Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems.
Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024.
"The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)," ESET researchers Martin Smolár and Peter Strýček said.
The development is significant as it heralds a shift in the cyber threat landscape where UEFI bootkits are no longer confined to Windows systems alone.
It's worth noting that Bootkitty is signed by a self-signed certificate, and therefore cannot be executed on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has been already installed.
Regardless of the UEFI Secure Boot status, the bootkit is mainly engineered to boot the Linux kernel and patch, in memory, the function's response for integrity verification before GNU GRand Unified Bootloader (GRUB) is executed.
Specifically, it proceeds to hook two functions from the UEFI authentication protocols if Secure Boot is enabled in such a way that UEFI integrity checks are bypassed. Subsequently, it also patches three different functions in the legitimate GRUB boot loader to sidestep other integrity verifications.
It's also designed to interfere with the normal functioning of the Linux kernel's decompression process to allow the malware to load malicious modules. Last but not least, it modifies the LD_PRELOAD environment variable so that two unknown ELF shared objects ("/opt/injector.so" and "/init") are loaded when the init process starts.
The Slovakian cybersecurity company said its investigation into the bootkit also led to the discovery of a likely related unsigned kernel module codenamed BCDropper that's capable of deploying an ELF binary dubbed BCObserver that loads another as-yet-unknown kernel module after a system start.
The kernel module, also featuring BlackCat as the author's name, implements other rootkit-related functionalities like hiding files, processes, and opening ports. There is no evidence to suggest a connection to the ALPHV/BlackCat ransomware group at this stage.
"Whether a proof-of-concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," the researchers said, adding "it emphasizes the necessity of being prepared for potential future threats."
Bootkitty Exploits LogoFAIL
Firmware security company Binarly, in a follow-up analysis published on November 29, 2024, revealed that the prototype UEFI bootkit capable of infecting the Linux kernel is exploiting a vulnerability tied to LogoFAIL (CVE-2023-40238, CVSS score: 5.5) to enable the "execution of malicious shellcode through tampered BMP files in UEFI firmware."
"The exploit uses embedded shellcode within a BMP image to bypass Secure Boot protections by injecting rogue certificates into the MokList variable," it said.
"Vulnerable devices include models from Acer, HP, Fujitsu, and Lenovo, with evidence suggesting the exploit may have been tailored for specific hardware configurations. While a patch from Insyde mitigates the vulnerability, unpatched devices remain at risk."
Bootkitty Part of Research Project
ESET has revealed that the bootkit is a part of a project created by cybersecurity students participating in Korea's Best of the Best (BoB) training program, confirming it's an initial PoC rather than malware used by malicious actors.
(The story was updated after publication to include additional information about Bootkitty.)
