First-ever UEFI bootkit for Linux in the works, experts say

Bootkitty doesn’t bite… yet


Security researchers say they've stumbled upon the first-ever UEFI bootkit targeting Linux, illustrating a key moment in the evolution of such tools.

Dubbed "Bootkitty" by Slovak security shop ESET, the first sample of the bootkit was detected on malware encyclopedia VirusTotal earlier this month.

The researchers, Martin Smolár and Peter Strýček, say it appears to only target a limited number of Ubuntu releases and there are signs it's only a proof of concept at the moment. It's not thought to be under active development or in wider use by any sophisticated offensive operators right now.

That said, the finding suggests work is being done to target a broader set of potential targets and dispels the previous thinking that UEFI bootkits are designed for Windows systems only.

The last major evolution in the bootkit realm was arguably BlackLotus and the finding that it can bypass Secure Boot.

ESET was again the source of this discovery in 2023, with Smolár confirming after a year of digging into the $5,000 bootkit that it made good on its adverts and does indeed bypass Windows 11 Secure Boot.

Bootkitty, however, is not that advanced just yet. It can't run on Linux systems with Secure Boot enabled: the bootkit is signed with a self-signed certificate, so to run on a Secure Boot-protected system the attackers' certificate would already have to be installed in the firmware's trust store.
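A defender's check that follows from this condition: enumerate the X.509 signers actually enrolled in the firmware's `db` variable so that an unexpected certificate stands out. This is an added example, not ESET's or Bootkitty's code; it assumes Linux with efivarfs mounted at /sys/firmware/efi/efivars, and the sample signature list it builds is constructed for illustration.

```python
import hashlib
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # owns SecureBoot
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3e70-4b21-bd6b-6c5afc8d1c5e"  # owns db/dbx
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")       # constructed, sample data only

def fingerprint(cert):
    return hashlib.sha256(cert).hexdigest()

def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structs; return (owner GUID, sha256) per X.509 entry."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:          # each entry: 16-byte SignatureOwner + SignatureData
            if sig_type == EFI_CERT_X509:
                entries.append((str(uuid.UUID(bytes_le=data[pos:pos + 16])), fingerprint(data[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def build_signature_list(cert, owner=SAMPLE_OWNER):
    """Construct a one-entry X.509 list (constructed test data; a real db carries DER certificates)."""
    sig = owner.bytes_le + cert
    return EFI_CERT_X509.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

def read_efivar(name, guid):
    """Read a UEFI variable through efivarfs; the first 4 bytes are attributes, not data."""
    path = os.path.join(EFIVARS, "%s-%s" % (name, guid))
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return f.read()[4:]

def audit_db(expected_fingerprints, db_blob=None):
    """Return enrolled X.509 signers whose fingerprint is not in the expected set (None if no db)."""
    if db_blob is None:
        db_blob = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE)
    if db_blob is None:
        return None
    return [e for e in parse_signature_lists(db_blob) if e[1] not in expected_fingerprints]
```

On a live system, `read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE)` returns `b"\x01"` when Secure Boot is enabled, and `audit_db({...})` with the fingerprints of the certificates you expect (typically the OEM and Microsoft UEFI CA entries) lists anything else that has been enrolled.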

ESET's analysis found that Bootkitty hooks various functions to ensure the firmware doesn't verify or check its authentication status, and patches the decompressed kernel image.

Smolár and Strýček said the manner in which it patches the decompressed kernel image was a significant limitation of the bootkit in its current form. 

How so? The developers used unsophisticated hardcoded byte patterns to locate the kernel functions the bootkit aims to modify, so it works on only a few Ubuntu releases. Those patterns could feasibly be tweaked to cover additional kernel or GRand Unified Bootloader (GRUB) versions, though.

The researchers reckoned the same brittle byte patterns also meant the bootkit often crashed the system instead of achieving the full compromise that was presumably intended.

Bootkitty's main functionality, right now, is to load ELF binaries that may be malicious, and potentially a dropper that might have been developed by the same person or people behind Bootkitty itself, though the researchers aren't sure.

A separate analysis carried out by a malware developer and reverse engineer who uses the humzak711 alias indicated that the binaries were used to load new stages of the bootkit. 

It also concluded that Bootkitty is highly modular and in its current stage of development, many components were merely placeholders, suggesting it is very much in its infancy and that more capabilities are coming with time.

The researchers dubbed the tool Bootkitty based on printed strings discovered during its execution. For one, ASCII art is displayed showing the word "Bootkitty," and the phrase "Bootkitty's bootkit" appears in subsequent printed strings too.

Also printed are the names of the supposed creators and others who assisted them in the development, although Smolár and Strýček couldn't track down any significant histories for any of them.

Additionally, Bootkitty references "BlackCat" a number of times, both during the initial printed strings upon execution ("Developed by BlackCat") and at various points in a loadable kernel module – the aforementioned dropper – loosely suggesting that the kernel module and Bootkitty itself were developed by the same people.

What it doesn't suggest, the researchers believe, is that there is a link between the developers of Bootkitty and the former ransomware crew ALPHV/BlackCat.

Not only is the bootkit not ransomware, but it's also written in C, while the ransomware that scythed Change Healthcare and many others before it was written in Rust.

"Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," said the researchers. 

"Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats."
