
Analyzing the first UEFI bootkit for Linux

The evolution of the UEFI threat landscape, specifically related to UEFI bootkits, has witnessed significant developments over the past few years. It all began with the unveiling of the first UEFI bootkit proof of concept (PoC) by Andrea Allievi in 2012, demonstrating the deployment of bootkits on modern UEFI-based Windows systems. Subsequently, several other PoCs emerged, such as EfiGuard, Boot Backdoor, and UEFI-bootkit. The emergence of the first real UEFI bootkits in the wild, including ESPecter and FinSpy bootkit, further highlighted the evolving threat landscape. However, it was not until the arrival of BlackLotus in 2023, the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems, that the landscape witnessed a significant shift.

A common trend observed among these known bootkits was their exclusive focus on Windows systems. This trend took a surprising turn with the recent discovery of the first UEFI bootkit designed specifically for Linux systems, named Bootkitty. While Bootkitty is currently deemed a proof of concept and has not been detected in the wild based on telemetry data, its existence serves as a stark reminder that UEFI bootkits are no longer limited to Windows platforms.

The primary objective of Bootkitty is to disable the kernel’s signature verification feature and preload two undisclosed ELF binaries through the Linux init process. Furthermore, during the analysis of Bootkitty, a related unsigned kernel module named BCDropper was identified, hinting at a potential connection to the same author(s) responsible for the bootkit. BCDropper deploys an ELF binary that loads an additional unknown kernel module, adding further complexity to the threat.

In November 2024, a previously unknown UEFI application named bootkit.efi was uploaded to VirusTotal; analysis confirmed it to be a UEFI bootkit explicitly targeting Linux systems, specifically a few Ubuntu versions. Bootkitty is signed with a self-signed certificate and is therefore incapable of running on systems with UEFI Secure Boot enabled unless the attacker’s certificates have been installed. Notably, Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, by patching crucial functions responsible for integrity verification before GRUB is executed.
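Because Bootkitty’s self-signed certificate only passes Secure Boot once an attacker’s certificate has been enrolled, one defender-side check is to inventory the certificates held in the UEFI `db` variable. The following is an added example, not code from the original report: it parses the standard EFI_SIGNATURE_LIST format that `db` is made of and flags X.509 entries absent from an allowlist, using a constructed sample `db` with placeholder certificate bytes (not real DER certificates).

```python
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # X.509 cert entry
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # SHA-256 hash entry

def parse_signature_lists(data: bytes) -> list:
    """(sig_type, owner, sig_data) for each entry in a chain of EFI_SIGNATURE_LIST
    structures, i.e. the 'db' payload (on Linux, the efivars file
    db-d719b2cb-3d3a-4596-a3bc-dad00e67656f minus its 4 leading attribute bytes)."""
    entries, off = [], 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:  # each entry: SignatureOwner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, sigs) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (all sigs must have equal length)."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    hdr = struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0]))
    return sig_type.bytes_le + hdr + body

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def unexpected_x509_fingerprints(db: bytes, allowlist: set) -> list:
    """SHA-256 fingerprints of X.509 db entries that are not on the allowlist."""
    return [fingerprint(d) for t, _o, d in parse_signature_lists(db)
            if t == EFI_CERT_X509_GUID and fingerprint(d) not in allowlist]

# Constructed sample db: placeholder DER bytes, not real certificates.
VENDOR_CERT = b"\x30\x82" + b"vendor-cert-placeholder".ljust(40, b"\x00")
ROGUE_CERT = b"\x30\x82" + b"rogue-cert-placeholder".ljust(40, b"\x00")
OWNER = uuid.UUID(int=1)
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [VENDOR_CERT])
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [ROGUE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32]))
ALLOWLIST = {fingerprint(VENDOR_CERT)}
```

On a real host the allowlist should hold the fingerprints of the firmware vendor’s and OS vendor’s certificates, and shim’s Machine Owner Key list, which is a separate store consulted before the kernel loads, should be inventoried the same way.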

The technical analysis of Bootkitty delves deeper into its execution process, highlighting key areas such as initialization, GRUB hooking, patching of the Linux kernel’s EFI stub loader, and patching of the decompressed Linux kernel image. The impact of Bootkitty on systems, the associated indicators of compromise (IoCs), and the MITRE ATT&CK techniques employed shed light on the complexity and potential ramifications of this evolving threat.

In conclusion, Bootkitty represents a significant advancement in the UEFI threat landscape, underscoring the need for enhanced security measures to safeguard Linux systems against emerging threats. The detailed analysis provided in this report aims to raise awareness about the evolving tactics employed by threat actors and the importance of proactive defense mechanisms to mitigate risks associated with UEFI bootkits targeting Linux platforms.
