Microsoft shares guidance on detecting BlackLotus infection

Months after BlackLotus was revealed as a serious UEFI bootkit threat that is effectively invisible to the running operating system, Microsoft has published detailed guidance that investigators and sysadmins can use to spot the telltale signs of an infection.

According to Microsoft's guidance, researchers and administrators should look for evidence of a BlackLotus infection in parts of a Windows system that are normally out of sight. The warning indicators are: recently created and locked boot files on the EFI system partition, a staging directory left behind by the BlackLotus installer, a Registry change that disables Hypervisor-protected Code Integrity (HVCI), entries in the Windows event logs, and network and boot logs.

To analyze possible changes to the boot process, threat hunters must first mount the EFI system partition (ESP), which is hidden from normal Windows use. They should then compare the modification dates of the files in the ESP boot directory: the files the bootkit writes are newer than the rest, and they are kept locked by the BlackLotus kernel driver, so a file in that directory that is both recent and cannot be opened exclusively or removed is likely associated with the bootkit.

A BlackLotus infection can also be recognized by a "system32" folder at the root of the ESP, which is the staging directory the installer uses. BlackLotus additionally modifies the Windows Registry to disable HVCI and stops Microsoft Defender Antivirus from running. In the Windows event logs, the corresponding trace is a System-log event ID 7023 recording that the Defender real-time protection service was terminated "for an unknown reason." Neither indicator is conclusive on its own: the HVCI value only means something on a machine where HVCI was previously enabled, and event 7023 is logged for any service that stops unexpectedly, so both should be correlated with the ESP findings.

Outbound connections from winlogon.exe on port 80 are another sign of BlackLotus, since the bootkit injects an HTTP loader into that process to reach its command-and-control server or perform "network configuration discovery"; winlogon.exe has no legitimate reason to speak HTTP. Finally, comparing boot logs recorded before and after the bootkit became active shows two boot-stage binaries that were not present before: "grubx64.efi" and "winload.efi".
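The following PowerShell triage script is an added example, not code from Microsoft's guidance or from the TechSpot article. It runs the checks described above on a live host from an elevated session. Assumptions: S: is a free drive letter to mount the ESP on, and the HVCI switch is read from the standard DeviceGuard key that Windows uses to enable HVCI.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's or the article's code): triage the BlackLotus
# indicators described above. Assumes S: is free for mounting the ESP.

$EspDrive = 'S:'
$Findings = New-Object System.Collections.Generic.List[string]

# Opening with FileShare.None fails if another component (such as the bootkit's
# kernel driver) already holds the file open, which is how "locked" shows up.
function Test-FileLocked([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::None)
        $fs.Dispose()
        return $false
    } catch { return $true }
}

# --- 1. Mount the EFI System Partition (hidden from normal use) ---------------
mountvol $EspDrive /S
if ($LASTEXITCODE -ne 0) { throw "mountvol failed; is $EspDrive already in use?" }

try {
    $BootDir = "$EspDrive\EFI\Microsoft\Boot"

    # --- 2. Boot files, newest first, with lock state ------------------------
    $BootFiles = Get-ChildItem -Path $BootDir -File | Sort-Object LastWriteTime -Descending
    $BootFiles | Select-Object Name, LastWriteTime,
        @{ n = 'Locked'; e = { Test-FileLocked $_.FullName } } | Format-Table -AutoSize

    # Neither grubx64.efi nor winload.efi normally lives in this directory;
    # Microsoft names both as the files BlackLotus leaves here.
    foreach ($name in 'grubx64.efi', 'winload.efi') {
        $f = $BootFiles | Where-Object Name -eq $name
        if ($f) {
            $locked = Test-FileLocked $f.FullName
            $Findings.Add("$($f.FullName) present, modified $($f.LastWriteTime), locked=$locked")
        }
    }

    # --- 3. Installer staging directory at the ESP root ----------------------
    if (Test-Path "$EspDrive\system32") {
        $Findings.Add("$EspDrive\system32 exists (BlackLotus staging directory)")
    }
} finally {
    mountvol $EspDrive /D   # always unmount, even if a step above throws
}

# --- 4. HVCI switched off in the registry ------------------------------------
# Only meaningful on a host where HVCI had been enabled before.
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $HvciKey -Name Enabled -ErrorAction SilentlyContinue
if ($hvci -and $hvci.Enabled -eq 0) {
    $Findings.Add("HVCI Enabled=0 under $HvciKey")
}

# --- 5. Defender service terminated: System log, Service Control Manager 7023 --
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender' } |
    ForEach-Object {
        $Findings.Add("$($_.TimeCreated) event 7023: $($_.Message -replace '\s+', ' ')")
    }

# --- 6. winlogon.exe talking HTTP right now ----------------------------------
# Get-NetTCPConnection sees only current sockets; for history, check firewall or
# proxy logs, or Sysmon event ID 3 filtered on winlogon.exe.
Get-NetTCPConnection -RemotePort 80 -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName -eq 'winlogon' } |
    ForEach-Object {
        $Findings.Add("winlogon.exe (PID $($_.OwningProcess)) -> $($_.RemoteAddress):80 state $($_.State)")
    }

if ($Findings.Count -eq 0) {
    'No BlackLotus indicators found (absence of indicators is not proof of a clean host).'
} else {
    $Findings
}
```

Run it as Administrator on the suspect machine; the boot-file listing is printed in full so that an analyst can judge the modification-date gap themselves, and only the specific hits are collected in the findings list. Because a bootkit controls the boot chain before the kernel, a clean result from a live host is weaker evidence than examining the ESP offline from a trusted system.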

The sources for this piece include an article in TechSpot.
