Cybersecurity researchers have disclosed what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems.
Dubbed Bootkitty by its creators, who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC), and there is no evidence that it has been used in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024.
“The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup),” ESET researchers Martin Smolár and Peter Strýček said.
The development is significant because it marks a shift in the cyber threat landscape: UEFI bootkits are no longer confined to Windows systems alone.
It is worth noting that Bootkitty is signed with a self-signed certificate, and therefore cannot be executed on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has already been installed.
Regardless of the UEFI Secure Boot status, the bootkit is mainly engineered to boot the Linux kernel and patch, in memory, the return value of the function responsible for integrity verification before the GNU GRand Unified Bootloader (GRUB) is executed.
Specifically, if Secure Boot is enabled, it hooks two functions from the UEFI authentication protocols in such a way that UEFI integrity checks are bypassed. Subsequently, it also patches three different functions in the legitimate GRUB boot loader to sidestep further integrity verifications.
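Because a self-signed bootkit like this one only loads when Secure Boot is off or an attacker-enrolled certificate is already trusted, a defender's first check is the firmware's own state. The script below is an added example (not ESET's or the Bootkitty code): it reads the SecureBoot and SetupMode variables and shim's MokListRT from efivarfs (standard paths and GUIDs) and flags any enrolled Machine Owner Key certificate not on a site-specific allow-list, which is assumed empty here.

```python
import hashlib
import struct
import uuid

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE_GUID
SHIM_LOCK = "605dab50-e046-4300-abb6-3dd810dd8b23"    # shim's namespace for MokListRT
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID

def efivar_value(raw: bytes) -> bytes:
    # efivarfs prefixes each variable's data with 4 attribute bytes; return the payload
    return raw[4:]

def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """SecureBoot and SetupMode are one-byte variables; setup mode lets anyone enroll keys."""
    if efivar_value(setupmode_raw)[0] == 1:
        return "setup-mode"
    return "enabled" if efivar_value(secureboot_raw)[0] == 1 else "disabled"

def x509_fingerprints(siglist_raw: bytes) -> list:
    """Walk a chain of EFI_SIGNATURE_LIST structures (db, MokListRT) and hash each X.509 cert."""
    data, fps, off = efivar_value(siglist_raw), [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        entries = data[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_X509:
            for i in range(0, len(entries) - sig_size + 1, sig_size):
                cert = entries[i + 16:i + sig_size]          # skip the 16-byte SignatureOwner GUID
                fps.append(hashlib.sha256(cert).hexdigest())
        off += list_size
    return fps

def assess(secureboot_raw, setupmode_raw, moklist_raw, trusted_fps) -> list:
    """Return findings a defender would act on: weak Secure Boot state or unknown MOK certs."""
    findings = []
    state = secure_boot_state(secureboot_raw, setupmode_raw)
    if state != "enabled":
        findings.append(f"Secure Boot {state}: a self-signed boot image would be accepted at boot")
    for fp in x509_fingerprints(moklist_raw):
        if fp not in trusted_fps:
            findings.append(f"MOK certificate not on the allow-list: sha256={fp}")
    return findings

if __name__ == "__main__":
    def read(name, guid):  # raises OSError on non-UEFI hosts or when MokListRT is absent
        return open(f"/sys/firmware/efi/efivars/{name}-{guid}", "rb").read()
    report = assess(read("SecureBoot", EFI_GLOBAL), read("SetupMode", EFI_GLOBAL), read("MokListRT", SHIM_LOCK), set())
    print("\n".join(report) or "no findings")
```

Run as root on the host being checked; the same parser can be pointed at the db variable (EFI_IMAGE_SECURITY_DATABASE namespace) to audit firmware-level certificates as well.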
The Slovak cybersecurity company said its investigation into the bootkit also led to the discovery of a possibly related unsigned kernel module that is capable of deploying an ELF binary dubbed BCDropper, which loads another as-yet-unknown kernel module after system start.
The kernel module, which also lists BlackCat as the author's name, implements other rootkit-related functionality such as hiding files and processes and opening ports. There is no evidence to suggest a connection to the ALPHV/BlackCat ransomware group at this stage.
“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” the researchers said, adding “it emphasizes the necessity of being prepared for potential future threats.”