The primary UEFI bootkit particularly concentrating on Linux techniques has been found, marking a shift in stealthy and hard-to-remove bootkit threats that beforehand targeted on Home windows.
Named ‘Bootkitty,’ the Linux malware is a proof-of-concept that works solely on some Ubuntu variations and configurations reasonably than a completely fledged risk deployed in precise assaults.
Bootkits are malware designed to infect a pc’s boot course of, loading earlier than the working system and permitting it to realize management over a system at a really low degree.
The benefit of this apply is that bootkits can evade safety instruments operating on the working system degree and modify system elements or inject malicious code with out risking detection.
ESET researchers who found Bootkitty warn that its existence is a major evolution within the UEFI bootkit threats area regardless of the present real-world implications.
A Linux bootkit within the making
ESET found Bootkitty after inspecting a suspicious file (bootkit.efi) uploaded to VirusTotal in November 2024.
Upon evaluation, ESET confirmed that this was the primary case of a Linux UEFI bootkit to bypass kernel signature verification and preload malicious elements through the system boot course of.
Bootkitty depends on a self-signed certificates, so it will not execute on techniques with Safe Boot enabled and solely targets sure Ubuntu distributions.
Moreover, hardcoded offsets and simplistic byte-pattern matching make it solely usable on particular GRUB and kernel variations, so it is unsuitable for widespread deployment.
ESET additionally notes that the malware incorporates many unused features and handles kernel-version compatibility poorly, usually resulting in system crashes.
Supply: ESET
The malware’s buggy nature and the truth that ESET’s telemetry exhibits no indicators of Bootkitty on dwell techniques led the researchers to conclude that it’s in early-stage growth.
Bootkitty’s capabilities
Throughout boot, Bootkitty hooks UEFI safety authentication protocols (EFI_SECURITY2_ARCH_PROTOCOL and EFI_SECURITY_ARCH_PROTOCOL) to bypass Safe Boot’s integrity verification checks, making certain the bootkit masses no matter safety insurance policies.
Subsequent, it hooks varied GRUB features like ‘start_image’ and ‘grub_verifiers_open’ to control the bootloader’s integrity checks for binaries, together with the Linux kernel, turning off signature verification.
Bootkitty then intercepts the Linux kernel’s decompression course of and hooks the ‘module_sig_check’ operate. This forces it to all the time return success throughout kernel module checks, permitting the malware to load malicious modules.
Additionally, it replaces the primary atmosphere variable with ‘LD_PRELOAD=/choose/injector.so’ in order that the malicious library is injected into processes upon system launch.
Supply: ESET
This complete course of leaves behind a number of artifacts, some supposed and others not, explains ESET, which is one other indication of Bootkitty’s lack of refinement.
The researchers additionally famous that the identical person who uploaded Bootkitty onto VT additionally uploaded an unsigned kernel module named ‘BCDropper,’ however obtainable proof weakly hyperlinks the 2.
BCDropper drops an ELF file named ‘BCObserver,’ a kernel module with rootkit performance that hides information, processes, and opens ports on the contaminated system.
The invention of such a malware illustrates how attackers are growing Linux malware that was beforehand remoted to Home windows because the enterprise more and more adopts Linux.
Indicators of compromise (IoCs) related to Bootkitty have been shared on this GitHub repository.