Cyber Security News

“Bootkitty” – A First Ever UEFI Bootkit Attack Linux Systems

Cybersecurity researchers have uncovered the first-ever UEFI bootkit designed to target Linux systems.

This discovery, named ‘Bootkitty’, marks a new chapter in UEFI threats, which have predominantly targeted Windows systems until now.

The UEFI (Unified Extensible Firmware Interface) threat landscape has seen considerable evolution over the past decade.

Evolution of UEFI Threats

Initially, in 2012, the first proof-of-concept UEFI bootkit was presented by Andrea Allievi. Since then, several proof-of-concept bootkits such as EfiGuard, Boot Backdoor, and UEFI-bootkit have emerged.

However, it wasn’t until 2021 that the first real-world UEFI bootkits, ESPecter and FinSpy, were discovered. In 2023, the BlackLotus bootkit further raised the stakes by bypassing UEFI Secure Boot on up-to-date systems.

Bootkitty represents a new class of UEFI threats by specifically targeting Linux systems, starting with certain versions of Ubuntu.

Bootkitty execution overview

Unlike its predecessors, which exclusively targeted Windows, Bootkitty disables the Linux kernel’s signature verification feature.

The bootkit employs a self-signed certificate, making it incapable of running on systems with UEFI Secure Boot enabled unless attacker certificates are installed.

Technical Insights

Bootkitty’s primary objective is to patch the Linux kernel in memory, circumventing integrity verifications before the GRUB bootloader is executed.

This method limits its functionality to specific configurations due to its use of hardcoded byte patterns for patching.

ESET Detailed analysis reveals that Bootkitty attempts to preload ELF binaries via the Linux init process.

Additionally, a possibly related unsigned kernel module, BCDropper, was discovered.

This module is suspected to have been developed by the same authors and is responsible for loading another unknown kernel module.

While Bootkitty currently appears to be more of a proof-of-concept rather than a fully operational threat, its existence underscores the potential expansion of UEFI bootkits to Linux systems.

Bootkitty modifies kernel version and Linux banner strings, which can be detected using the uname -v and dmesg commands.

System administrators are advised to ensure that UEFI Secure Boot is enabled and that system firmware and operating systems are up-to-date.

A simple corrective action involves restoring the legitimate GRUB bootloader file to its original location to mitigate Bootkitty’s effects.

The emergence of Bootkitty signals a significant shift in UEFI bootkit threats, highlighting the need for vigilance in securing Linux systems against potential future threats.

This development serves as a critical reminder of the evolving nature of cybersecurity threats and the importance of robust security measures.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-1FilenameDetectionDescription
35ADF3AED60440DA7B80F3C452047079E54364C1bootkit.efiEFI/Agent.ABootkitty UEFI bootkit.
BDDF2A7B3152942D3A829E63C03C7427F038B86Ddropper.koLinux/Rootkit.Agent.FMBCDropper.
E8AF4ED17F293665136E17612D856FA62F96702DobserverLinux/Rootkit.Agent.FMBCObserver.
Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

2 days ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

2 days ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

2 days ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

2 days ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

3 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

3 days ago