Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels

Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems.

Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024.

"The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)," ESET researchers Martin Smolár and Peter Strýček said.

The development is significant as it heralds a shift in the cyber threat landscape where UEFI bootkits are no longer confined to Windows systems alone.

It's worth noting that Bootkitty is signed by a self-signed certificate, and therefore cannot be executed on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has been already installed.

Regardless of the UEFI Secure Boot status, the bootkit is mainly engineered to boot the Linux kernel and patch, in memory, the function's response for integrity verification before GNU GRand Unified Bootloader (GRUB) is executed.

Specifically, it proceeds to hook two functions from the UEFI authentication protocols if Secure Boot is enabled in such a way that UEFI integrity checks are bypassed. Subsequently, it also patches three different functions in the legitimate GRUB boot loader to sidestep other integrity verifications.

The Slovakian cybersecurity company said its investigation into the bootkit also led to the discovery of a likely related unsigned kernel module that's capable of deploying an ELF binary dubbed BCDropper that loads another as-yet-unknown kernel module after a system start.

The kernel module, also featuring BlackCat as the author's name, implements other rootkit-related functionalities like hiding files, processes, and opening ports. There is no evidence to suggest a connection to the ALPHV/BlackCat ransomware group at this stage.

"Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," the researchers said, adding "it emphasizes the necessity of being prepared for potential future threats."