Researchers have recently identified what they believe is a groundbreaking piece of malware aimed at infecting the boot process of Linux systems. Known as “Bootkitty,” this proof-of-concept code was developed by students in Korea as part of a cybersecurity training program. Despite being a work in progress, the bootkit is fully functional and even includes an exploit for one of the LogoFAIL vulnerabilities in the Unified Extensible Firmware Interface (UEFI) ecosystem, which Binarly Research uncovered in November 2023.
Operating at the firmware level, bootkits execute before the operating system fully loads, which lets them circumvent the Secure Boot process designed to protect systems from malicious software during startup. This type of malware can persist through system reboots, OS reinstallation, and even hardware replacements such as swapping the hard drive.
A recent analysis of Bootkitty by ESET discovered that this is the first UEFI bootkit for Linux ever encountered. This is a significant development as bootkits have historically been specific to Windows, with notable examples such as BlackLotus and FinSpy. The main objective of Bootkitty is to disable kernel signature verification and preload two unknown ELF binaries through the Linux init process.
Further analysis by Binarly revealed that Bootkitty contains an exploit for CVE-2023-40238, one of the LogoFAIL vulnerabilities in UEFI discovered last year. This exploit uses shellcode embedded in bitmap image (BMP) files to bypass Secure Boot and gain the trust of the OS, leaving Linux systems from various vendors vulnerable. While Bootkitty is currently considered a proof-of-concept rather than an active threat, it represents a significant shift as attackers expand bootkit attacks beyond the Windows environment.
The UEFI ecosystem has increasingly become a target for cybercriminals due to the ability of malware operating at this level to remain virtually undetectable on compromised systems. The emergence of BlackLotus, the first malware to bypass Secure Boot protections on fully patched Windows systems, heightened concerns over UEFI security. This highlighted vulnerabilities such as CVE-2022-2189 and CVE-2023-24932, prompting calls from authorities like the US Cybersecurity and Infrastructure Security Agency (CISA) for enhanced UEFI protections.
ESET’s analysis found that Bootkitty has functionalities to modify functions that verify the integrity of the GRUB bootloader during startup on Linux devices. However, these specific functions are limited to a small number of devices, indicating that the malware is more of a proof-of-concept rather than an immediate threat. Interestingly, the code also contains unused artifacts, including functions for printing ASCII art and text during execution.
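Because Bootkitty's stated goals are to get past Secure Boot and switch off kernel signature verification, a defender's first question on a Linux host is whether those controls are still in force. The following audit script is an added example written for this article, not code from ESET, Binarly or the Bootkitty authors; it reads the standard efivarfs SecureBoot variable, the kernel lockdown mode and the module signature-enforcement flag, and the `root` parameter (assumed, for testing against a constructed directory tree) defaults to the live filesystem.

```python
"""Audit the boot-integrity controls a Linux bootkit would need to defeat."""
from pathlib import Path

# Real sysfs/efivarfs locations; the GUID is the EFI global variable GUID.
SECUREBOOT_VAR = "sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
LOCKDOWN_FILE = "sys/kernel/security/lockdown"
SIG_ENFORCE_FILE = "sys/module/module/parameters/sig_enforce"


def parse_secureboot_efivar(data: bytes):
    """efivarfs prefixes variable data with a 4-byte attribute word;
    the SecureBoot value itself is one byte (1 = enforcing)."""
    if len(data) < 5:
        return None  # truncated or malformed variable: report, do not guess
    return data[4] == 1


def parse_lockdown(text: str) -> str:
    """The lockdown file lists modes with the active one in brackets,
    e.g. 'none [integrity] confidentiality'."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return "unknown"


def parse_sig_enforce(text: str) -> bool:
    """sig_enforce is 'Y' when unsigned kernel modules are refused."""
    return text.strip().upper() == "Y"


def audit_boot_integrity(root: str = "/") -> dict:
    """Collect the three indicators and flag any state in which an unsigned
    kernel or module could load. Missing files are reported as None/unknown."""
    base = Path(root)
    findings = {}
    sb = base / SECUREBOOT_VAR
    findings["secure_boot"] = parse_secureboot_efivar(sb.read_bytes()) if sb.exists() else None
    ld = base / LOCKDOWN_FILE
    findings["lockdown"] = parse_lockdown(ld.read_text()) if ld.exists() else "unknown"
    se = base / SIG_ENFORCE_FILE
    findings["module_sig_enforce"] = parse_sig_enforce(se.read_text()) if se.exists() else None
    # Conservative: anything other than "enforcing on all three" is worth a look.
    findings["weak"] = (
        findings["secure_boot"] is not True
        or findings["lockdown"] == "none"
        or findings["module_sig_enforce"] is not True
    )
    return findings


if __name__ == "__main__":
    for key, value in audit_boot_integrity().items():
        print(f"{key}: {value}")
```

A "weak" result is a prompt to compare the ESP contents and GRUB binaries against known-good copies, since a bootkit that has already run can also lie about these values from inside the kernel.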
The developers of Bootkitty, a group of Korean students, shared their creation with ESET to raise awareness about the potential for bootkits affecting Linux systems. The students initially intended to disclose details about the malware in a future conference presentation, but some samples ended up on VirusTotal prematurely.
In conclusion, the discovery of Bootkitty underscores the evolving landscape of cyber threats targeting operating system bootloaders and emphasizes the need for improved security measures to counter such malicious activities. As the cybersecurity community continues to adapt to emerging threats like UEFI bootkits, collaborative efforts between researchers, developers, and authorities are essential to safeguarding systems against sophisticated attacks.