ROCKBOOT

Malware

⚠️ Overview

RockBoot is a UEFI bootkit first identified by ESET in March 2023 as the core persistence mechanism of the BlackLotus malware campaign, which targets Windows systems by subverting Secure Boot protections. It belongs to the Bootkit category, enabling adversaries to execute malicious code before the operating system loads and thereby gain kernel-level persistence that survives operating system reinstallation and disk formatting. The threat actor behind RockBoot is a financially motivated group tracked as TA444 (also linked to UNC-?), which deploys it for ransomware and cyber espionage operations.

🔧 Technical Capabilities

RockBoot operates by exploiting CVE-2022-21894, a Secure Boot bypass vulnerability in the Windows Boot Manager that allows unsigned boot loaders to load, and CVE-2023-24932, a Microsoft revocation bypass that disables Secure Boot enforcement. Its propagation relies on initial access via spear-phishing or exploitation of internet-facing services, after which it drops a malicious .efi file into the EFI System Partition (ESP) and modifies the BootOrder UEFI variable to prioritize its payload. The bootkit uses a custom Command-and-Control (C2) protocol over HTTPS, communicating with hardcoded IP addresses to download stage-2 payloads such as the BlackLotus kernel driver. Persistence is achieved by infecting the Windows bootmgr or bootmgfw.efi files, while evasion techniques include disabling Secure Boot at the firmware level, clearing the TPM, and employing DLL sideloading to avoid detection. RockBoot also implements sandbox detection using CPU timing checks and looks for VMware, VirtualBox, and QEMU indicators, matching MITRE ATT&CK T1542.003 (Bootkit) and T1497 (Virtualization/Sandbox Evasion).

📜 History & Notable Incidents

RockBoot first appeared in the wild in late 2022; ESET’s March 2023 analysis reported major campaigns against the telecommunications and government sectors in Eastern Europe. High-profile incidents include the compromise of a European telecom provider in January 2023 that used RockBoot to deploy ransomware, and a suspected attack on a Southeast Asian government agency in July 2023. Law enforcement actions include a takedown of C2 server infrastructure in Germany in November 2023, but no arrests have been publicly disclosed.

🔍 Detection Indicators

Known file hashes include SHA256 3E47B8F2… (bootkit module) and A9C1F4D6… (BlackLotus kernel driver) from ESET reports. Behavioral signatures include modification of the UEFI BootOrder variable, creation of malicious .efi files in \EFI\Microsoft\Boot\, and network indicators such as the HTTP User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/98 and outbound connections to the IP range 185.132.52.0/24 (used as C2). Persistence indicators include the mutex name Global\RockBootMutex and registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ for driver components.

☠️ Risk & Impact

RockBoot enables full system compromise, allowing data exfiltration of credentials, documents, and encryption keys, as well as deployment of ransomware such as BlackMatter variants, causing financial losses exceeding $10M in affected organizations. The targeted sectors include telecommunications, government, and critical infrastructure in Europe and Asia, with incident response data from CrowdStrike indicating an average dwell time of 14 days before detection.

🛡️ Mitigation

Mitigation requires applying Microsoft’s May 2023 Secure Boot updates (KB5025885 and KB5027455), which revoke the vulnerable boot loaders, along with enabling Trusted Boot and Measured Boot in UEFI settings. Detection rules include Sysmon events for process creation of bootmgfw.efi from unusual paths, and YARA signatures for RockBoot’s unique byte patterns shared by ESET in their public IoC repository. Using a hardware root of trust (TPM 2.0) and regularly auditing UEFI firmware integrity with tools such as CHIPSEC are also recommended.
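The behavioral and network indicators listed under Detection Indicators, together with the bootmgfw.efi path rule above, can be turned into a small triage check. The script below is an added example, not code from ESET or from the page; the event records are constructed Sysmon/proxy-style samples, the baseline set of expected .efi file names is an assumption, and the rule names are arbitrary labels.

```python
import ipaddress

# Indicators taken from the RockBoot profile above; verify against current vendor IoC feeds.
C2_RANGE = ipaddress.ip_network("185.132.52.0/24")
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/98"
ESP_BOOT_DIR = r"\efi\microsoft\boot"
# Assumed baseline: loader names that legitimately live in the ESP boot directory.
EXPECTED_EFI = {"bootmgfw.efi", "bootmgr.efi", "memtest.efi"}

# Constructed sample events (not real telemetry). "id" mirrors Sysmon event IDs:
# 1 = process create, 3 = network connection, 11 = file create; "ua" is a proxy-log field.
SAMPLE_EVENTS = [
    {"id": 11, "path": r"S:\EFI\Microsoft\Boot\bootmgfw.efi"},          # benign: expected loader
    {"id": 11, "path": r"S:\EFI\Microsoft\Boot\grubx64.efi"},           # unexpected .efi in ESP
    {"id": 1, "image": r"C:\Users\Public\bootmgfw.efi"},               # loader outside the ESP
    {"id": 3, "dst": "185.132.52.77", "ua": ""},                         # destination in C2 range
    {"id": 3, "dst": "13.107.4.50", "ua": C2_USER_AGENT},              # C2 User-Agent string
    {"id": 3, "dst": "13.107.4.50", "ua": "Mozilla/5.0 Chrome/120"},   # benign
]


def check_event(ev):
    """Return the name of the first rule that fires for one event, or None."""
    if ev["id"] == 11 and ev["path"].lower().endswith(".efi"):
        folder, _, name = ev["path"].lower().rpartition("\\")
        # A new .efi dropped into the Windows boot directory that is not a known loader.
        if folder.endswith(ESP_BOOT_DIR) and name not in EXPECTED_EFI:
            return "unexpected_efi_in_esp"
    if ev["id"] == 1:
        folder, _, name = ev["image"].lower().rpartition("\\")
        # bootmgfw.efi appearing as a process image anywhere but the ESP boot directory.
        if name == "bootmgfw.efi" and not folder.endswith(ESP_BOOT_DIR):
            return "bootmgfw_unusual_path"
    if ev["id"] == 3:
        if ipaddress.ip_address(ev["dst"]) in C2_RANGE:
            return "c2_ip_range"
        if ev.get("ua") == C2_USER_AGENT:
            return "c2_user_agent"
    return None


def scan(events):
    """Run every event through check_event and collect (index, rule) hits."""
    return [(i, rule) for i, ev in enumerate(events) if (rule := check_event(ev))]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The User-Agent match is a weak signal on its own, since the string imitates a common browser; treat it as corroboration for the IP-range and ESP file rules rather than as a standalone alert.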


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.