Microsoft shares guidance on detecting BlackLotus infection

April 14, 2023

Microsoft is now offering thorough guidelines for investigators and sysadmins to spot telltale symptoms of an ongoing infection, months after the revelation of the serious “invisible” threat presented by BlackLotus.

According to Microsoft’s instructions, researchers and administrators must look for evidence of a BlackLotus infection in certain hidden portions of a Windows system. Recently generated and locked boot files, a staging directory used during the BlackLotus installation, Registry key modifications to deactivate the Hypervisor-protected Code Integrity (HVCI) capability, and network and boot logs are among the warning indicators.

To analyze possible boot process alterations, threat hunters must first mount the EFI system partition, which is normally hidden from ordinary Windows use. They must then examine the modification dates of the EFI files protected by the BlackLotus kernel driver, looking for discrepancies between older and more recent files, as the latter are likely to be associated with the bootkit infection.

A BlackLotus infection may also be found by looking for a “system32” folder under the EFI partition, which is where the malware installation begins. BlackLotus additionally updates the Windows Registry to deactivate HVCI, and the Defender antivirus software is no longer launched. Investigators can look for traces in the Windows Event Logs, such as a “ID 7023” event that occurs when the Defender real-time protection service is disabled “for an unknown reason.”

Outbound connections from winlogon.exe on port 80 can also indicate the presence of BlackLotus on the PC, since the bootkit’s injected HTTP loader attempts to connect to the command-and-control server or to perform “network configuration discovery.” When the bootkit is active, comparing boot logs reveals two new boot drivers (“grubx64.efi” and “winload.efi”).
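The checks described above, gathered into a read-only triage script as an added example (not Microsoft's own tooling and not code from the article); it assumes an elevated prompt, a free S: drive letter, a 14-day window for "recent" EFI files, and the standard Device Guard HVCI Registry value as the key the guidance refers to.

```powershell
# Added example: collect the BlackLotus indicators from the guidance on a live host.
# Assumptions: run elevated; S: is unused; "recent" means the last 14 days.
$EspDrive   = 'S:'
$RecentDays = 14
$findings   = @()

# 1. Mount the normally hidden EFI system partition (mountvol /S is built in).
mountvol $EspDrive /S | Out-Null

# 2. EFI boot files whose modification time stands out from the rest.
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem -Path "$EspDrive\EFI" -Recurse -Include *.efi -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object { $findings += "Recently modified EFI file: $($_.FullName) ($($_.LastWriteTime))" }

# 3. A "system32" staging directory anywhere on the ESP.
Get-ChildItem -Path "$EspDrive\EFI" -Recurse -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq 'system32' } |
    ForEach-Object { $findings += "Staging directory on ESP: $($_.FullName)" }

# 4. HVCI switched off in the Registry (standard Device Guard value; assumed key).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
if ($hvci -and $hvci.Enabled -eq 0) { $findings += "HVCI disabled via $hvciKey" }

# 5. Service Control Manager event 7023 mentioning Defender's real-time service
#    (loose match so localized messages still hit; first line of the message only).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender' } |
    ForEach-Object { $findings += "Event 7023 at $($_.TimeCreated): $($_.Message.Split("`n")[0])" }

# 6. winlogon.exe holding outbound TCP connections to port 80.
Get-NetTCPConnection -RemotePort 80 -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -eq 'winlogon' } |
    ForEach-Object { $findings += "winlogon.exe -> $($_.RemoteAddress):80 ($($_.State))" }

# Unmount the ESP again so the host is left as it was found.
mountvol $EspDrive /D | Out-Null

if ($findings.Count -eq 0) { 'No BlackLotus indicators found.' } else { $findings }
```

Each finding is a lead for manual review, not a verdict: legitimate firmware or Windows updates also rewrite EFI files, so compare timestamps against known update dates before concluding anything.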

The sources for this piece include an article in TechSpot.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
