Unmasking Malicious Bootloaders with Bootloaders.io

Michael Haag, published in magicswordio, Aug 3, 2023


In the intricate battleground of cybersecurity, the defense against malicious bootloaders, or bootkits, has always been a relentless game of cat and mouse. As defenders work tirelessly to understand, identify, and revoke these concealed threats, adversaries continue to exploit and advance their craft. Enter Bootloaders.io, a monumental stride in exposing bootkits!

For organizations striving to safeguard their systems, this initiative shines a light on a topic that is shrouded in mystique. To start, we took the full gamut of revoked bootloaders from the UEFI revocation list: Bootloaders.io offers an open-source project with an extensive and well-organized collection of known malicious bootloaders across various operating systems. But this doesn’t merely stand as a beacon for defenders; it also serves as a critical reminder that revoking, identifying, and responding to bootkits is fraught with challenges and takes time.

This isn’t just an update on security measures; it’s a battle cry for all who champion the cause of a secure environment. Whether you’re a defender or IT professional, join us as we delve into the heart of Bootloaders.io, where we’ll shine a light on the darkness and identify malicious bootloaders together. We’ll explore the complexities of the cyber landscape, understand how adversaries exploit these avenues, and uncover how Bootloaders.io arms you with the tools and knowledge to fight back.

Welcome to a new era of proactive defense and knowledge empowerment. Welcome to Bootloaders.io.

Why Bootloaders?

Similar to drivers, bootloaders, including malicious bootloaders or bootkits, represent a shadowy area that many defenders may be unaware of. In an era where we rely on Anti-Virus (AV) or Endpoint Detection and Response (EDR) products to uncover these low-level threats, detection is not always foolproof. Consider the recent exposure of BlackLotus, a bootkit that hit mainstream attention in March 2023 but had actually been lurking since October 2022.

It wasn’t until May 2023 that the compromised bootloaders were revoked in the UEFI revocation list, leaving computers vulnerable to this threat for eight months. Although Microsoft issued a patch and there were various methods to force an update to the DBX (the UEFI forbidden-signature database), implementing these solutions across 50,000 or even 200,000 endpoints is a daunting task.

Enter Bootloaders.io, a project focused on revoked bootloaders. When we first embarked on this mission, our initial step was to cross-reference VirusTotal with all the hashes listed in the revocation list CSV. Surprisingly, even after the BlackLotus hashes were added, we found only 137 of these bootkits on VirusTotal.

137 out of 520 revoked bootloaders are available on VT.

As a defender within an organization of any size, it’s crucial to understand how to search for and recognize bootkit behavior. While tasks such as x and y must be performed, and likely require Administrator privileges, it’s essential not to overlook this area. Adversaries continue to exploit these vulnerabilities, and there is a pressing need for us to enhance our understanding of how to detect and prevent these threats effectively.

What about the known knowns of Bootkits?

We wanted to begin with the largest collection of bootkits available, and now that the project is public, we will start backfilling the known instances out there.

The site follows the same schema and style as the LOLDrivers.io project.

If a bootloader is available, you can download it.

Or, we provide a one-liner to replace your current bootloader with the… ahem, evil one.

We work to provide as much detection out of the box as possible. Bootloaders are a smidge different than drivers.

A hash list may never work, given how a bootloader is loaded, but hey, we’ll try!

In addition, based on the UEFI revocation list, we added the CVEs:

You can click on each one to view the full details.

Again, bootloaders differ from drivers when it comes to metadata; we attempted to extract as much as possible and presented it on the page:

Below the table, the page includes any and all imports/exports, signatures and certificates:

The Boots

While working on understanding how to detect bootloader abuse, I produced a simple tool to goof off with the relevant registry keys.

https://github.com/MHaggis/notes/blob/master/utilities/theBoots.ps1

In addition, the one-liner on each page will plant the bootloader properly for testing purposes.

# PowerShell: copy the current boot entry, then point the copy's loader path at the test bootloader
bcdedit /copy "{current}" /d "LOLDrivers" | % { if ($_ -match '{\S+}') { bcdedit /set $matches[0] path \windows\temp\bootmgfw.efi } }

Be careful out there! More to come on testing.
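As an added example (not theBoots.ps1 or any code from the post), here is a PowerShell audit that parses the BCD store for boot entries whose loader path is not a stock Microsoft one, such as the \windows\temp\bootmgfw.efi entry the one-liner above creates, and reports each file's SHA256 so it can be compared against the hashes Bootloaders.io publishes. It assumes an elevated Windows session with English bcdedit output; the ESP drive letter and the allow-list of expected paths are this example's assumptions, not the project's.

```powershell
# Added example, not theBoots.ps1 or any code from the post: audit BCD boot entries for
# loaders outside the expected Microsoft boot paths, which is exactly what the test
# one-liner above creates (a copy of {current} pointing at \windows\temp\bootmgfw.efi).
# Assumes elevated PowerShell on Windows with English bcdedit output; the ESP drive
# letter and the allow-list are this example's choices, not the project's.
function Get-BcdEntry {
    # Parse `bcdedit /enum all` text into one object per boot entry.
    $entries = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in (bcdedit /enum all)) {
        if ($line -match '^identifier\s+(\{[^}]+\})') {
            if ($current) { $entries.Add([pscustomobject]$current) }
            $current = [ordered]@{ identifier = $matches[1] }
        }
        elseif ($line -match '^\s*$') {                 # blank line ends an entry
            if ($current) { $entries.Add([pscustomobject]$current) }
            $current = $null
        }
        elseif ($current -and $line -match '^(\S+)\s+(.+)$') {
            $current[$matches[1]] = $matches[2].Trim()  # e.g. path, device, description
        }
    }
    if ($current) { $entries.Add([pscustomobject]$current) }
    return $entries
}

# Loader paths a stock Windows entry uses; anything else is reported.
$ExpectedPaths = @('\EFI\Microsoft\Boot\bootmgfw.efi',
                   '\Windows\system32\winload.efi',
                   '\Windows\system32\winresume.efi')

function Find-SuspiciousBootEntry {
    param([string]$EspDrive = 'S:')   # where the ESP is mounted (e.g. mountvol S: /S)
    Get-BcdEntry | Where-Object { $_.path } | ForEach-Object {
        # Boot manager paths are ESP-relative; loader paths are relative to the OS partition (approximated by the system drive).
        $root = if ($_.path -like '\EFI\*') { $EspDrive } else { $env:SystemDrive }
        $file = Join-Path $root $_.path
        # Flat SHA256 for comparison with bootloaders.io hashes; the UEFI DBX stores Authenticode (PE image) hashes, so this will not match DBX entries.
        $hash = if (Test-Path $file) { (Get-FileHash -Algorithm SHA256 $file).Hash } else { 'missing' }
        [pscustomobject]@{
            Identifier  = $_.identifier
            Description = $_.description
            Path        = $_.path
            Expected    = ($ExpectedPaths -contains $_.path)   # case-insensitive match
            Sha256      = $hash
        }
    } | Where-Object { -not $_.Expected }
}

Find-SuspiciousBootEntry | Format-Table -AutoSize
```

Any entry reported here is worth a closer look; on a clean host the list is empty, and the planted test entry shows up with Expected false and the file hash of the copied bootloader.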

Streamlit App

Similar to LOLDrivers, we created a simple Streamlit App to help with easy contributions.

Check it out here: https://theboots.streamlit.app/

The workflow may be:

  • Create a YAML entry in the app.
  • Fork the project and add your YAML to the yaml directory as a new file, using a UUID as the filename (UUID.yaml).
  • Submit a PR.
  • You are now a contributor to Bootloaders!

In addition, feel free to open a GitHub issue with the YAML and we’ll merge it in with your name :)

Booting Up a New Era of Defense with Bootloaders.io

The Bootloaders.io project heralds a significant step forward in recognizing, understanding, and fighting against these concealed threats.

By assembling the largest known collection of revoked bootloaders and offering it publicly, Bootloaders.io not only illuminates this shadowy area but also provides tangible tools for defense. The project enables organizations of all sizes to enhance their detection and prevention strategies, despite the unique challenges bootloaders present.

With the ability to download and analyze bootloaders, review associated CVE details, and explore extensive metadata, Bootloaders.io stands as a robust resource for defenders. It’s not merely a repository but a collaborative platform where knowledge and action unite against a common enemy.
