Cybersecurity researchers have uncovered the first-ever UEFI bootkit designed to target Linux systems.
This discovery, named ‘Bootkitty’, marks a new chapter in UEFI threats, which have predominantly targeted Windows systems until now.
The UEFI (Unified Extensible Firmware Interface) threat landscape has seen considerable evolution over the past decade.
Evolution of UEFI Threats
Initially, in 2012, the first proof-of-concept UEFI bootkit was presented by Andrea Allievi. Since then, several proof-of-concept bootkits such as EfiGuard, Boot Backdoor, and UEFI-bootkit have emerged.
However, it wasn’t until 2021 that the first real-world UEFI bootkits, ESPecter and FinSpy, were discovered. In 2023, the BlackLotus bootkit further raised the stakes by bypassing UEFI Secure Boot on up-to-date systems.
Bootkitty represents a new class of UEFI threats by specifically targeting Linux systems, starting with certain versions of Ubuntu.
Unlike its predecessors, which exclusively targeted Windows, Bootkitty disables the Linux kernel’s signature verification feature.
The bootkit employs a self-signed certificate, making it incapable of running on systems with UEFI Secure Boot enabled unless attacker certificates are installed.
Technical Insights
Bootkitty’s primary objective is to patch the Linux kernel in memory, circumventing integrity verifications before the GRUB bootloader is executed.
This method limits its functionality to specific configurations due to its use of hardcoded byte patterns for patching.
ESET Detailed analysis reveals that Bootkitty attempts to preload ELF binaries via the Linux init process.
Additionally, a possibly related unsigned kernel module, BCDropper, was discovered.
This module is suspected to have been developed by the same authors and is responsible for loading another unknown kernel module.
While Bootkitty currently appears to be more of a proof-of-concept rather than a fully operational threat, its existence underscores the potential expansion of UEFI bootkits to Linux systems.
Bootkitty modifies kernel version and Linux banner strings, which can be detected using the uname -v and dmesg commands.
System administrators are advised to ensure that UEFI Secure Boot is enabled and that system firmware and operating systems are up-to-date.
A simple corrective action involves restoring the legitimate GRUB bootloader file to its original location to mitigate Bootkitty’s effects.
The emergence of Bootkitty signals a significant shift in UEFI bootkit threats, highlighting the need for vigilance in securing Linux systems against potential future threats.
This development serves as a critical reminder of the evolving nature of cybersecurity threats and the importance of robust security measures.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
| 35ADF3AED60440DA7B80F3C452047079E54364C1 | bootkit.efi | EFI/Agent.A | Bootkitty UEFI bootkit. |
| BDDF2A7B3152942D3A829E63C03C7427F038B86D | dropper.ko | Linux/Rootkit.Agent.FM | BCDropper. |
| E8AF4ED17F293665136E17612D856FA62F96702D | observer | Linux/Rootkit.Agent.FM | BCObserver. |
