7, score = 100
            //   40383c08             | mov                 edx, ebx
            //   7406                 | dec                 eax
            //   4080ffcc             | mov                 dword ptr [esp + 0x20], edi
            //   750a                 | mov                 cl, 1
            //   ffc2                 | inc                 ebp
            //   49ffc3               | xor                 ecx, ecx
            //   413bd0               | dec                 eax

        $sequence_1 = { 2bc7 ffc8 0fb71443 6683fa7f 7604 6683ea60 }
            // n = 6, score = 100
            //   2bc7                 | or                  edx, 0xffffffff
            //   ffc8                 | inc                 ebp
            //   0fb71443             | xor                 ecx, ecx
            //   6683fa7f             | inc                 ebp
            //   7604                 | xor                 eax, eax
            //   6683ea60             | lea                 ecx, [edx + 3]

        $sequence_2 = { e8???????? b20d 408ace 8ad8 e8???????? b20b }
            // n = 6, score = 100
            //   e8????????           |                     
            //   b20d                 | movzx               ebx, byte ptr [eax + edx]
            //   408ace               | lea                 eax, [edx + 3]
            //   8ad8                 | inc                 edx
            //   e8????????           |                     
            //   b20b                 | movzx               edi, byte ptr [eax + edx]

        $sequence_3 = { 48897820 4863413c 4533c9 488bea 458bd1 8b740850 }
            // n = 6, score = 100
            //   48897820             | jb                  0x1ce4
            //   4863413c             | inc                 esp
            //   4533c9               | mov                 eax, eax
            //   488bea               | xor                 edx, edx
            //   458bd1               | dec                 ecx
            //   8b740850             | mov                 ecx, ecx

        $sequence_4 = { 75f2 4d8bc6 488d542430 488d4d30 e8???????? 492bfe }
            // n = 6, score = 100
            //   75f2                 | mov                 dword ptr [ebp - 0x54], 0xd2f3ff10
            //   4d8bc6               | mov                 dword ptr [ebp - 0x50], 0xec130ccd
            //   488d542430           | mov                 dword ptr [ebp - 0x4c], 0x1744975f
            //   488d4d30             | mov                 dword ptr [ebp - 0x59], 0x5048706c
            //   e8????????           |                     
            //   492bfe               | mov                 dword ptr [ebp - 0x55], 0xdab9edfd

        $sequence_5 = { 4d85c0 744d 458bd1 410fb64002 410fb65003 48c1e208 }
            // n = 6, score = 100
            //   4d85c0               | dec                 eax
            //   744d                 | test                eax, eax
            //   458bd1               | js                  0xebe
            //   410fb64002           | lea                 eax, [ecx - 0x60]
            //   410fb65003           | movzx               edx, al
            //   48c1e208             | dec                 eax

        $sequence_6 = { b209 408ace 8ad8 e8???????? b20d }
            // n = 5, score = 100
            //   b209                 | jae                 0xb55
            //   408ace               | inc                 ebp
            //   8ad8                 | movzx               eax, cx
            //   e8????????           |                     
            //   b20d                 | inc                 edx

        $sequence_7 = { 4c8d4c2440 4c8bc0 488d0de6340000 e8???????? 85c0 }
            // n = 5, score = 100
            //   4c8d4c2440           | inc                 ecx
            //   4c8bc0               | sub                 eax, edx
            //   488d0de6340000       | inc                 ecx
            //   e8????????           |                     
            //   85c0                 | inc                 edx

        $sequence_8 = { 480fbfc6 488d3d41100100 b9e8030000 8935???????? }
            // n = 4, score = 100
            //   480fbfc6             | lea                 eax, [ecx + 2]
            //   488d3d41100100       | inc                 edx
            //   b9e8030000           | mov                 byte ptr [eax + edx], bl
            //   8935????????         |                     

        $sequence_9 = { 48897010 48897818 4c897020 55 488d68c8 4881ec30010000 4c8bd1 }
            // n = 7, score = 100
            //   48897010             | jb                  0x1dd1
            //   48897818             | inc                 ebp
            //   4c897020             | test                eax, eax
            //   55                   | je                  0x1cc7
            //   488d68c8             | dec                 eax
            //   4881ec30010000       | mov                 ebx, ecx
            //   4c8bd1               | dec                 eax

    condition:
        // At least 7 of the 10 sequences above must be present, and the
        // scanned object must be smaller than 181248 bytes (177 KiB). The
        // size bound cuts false positives on large files but also means a
        // larger dump or container holding the same code will not match.
        7 of them and filesize < 181248
}