ESET researchers have discovered what they describe as the first known Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems.
Dubbed ‘Bootkitty,’ the bootkit, developed by a group operating under the moniker BlackCat, was uploaded to VirusTotal on November 5, 2024. ESET researchers who analyzed the sample confirmed that the bootkit primarily targets certain versions of Ubuntu. Based on ESET's telemetry, the bootkit has not yet been observed in real-world attacks.
The bootkit’s purpose is to disable the kernel’s signature verification feature, a mechanism that ensures the integrity and authenticity of the Linux kernel and is critical to maintaining a secure boot process.
Bootkitty operates by exploiting weaknesses in the Linux boot process. Because it is signed only with a self-signed certificate, it cannot run on systems with UEFI Secure Boot enabled unless the attackers have already installed their own certificate on the machine. It can, however, boot the Linux kernel seamlessly by patching the integrity verification functions in memory before the GRUB bootloader executes.
During the analysis, ESET researchers identified an unsigned kernel module, dubbed BCDropper, which appears to be linked to Bootkitty. This module deploys an ELF binary called BCObserver, which is responsible for loading an additional, as yet unidentified, kernel module. While the evidence suggests a connection between Bootkitty and BCDropper, a definitive link has not been established.
Interestingly, the kernel version associated with Bootkitty (6.8.0-48-generic) is not actually supported by the bootkit, which suggests that it is still in development or narrow in scope.
“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats. Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats,” ESET noted.
The 'Bootkitty' Linux UEFI bootkit leverages the LogoFAIL vulnerability (CVE-2023-40238) to compromise systems with unpatched firmware. LogoFAIL, discovered by firmware security firm Binarly in November 2023, is a collection of flaws in the image-parsing code of UEFI firmware. These flaws allow an attacker to exploit the firmware by planting malicious image or logo files on the EFI System Partition (ESP).
Bootkitty embeds shellcode within BMP files (e.g., 'logofail.bmp' and 'logofail_fake.bmp') to bypass Secure Boot protections, injecting rogue certificates into the MokList variable. Binarly warns that while Bootkitty could potentially impact any device unprotected against LogoFAIL, its current design specifically targets firmware modules in Acer, HP, Fujitsu, and Lenovo devices.
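A defender-side triage heuristic, added here as an example and not taken from ESET's or Binarly's reporting: it parses BMP headers the way a firmware logo parser must and flags files whose declared size, pixel-data bounds or dimensions are inconsistent, which is what a malformed logo planted on the ESP looks like at the file level. The sample images are constructed in the code, and the dimension limit MAX_DIM is an assumed sanity threshold, not a value from either vendor.

```python
import struct
from pathlib import Path

MAX_DIM = 4096  # assumed sanity limit for a boot logo; tune per platform

def make_bmp(width=2, height=2):
    """Build a minimal, well-formed 24-bit BMP (constructed sample data)."""
    row = (width * 3 + 3) & ~3             # rows are padded to 4-byte multiples
    pixels = b"\x00" * (row * height)
    offset = 14 + 40                        # file header + BITMAPINFOHEADER
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels

def check_bmp(data):
    """Return header inconsistencies worth a manual look; [] means consistent."""
    findings = []
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP or header truncated"]
    _, bf_size, _, _, bf_off = struct.unpack_from("<2sIHHI", data, 0)
    bi_size, width, height, _, bpp, comp, _ = struct.unpack_from("<IiiHHII", data, 14)
    if bf_size != len(data):
        findings.append(f"declared file size {bf_size} != actual {len(data)}")
    if bf_off < 14 + bi_size or bf_off > len(data):
        findings.append(f"pixel offset {bf_off} outside header/file bounds")
    dims_ok = 0 < width <= MAX_DIM and 0 < abs(height) <= MAX_DIM
    if not dims_ok:
        findings.append(f"implausible dimensions {width}x{height}")
    if bpp not in (1, 4, 8, 16, 24, 32):
        findings.append(f"unsupported bit depth {bpp}")
    elif comp == 0 and dims_ok:             # uncompressed: pixel size is computable
        expected = ((width * bpp + 31) // 32) * 4 * abs(height)
        trailing = len(data) - (bf_off + expected)
        if trailing < 0:
            findings.append("pixel data extends past end of file")
        elif trailing > 0:
            findings.append(f"{trailing} bytes after pixel data (opaque payload?)")
    else:
        findings.append(f"compressed BMP (type {comp}); review manually")
    return findings

def scan_logos(root):
    """Check every .bmp under root (e.g. a mounted ESP); returns {path: findings}."""
    return {str(p): check_bmp(p.read_bytes())
            for p in Path(root).rglob("*.bmp")}
```

Any non-empty finding list is a reason to compare the file against the OEM's shipped logo, not proof of compromise on its own.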
Update: ESET updated its original article on December 2, 2024 to clarify that Bootkitty appears to be part of a project developed by cybersecurity students in Korea's Best of the Best (BoB) training program, and that a few samples were disclosed ahead of the planned conference presentation.