Microsoft shares guidance on detecting BlackLotus infection

Months after the UEFI bootkit BlackLotus was first reported, Microsoft has published detailed guidance to help investigators and system administrators recognize the signs of an infection on a Windows machine. BlackLotus bypasses Secure Boot by exploiting the boot-loader flaw tracked as CVE-2022-21894 and runs before the operating system loads, so it can hide from security software running inside Windows; the guidance therefore concentrates on the artifacts the bootkit leaves behind on disk, in the registry and in logs.

According to Microsoft, the evidence lives in places that ordinary Windows use never exposes. The indicators to look for are recently created and locked boot-loader files on the EFI system partition, a staging directory that the BlackLotus installer creates and works from, a Windows Registry change that disables Hypervisor-protected Code Integrity (HVCI), and traces in network and boot-configuration logs.

To check the boot chain itself, a threat hunter first has to mount the EFI system partition (ESP), which has no drive letter by default and is therefore invisible from Explorer. The next step is to compare the modification times of the boot-loader files under EFI\Microsoft\Boot. On a clean system those files were written together during installation or servicing, so a file with a noticeably newer timestamp stands out, and boot files that cannot be opened because the BlackLotus kernel driver holds them locked are an even stronger indicator that they belong to the bootkit.

A second indicator is a "system32" folder in the root of the EFI partition: the BlackLotus installer uses it as a staging area, and nothing legitimate creates a directory of that name there. The bootkit also edits the Windows Registry to disable HVCI and stops Microsoft Defender Antivirus from running. The latter leaves a trace in the System event log: Service Control Manager event ID 7023, recording that the Defender real-time protection service terminated "for an unknown reason".

Network telemetry adds another clue. winlogon.exe has no business making outbound connections to port 80, so such connections point to the HTTP loader BlackLotus injects into that process, which either contacts the command-and-control server or performs "network configuration discovery". Finally, comparing boot-configuration logs from before and after the infection shows two boot components that a clean boot does not record, "grubx64.efi" and "winload.efi".
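The host-based checks described above can be run in one pass from an elevated PowerShell prompt. The script below is an added example written for this page; it is not Microsoft's tooling and does not come from the guidance or the article. It uses only built-in commands (mountvol, Get-ChildItem, Get-ItemProperty, Get-WinEvent, Get-NetTCPConnection). The drive letter S: for the ESP mount, the 30-day event-log lookback and the one-day timestamp tolerance are assumptions that may need adjusting for a given case.

```powershell
# Added example (not Microsoft's or the article's code): run the BlackLotus
# host checks described in the text on a live Windows system.
# Assumptions: S: is a free drive letter, a 30-day lookback is recent enough,
# and boot files written more than a day after their siblings are suspicious.
#Requires -RunAsAdministrator

$EspLetter = 'S:'
$Lookback  = (Get-Date).AddDays(-30)
$Findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    # $Findings is a reference type, so the parent-scope list is updated in place.
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. The EFI system partition has no drive letter by default; mountvol /S exposes it.
#    Refuse to proceed if the letter is taken, so the dismount below cannot hit a real volume.
if (Test-Path -LiteralPath "$EspLetter\") { throw "$EspLetter is already in use; choose another letter." }
mountvol $EspLetter /S
try {
    $bootDir  = Join-Path $EspLetter 'EFI\Microsoft\Boot'
    $efiFiles = Get-ChildItem -Path $bootDir -Filter '*.efi' -File -ErrorAction SilentlyContinue

    if ($efiFiles) {
        # 2a. Boot-loader files are normally written together during servicing; take the
        #     oldest write time as the baseline and flag anything written well after it.
        $baseline = ($efiFiles | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        foreach ($f in $efiFiles) {
            if (($f.LastWriteTime - $baseline).TotalDays -gt 1) {
                Add-Finding 'Recent boot file' "$($f.FullName) written $($f.LastWriteTime)"
            }
            # 2b. Files the BlackLotus kernel driver protects cannot be opened exclusively.
            try {
                $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'None')
                $fs.Close()
            } catch {
                Add-Finding 'Locked boot file' $f.FullName
            }
        }
    }

    # 3. Staging directory used by the BlackLotus installer.
    $staging = Join-Path $EspLetter 'system32'
    if (Test-Path -LiteralPath $staging) {
        Add-Finding 'ESP staging directory' $staging
    }
}
finally {
    mountvol $EspLetter /D
}

# 4. HVCI turned off in the DeviceGuard scenario key (Enabled = 0).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
if ($hvci -and $hvci.Enabled -eq 0) {
    Add-Finding 'HVCI disabled' "$hvciKey\Enabled = 0"
}

# 5. Service Control Manager event 7023 for the Defender service in the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023; StartTime = $Lookback } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender' } |
    ForEach-Object {
        Add-Finding 'Defender service terminated' "$($_.TimeCreated): $($_.Message.Split("`n")[0])"
    }

# 6. winlogon.exe should never talk to remote port 80; the injected HTTP loader does.
$winlogonPids = (Get-Process -Name winlogon -ErrorAction SilentlyContinue).Id
Get-NetTCPConnection -RemotePort 80 -ErrorAction SilentlyContinue |
    Where-Object { $winlogonPids -contains $_.OwningProcess } |
    ForEach-Object {
        Add-Finding 'winlogon.exe HTTP connection' "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))"
    }

if ($Findings.Count -eq 0) {
    Write-Output 'No BlackLotus indicators found by these checks (absence is not proof of a clean system).'
} else {
    $Findings | Format-Table -AutoSize
}
```

Save it as a .ps1 file and run it from an elevated session. Weigh the results: an HVCI value of 0 is weak evidence on a machine where HVCI was never enabled, and a port-80 connection from winlogon.exe is only captured while the loader is active, whereas a locked boot file or a "system32" directory on the ESP has no benign explanation. The boot-configuration log comparison from the guidance is not covered here and still has to be done against a known-clean baseline.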

The sources for this piece include an article in TechSpot.

IT World Canada Staff
The online resource for Canadian Information Technology professionals.
