New UEFI Bootkit 'Bootkitty' Discovered Targeting Linux Systems
Quick take - The article discusses the evolution of UEFI bootkits, highlighting the emergence of Bootkitty, a new proof of concept targeting Linux systems that aims to disable kernel signature verification and bypass UEFI Secure Boot, while emphasizing the need for preparedness against such threats.
Fast Facts
- The UEFI threat landscape has evolved with the emergence of bootkits targeting both Windows and Linux, including notable PoCs like EfiGuard and Boot Backdoor.
- The first real UEFI bootkits identified in the wild were ESPecter and FinSpy in 2021, followed by the BlackLotus bootkit in 2023, which bypassed UEFI Secure Boot.
- A new UEFI bootkit named Bootkitty, designed for Linux, was discovered as a proof of concept, targeting specific Ubuntu versions and aiming to disable kernel signature verification.
- Bootkitty operates by patching the GRUB bootloader and modifying the Linux kernel’s EFI stub loader, while a related module, BCDropper, executes another kernel module.
- Recommendations for safeguarding against UEFI threats include enabling UEFI Secure Boot, keeping systems updated, and maintaining an up-to-date UEFI revocations list.
The Evolving UEFI Threat Landscape
The UEFI threat landscape has seen significant evolution in recent years, marked by the emergence of UEFI bootkits targeting both Windows and Linux systems.
Historical Context of UEFI Bootkits
The first proof of concept (PoC) for a UEFI bootkit was presented by Andrea Allievi in 2012. This PoC demonstrated the deployment of bootkits on UEFI-based Windows systems. Subsequent notable PoCs included EfiGuard, Boot Backdoor, and UEFI-bootkit. The first real UEFI bootkits identified in the wild were ESPecter and FinSpy, both discovered in 2021. In 2023, the BlackLotus bootkit emerged, notable for being the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems. This development indicated a significant advancement in the capabilities of UEFI threats.
The Emergence of Bootkitty
Recently, a new UEFI bootkit named Bootkitty was discovered. Bootkitty is designed specifically for Linux systems and is classified as an initial proof of concept, having not yet been observed in the wild. Its design aims to disable the kernel’s signature verification feature and to preload unknown ELF binaries via the Linux init process. Bootkitty was uploaded to VirusTotal in November 2024 and specifically targets certain versions of Ubuntu. The bootkit is signed with a self-signed certificate, so it cannot run on systems with UEFI Secure Boot enabled unless the attacker’s certificates have been installed.
Bootkitty is designed to seamlessly boot the Linux kernel, regardless of UEFI Secure Boot status, by patching necessary functions in memory before GRUB execution. Artifacts within Bootkitty suggest it is more of a theoretical exercise than fully operational malware, containing two unused functions capable of printing ASCII art and a list of potential authors during execution. Bootkitty prints a welcome message referencing “BlackCat,” although there is no confirmed connection to the ALPHV/BlackCat ransomware group.
Technical Details and Recommendations
Bootkitty operates by patching the GRUB bootloader, modifying the Linux kernel’s EFI stub loader, and altering the decompressed Linux kernel image. The bootkit checks whether UEFI Secure Boot is enabled and hooks functions from UEFI authentication protocols so that they always return success. Its architecture includes loading a legitimate GRUB backup from a hardcoded path and patching its memory to bypass integrity checks. It also modifies the kernel version and Linux banner strings and uses the LD_PRELOAD environment variable to load shared objects during the init process.
A related unsigned kernel module, named BCDropper, has also been discovered. BCDropper deploys an ELF binary named BCObserver, responsible for executing another kernel module. BCDropper’s design contains hints of a connection to Bootkitty through shared strings and functionalities, executing BCObserver via /bin/bash. BCObserver waits for the display manager to start before proceeding to load an unknown kernel module.
The identification of Bootkitty underscores the importance of preparedness against potential threats to Linux systems. Recommendations for safeguarding include enabling UEFI Secure Boot, keeping firmware and operating systems updated, and maintaining an up-to-date UEFI revocations list. A list of indicators of compromise (IoCs) related to Bootkitty and its components is available on GitHub. Bootkitty is categorized under various MITRE ATT&CK techniques, encompassing malware development, code signing, execution, persistence, and defense evasion.
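The mechanisms described above (forcing Secure Boot checks to succeed, injecting shared objects into init through LD_PRELOAD, rewriting the kernel banner strings) and the recommendations in this section (Secure Boot enforcing, an up-to-date revocation list) translate into a handful of host checks. The script below is an added example written for this page, not code from the article or from ESET. The sysfs/procfs paths, the efivarfs layout (a 4-byte attribute word before the variable data), the EFI_SIGNATURE_LIST structure and the kernel taint bit are as documented for Linux and UEFI; the sample values, the helper names (`audit`, `read_live`, `_dbx_sample`) and the `/tmp/injected-sample.so` path are constructed for the example.

```python
"""Host checks for the Bootkitty indicators described above.

Added example, not code from the article or ESET. It parses the sources a
defender inspects (efivarfs variables, the kernel taint mask, PID 1's
environment, /etc/ld.so.preload, /proc/version) and ships with constructed
samples so it runs offline; read_live() collects the same inputs from a host.
"""
import os
import struct
import uuid

# Standard efivarfs paths; the suffixes are the UEFI global-variable and
# image-security-database GUIDs from the UEFI specification.
EFIVARS = "/sys/firmware/efi/efivars"
SECUREBOOT_VAR = f"{EFIVARS}/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
DBX_VAR = f"{EFIVARS}/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TAINT_UNSIGNED_MODULE = 1 << 13   # flag 'E' in /proc/sys/kernel/tainted


def efivar_data(raw: bytes) -> bytes:
    """efivarfs prefixes each variable with a 4-byte attribute word."""
    return raw[4:] if len(raw) >= 4 else b""


def secure_boot_enabled(raw: bytes) -> bool:
    """SecureBoot holds one byte: 1 = enforcing. Missing or short = not enforcing."""
    return efivar_data(raw)[:1] == b"\x01"


def count_dbx_entries(raw: bytes) -> int:
    """Count revocation entries across the EFI_SIGNATURE_LISTs stored in dbx.
    Each list: SignatureType GUID (16) | SignatureListSize (4) |
    SignatureHeaderSize (4) | SignatureSize (4) | header | signatures."""
    data, off, total = efivar_data(raw), 0, 0
    while off + 28 <= len(data):
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size == 0 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        total += (list_size - 28 - hdr_size) // sig_size
        off += list_size
    if off != len(data):
        raise ValueError("trailing bytes after last EFI_SIGNATURE_LIST")
    return total


def unsigned_module_loaded(taint_mask: int) -> bool:
    """Bit 13 is set once an unsigned module loads on a signature-checking kernel."""
    return bool(taint_mask & TAINT_UNSIGNED_MODULE)


def preload_findings(init_environ: bytes, ld_so_preload: str) -> list:
    """LD_PRELOAD on PID 1 (the bootkit's route) or a populated
    /etc/ld.so.preload injects a shared object into processes."""
    findings = []
    for entry in init_environ.split(b"\0"):          # environ is NUL-separated
        if entry.startswith(b"LD_PRELOAD="):
            findings.append("init environment has " + entry.decode(errors="replace"))
    for line in ld_so_preload.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.append("/etc/ld.so.preload lists " + line)
    return findings


def banner_consistent(proc_version: str, uname_release: str) -> bool:
    """The banner in /proc/version must name the release that uname -r reports."""
    return proc_version.startswith("Linux version %s " % uname_release)


def audit(inputs: dict) -> list:
    """Return one line per indicator found; an empty list means nothing flagged."""
    findings = []
    if not secure_boot_enabled(inputs["secureboot"]):
        findings.append("UEFI Secure Boot is not enforcing")
    if count_dbx_entries(inputs["dbx"]) == 0:
        findings.append("dbx revocation list is empty or missing")
    if unsigned_module_loaded(inputs["tainted"]):
        findings.append("kernel taint flag E: an unsigned module has been loaded")
    findings += preload_findings(inputs["init_environ"], inputs["ld_so_preload"])
    if not banner_consistent(inputs["proc_version"], inputs["uname_release"]):
        findings.append("/proc/version banner does not match uname -r")
    return findings


def _read(path: str, binary: bool = False):
    try:
        with open(path, "rb" if binary else "r") as fh:
            return fh.read()
    except OSError:                                   # absent or not permitted
        return b"" if binary else ""


def read_live() -> dict:
    """Collect the inputs from the running host (efivars and PID 1's environ need root)."""
    return {
        "secureboot": _read(SECUREBOOT_VAR, True), "dbx": _read(DBX_VAR, True),
        "tainted": int(_read("/proc/sys/kernel/tainted") or 0),
        "init_environ": _read("/proc/1/environ", True),
        "ld_so_preload": _read("/etc/ld.so.preload"),
        "proc_version": _read("/proc/version"), "uname_release": os.uname().release,
    }


def _dbx_sample(hashes: list) -> bytes:
    """Constructed dbx variable: NV|BS|RT|TIME_AUTH attributes, one SHA-256 list."""
    owner = uuid.UUID(int=0).bytes_le                 # constructed SignatureOwner
    body = b"".join(owner + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return struct.pack("<I", 0x27) + header + body


# Constructed samples: Secure Boot on, two dbx entries, unsigned-module taint
# set, and an LD_PRELOAD value planted in init's environment.
SAMPLES = {
    "secureboot": struct.pack("<I", 0x6) + b"\x01",
    "dbx": _dbx_sample([bytes([0xAA]) * 32, bytes([0xBB]) * 32]),
    "tainted": 8192,
    "init_environ": b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/tmp/injected-sample.so\0",
    "ld_so_preload": "",
    "proc_version": "Linux version 6.8.0-45-generic (sample@host) (gcc) #45-Ubuntu SMP\n",
    "uname_release": "6.8.0-45-generic",
}

if __name__ == "__main__":
    for line in audit(read_live()) or ["no indicators found"]:
        print(line)
```

Run as root on a Linux host to audit it, or import and call `audit(SAMPLES)` to see the two findings the constructed data produces. A consistent banner and an enforcing Secure Boot variable are necessary but not sufficient: a bootkit that hooks the firmware's authentication protocols can still leave the SecureBoot variable reading 1, which is why the taint, preload and revocation-list checks are kept alongside it.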
Original Source: Read the Full Article Here