Cybersecurity researchers have uncovered the first-ever UEFI bootkit designed to target Linux systems.
This discovery, named ‘Bootkitty’, marks a new chapter in UEFI threats, which until now have predominantly targeted Windows systems.
The UEFI (Unified Extensible Firmware Interface) threat landscape has evolved considerably over the past decade.
Evolution of UEFI Threats
In 2012, the first proof-of-concept UEFI bootkit was presented by Andrea Allievi. Since then, several proof-of-concept bootkits such as EfiGuard, Boot Backdoor, and UEFI-bootkit have emerged.
However, it wasn’t until 2021 that the first real-world UEFI bootkits, ESPecter and FinSpy, were discovered. In 2023, the BlackLotus bootkit raised the stakes further by bypassing UEFI Secure Boot on fully patched systems.
Bootkitty represents a new class of UEFI threat by specifically targeting Linux systems, starting with certain versions of Ubuntu.
Unlike its predecessors, which exclusively targeted Windows, Bootkitty disables the Linux kernel’s signature verification feature.
The bootkit is signed with a self-signed certificate, so it cannot run on systems with UEFI Secure Boot enabled unless attacker-controlled certificates have been installed.
Technical Insights
Bootkitty’s main objective is to patch the Linux kernel in memory, circumventing integrity checks before the GRUB bootloader is executed.
Because it relies on hardcoded byte patterns for patching, this method only works on specific configurations.
ESET’s detailed analysis reveals that Bootkitty attempts to preload ELF binaries via the Linux init process.
Additionally, a possibly related unsigned kernel module, BCDropper, was discovered.
This module is suspected to have been developed by the same authors and is responsible for loading another, as yet unknown, kernel module.
While Bootkitty currently appears to be more of a proof-of-concept than a fully operational threat, its existence underscores the potential expansion of UEFI bootkits to Linux systems.
Bootkitty modifies the kernel version and Linux banner strings, which can be detected using the uname -v and dmesg commands.
System administrators are advised to ensure that UEFI Secure Boot is enabled and that system firmware and operating systems are kept up to date.
A simple corrective action is to restore the legitimate GRUB bootloader file to its original location, which undoes Bootkitty’s effects.
The emergence of Bootkitty signals a significant shift in UEFI bootkit threats, highlighting the need for vigilance in securing Linux systems against potential future threats.
This development serves as a crucial reminder of the evolving nature of cybersecurity threats and the importance of robust security measures.
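Since Bootkitty patches the kernel in memory rather than on disk, the strings reported by uname and dmesg can be cross-checked against the version string embedded in the untouched kernel image the machine booted from. The script below is an added example, not code from the article or from ESET: it reads the kernel_version field of an x86 bzImage setup header (documented in the kernel's x86 boot protocol), compares it with uname -r, uname -v and the "Linux version ..." dmesg banner, and reports any disagreement. The /boot/vmlinuz-<release> path is an assumption (Debian/Ubuntu layout), reading the image normally requires root, and the check only tells you the strings are consistent, not that the kernel is clean.

```python
"""Cross-check running kernel strings against the on-disk bzImage (added example)."""
import re
import struct
import subprocess
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# x86 boot protocol: "HdrS" magic at 0x202, u16 kernel_version at 0x20E that
# holds (offset of the NUL-terminated version string) - 0x200.
HDRS_OFFSET = 0x202
KERNEL_VERSION_FIELD = 0x20E


def bzimage_version_string(image: bytes) -> str:
    """Return the 'RELEASE (builder@host) UTS_VERSION' string from a bzImage."""
    if image[HDRS_OFFSET:HDRS_OFFSET + 4] != b"HdrS":
        raise ValueError("no HdrS magic: not an x86 bzImage")
    (ptr,) = struct.unpack_from("<H", image, KERNEL_VERSION_FIELD)
    if ptr == 0:
        raise ValueError("bzImage carries no kernel_version string")
    start = 0x200 + ptr
    end = image.index(b"\x00", start)
    return image[start:end].decode("ascii", errors="replace")


def split_version_string(s: str) -> Tuple[str, str]:
    """Split 'RELEASE (who@host) UTS_VERSION' into (release, uts_version)."""
    release, _, rest = s.partition(" (")
    _, _, uts_version = rest.partition(") ")
    return release, uts_version


def dmesg_banner(dmesg_text: str) -> Optional[Tuple[str, str]]:
    """Extract (release, uts_version) from the 'Linux version ...' banner line."""
    m = re.search(r"Linux version (\S+) \(.*?\) \(.*\) (#.*)$", dmesg_text, re.M)
    return (m.group(1), m.group(2)) if m else None


def compare(uname_r: str, uname_v: str, image: bytes, dmesg_text: str = "") -> List[str]:
    """Return mismatch descriptions; an empty list means all sources agree."""
    release, uts_version = split_version_string(bzimage_version_string(image))
    findings = []
    if uname_r != release:
        findings.append(f"uname -r {uname_r!r} differs from image release {release!r}")
    if uname_v != uts_version:
        findings.append(f"uname -v {uname_v!r} differs from image version {uts_version!r}")
    banner = dmesg_banner(dmesg_text)
    if banner and banner != (release, uts_version):
        findings.append(f"dmesg banner {banner!r} differs from image {(release, uts_version)!r}")
    return findings


def make_test_image(version_string: str) -> bytes:
    """Constructed minimal bzImage header carrying the given version string."""
    image = bytearray(0x400)
    image[HDRS_OFFSET:HDRS_OFFSET + 4] = b"HdrS"
    struct.pack_into("<H", image, KERNEL_VERSION_FIELD, 0x80)  # string lives at 0x280
    encoded = version_string.encode()
    image[0x280:0x280 + len(encoded)] = encoded
    return bytes(image)


def main() -> int:
    uname_r = subprocess.check_output(["uname", "-r"], text=True).strip()
    uname_v = subprocess.check_output(["uname", "-v"], text=True).strip()
    image_path = Path("/boot") / f"vmlinuz-{uname_r}"  # assumed Debian/Ubuntu layout
    try:
        image = image_path.read_bytes()  # usually requires root
    except OSError as exc:
        print(f"cannot read {image_path}: {exc}", file=sys.stderr)
        return 2
    dmesg_text = subprocess.run(["dmesg"], capture_output=True, text=True).stdout
    findings = compare(uname_r, uname_v, image, dmesg_text)
    for finding in findings:
        print("MISMATCH:", finding)
    print("kernel strings consistent" if not findings else f"{len(findings)} mismatch(es)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means the in-memory strings do not match the image; dmesg may already have rotated the banner out of the ring buffer on long-running hosts, in which case only the uname comparisons apply.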
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in ESET’s GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 35ADF3AED60440DA7B80F3C452047079E54364C1 | bootkit.efi | EFI/Agent.A | Bootkitty UEFI bootkit. |
| BDDF2A7B3152942D3A829E63C03C7427F038B86D | dropper.ko | Linux/Rootkit.Agent.FM | BCDropper. |
| E8AF4ED17F293665136E17612D856FA62F96702D | observer | Linux/Rootkit.Agent.FM | BCObserver. |
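The IoC table above and the advice to verify that Secure Boot is enabled both translate directly into a host check. The script below is an added example, not code from the article or from ESET: it sweeps the EFI System Partition and the kernel module tree for files whose SHA-1 matches one of the listed hashes (a filename match alone is reported as a weaker hint, since files can be renamed), and reads the UEFI SecureBoot variable through efivarfs, where the first four bytes are attributes and the fifth is the value. The search roots /boot/efi and /lib/modules are assumptions; the self_check function builds a constructed directory tree and a constructed IoC entry so the logic can be exercised without real samples.

```python
"""Sweep for Bootkitty IoCs and report Secure Boot state (added example)."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# SHA-1 -> (filename, detection), taken from the article's IoC table.
BOOTKITTY_IOCS: Dict[str, Tuple[str, str]] = {
    "35adf3aed60440da7b80f3c452047079e54364c1": ("bootkit.efi", "EFI/Agent.A"),
    "bddf2a7b3152942d3a829e63c03c7427f038b86d": ("dropper.ko", "Linux/Rootkit.Agent.FM"),
    "e8af4ed17f293665136e17612d856fa62f96702d": ("observer", "Linux/Rootkit.Agent.FM"),
}
DEFAULT_ROOTS = ["/boot/efi", "/lib/modules"]  # assumed mount points
# EFI_GLOBAL_VARIABLE GUID; efivarfs exposes 4 attribute bytes then the data.
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def sha1_file(path: Path) -> str:
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots: List[str], iocs=BOOTKITTY_IOCS) -> Iterator[Tuple[str, str, str]]:
    """Yield (severity, path, detail) for hash hits and filename-only hits."""
    known_names = {name for name, _ in iocs.values()}
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = Path(dirpath) / name
                if path.is_symlink() or not path.is_file():
                    continue
                try:
                    digest = sha1_file(path)
                except OSError:
                    continue
                if digest in iocs:
                    yield ("HIGH", str(path), f"{iocs[digest][1]} sha1={digest}")
                elif name in known_names:
                    yield ("LOW", str(path), "filename matches an IoC but hash does not")


def secure_boot_enabled(efivars_dir: str = "/sys/firmware/efi/efivars") -> Optional[bool]:
    """True/False from the SecureBoot EFI variable; None when not booted via UEFI."""
    try:
        data = (Path(efivars_dir) / SECUREBOOT_VAR).read_bytes()
    except OSError:
        return None
    return len(data) >= 5 and data[4] == 1


def self_check() -> dict:
    """Exercise sweep() and secure_boot_enabled() on a constructed tree."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "EFI" / "ubuntu").mkdir(parents=True)
        planted = root / "EFI" / "ubuntu" / "grubx64.efi"
        planted.write_bytes(b"constructed sample content")
        (root / "bootkit.efi").write_bytes(b"harmless content with a suspicious name")
        efivars = root / "efivars"
        efivars.mkdir()
        (efivars / SECUREBOOT_VAR).write_bytes(b"\x06\x00\x00\x00\x01")  # attrs + value 1
        # Constructed IoC entry for the planted file, alongside the real ones.
        test_iocs = {sha1_file(planted): ("grubx64.efi", "Test/Constructed.A")}
        test_iocs.update(BOOTKITTY_IOCS)
        return {
            "hits": sorted(sweep([str(root)], test_iocs)),
            "secure_boot": secure_boot_enabled(str(efivars)),
        }


def main(argv: List[str]) -> int:
    roots = argv[1:] or DEFAULT_ROOTS
    state = secure_boot_enabled()
    print("Secure Boot:", {True: "enabled", False: "DISABLED", None: "not UEFI"}[state])
    hits = list(sweep(roots))
    for severity, path, detail in hits:
        print(f"{severity}: {path} ({detail})")
    print(f"{len(hits)} finding(s) across {roots}")
    return 1 if hits or state is False else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root so the ESP and module tree are readable; a HIGH hit is a known sample, while a LOW hit only warrants a closer look at the file. A disabled Secure Boot state is reported as a finding in its own right because, per the article, that is the condition under which Bootkitty's self-signed binary can run at all.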