Pulse Detail — Threat Intelligence

PULSE NAME

BlackLotus UEFI bootkit: Myth confirmed | WeLiveSecurity

WHITE Cyber74Team 2023-03-01 Modified: 2023-03-31

IOCs

HIGH VOLUME

The first in-the-wild UEFI bootkit, capable of bypassing the essential security feature of Windows Secure Boot, has been discovered by ESET security researchers in the early 20th Century.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1056 T1495 T1553 T1140 T1547 T1102 T1176 T1189 T1014 T1016 T1027 T1036 T1055 T1070 T1071 T1082 T1106 T1112 T1129 T1132 T1134 T1203 T1497 T1542 T1548 T1559 T1562 T1573 T1574 T1587 T1588 T1614

MALWARE FAMILIES

BlackLotus HTTP BlackLotus HTTP

Indicators of Compromise (56)

All URL CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://frassirishiproc.com/API/hpb_gate.php	—	2023-03-01
URL	https://heikickgn.com/API/hpb_gate.php	—	2023-03-01
CVE	CVE-2022-21894	—	2023-03-01
FileHash-MD5	570b5d22b723b4a442cc6eeebc2580e8	—	2023-03-01
FileHash-MD5	d948d4b6db5d6d6e2e1ba6c0fa4bf008	MD5 of 05846d5b1d37ee2d716140de4f4f984cf1e631d1	2023-03-01
FileHash-MD5	e2265f82bc1703abbcec25d7c85e5ce7	MD5 of a5a530a91100ed5f07a5d74698b15c646dd44e16	2023-03-01
FileHash-MD5	ed00050d8507c313c6288e2866c5bbb3	MD5 of d82539bfc2cc7cb504be74ac74df696b13db486a	2023-03-01
FileHash-SHA1	05846d5b1d37ee2d716140de4f4f984cf1e631d1	—	2023-03-01
FileHash-SHA1	06af3016accdb3dfe1c23657bf1bf91c13baa757	—	2023-03-01
FileHash-SHA1	0c0e78bf97116e781dde0e00a1cd0c29e68d623d	—	2023-03-01
FileHash-SHA1	0e6dd7110c38464ecaa55ee4e2fa303ada0edefb	—	2023-03-01
FileHash-SHA1	111c4998f3264617a7a9d9bf662d4b1577445b20	—	2023-03-01
FileHash-SHA1	164bb587109cfb20824303ad1609a65abb36c3e9	—	2023-03-01
FileHash-SHA1	16b12cea54360aa42e1120e82c1e9bc0371cb635	—	2023-03-01
FileHash-SHA1	17fa047c1f979b180644906fe9265f21af5b0509	—	2023-03-01
FileHash-SHA1	1f3799fed3cf43254fe30dcdfdb8dc02d82e662b	—	2023-03-01
FileHash-SHA1	2ce056ae323b0380b0e87225ea0ae087a33cd316	—	2023-03-01
FileHash-SHA1	45701a83dec1dc71a48268c9d6d205f31d9e7ffb	—	2023-03-01
FileHash-SHA1	4b882748faf2c6c360884c6812dd5bcbce75ebff	—	2023-03-01
FileHash-SHA1	547faa2d64b85bf883955b723b07635c0a09326b	—	2023-03-01
FileHash-SHA1	5a0074203abd5deb464ba0a79e14b7541a033216	—	2023-03-01
FileHash-SHA1	5dc9cbd75abd830e83641a0265bffddd2f602815	—	2023-03-01
FileHash-SHA1	6d8cee28da8bcf25a4d232feb0810452acada11d	—	2023-03-01
FileHash-SHA1	71559c3e2f3950d4ee016f24ca54da17d28b9d82	—	2023-03-01
FileHash-SHA1	74ff58fce8f19083d16df0109dc91d78c94342fa	—	2023-03-01
FileHash-SHA1	91f832f46e4c38ecc9335460d46f6f71352cffed	—	2023-03-01
FileHash-SHA1	97aec21042df47d39ac212761729c6be484d064d	—	2023-03-01
FileHash-SHA1	994dc79255aeb662a672a1814280de73d405617a	—	2023-03-01
FileHash-SHA1	a5a530a91100ed5f07a5d74698b15c646dd44e16	—	2023-03-01
FileHash-SHA1	acc74217cbe3f2e727a826b34bde482dcae15be6	—	2023-03-01
FileHash-SHA1	adceec18ff009bed635d168e0b116e72096f18d2	—	2023-03-01
FileHash-SHA1	c8e6bf8b6fda161bbfa5470bcc262b1bdc92a359	—	2023-03-01
FileHash-SHA1	d1bbaa3d408e944c70b3815471eed7fa9aee6425	—	2023-03-01
FileHash-SHA1	d6bb89d8734b3e49725362dae9a868ae681e8bd6	—	2023-03-01
FileHash-SHA1	d6d3f3151b188a9da62deb95ea1d1abeff257914	—	2023-03-01
FileHash-SHA1	d82539bfc2cc7cb504be74ac74df696b13db486a	—	2023-03-01
FileHash-SHA1	dae7e7c4eec2ac0dc7963c44a5a4f47d930c5508	—	2023-03-01
FileHash-SHA1	dbc064f757c69ec43517eff496146b43cba949d1	—	2023-03-01
FileHash-SHA1	fff4f28287677caabc60c8ab36786c370226588d	—	2023-03-01
FileHash-SHA256	1f43703d2171ab90e98357b6dfdf824417baa191a59419c27fce42cbafdb7ecf	SHA256 of 05846d5b1d37ee2d716140de4f4f984cf1e631d1	2023-03-01
FileHash-SHA256	68bb0a6f1353a91ba7d50bc8743e61a520b60f0b814e2459d53f994521e2ded6	SHA256 of a5a530a91100ed5f07a5d74698b15c646dd44e16	2023-03-01
FileHash-SHA256	d68f668b4240f9518e4f80499d93d8c5a1eddece0771658c33ae916cc54f5a66	SHA256 of d82539bfc2cc7cb504be74ac74df696b13db486a	2023-03-01
URL	http://myrepository.name/network/API/hpb_gate.php	—	2023-03-01
URL	https://egscorp.net/API/hpb_gate.php	—	2023-03-01
URL	https://erdjknfweklsgwfmewfgref.com/API/hpb_gate.php	—	2023-03-01
URL	https://harrysucksdick.com/API/hpb_gate.php	—	2023-03-01
URL	https://myrepositoryx.com/network/API/hpb_gate.php	—	2023-03-01
URL	https://xrepositoryx.name/network/API/hpb_gate.php	80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880	2023-03-01
domain	egscorp.net	—	2023-03-01
domain	erdjknfweklsgwfmewfgref.com	—	2023-03-01
domain	frassirishiproc.com	—	2023-03-01
domain	harrysucksdick.com	—	2023-03-01
domain	heikickgn.com	—	2023-03-01
domain	myrepository.name	—	2023-03-01
domain	myrepositoryx.com	—	2023-03-01
domain	xrepositoryx.name	—	2023-03-01

References (1)

↗ https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/