Cybersecurity researchers have unveiled the first Unified Extensible Firmware Interface (UEFI) bootkit designed specifically for Linux systems. Named “Bootkitty” by its creators, BlackCat, this bootkit is a proof-of-concept (PoC) and has not yet been detected in real-world attacks.
Key Findings:
• Bootkit Goal: The primary purpose of Bootkitty is to disable the kernel’s signature verification feature and preload two unknown ELF binaries via the Linux init process.
• PoC Status: Uploaded to VirusTotal on November 5, 2024, Bootkitty has not been seen in active attacks but represents a significant development in the cyber threat landscape.
Technical Details:
• Certificate: Bootkitty is signed with a self-signed certificate, rendering it ineffective on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate is pre-installed.
• Functionality: The bootkit is designed to boot the Linux kernel and patch integrity verification functions in memory before executing the GNU GRand Unified Bootloader (GRUB).
• UEFI Authentication Bypass: If Secure Boot is enabled, Bootkitty hooks functions from UEFI authentication protocols to bypass integrity checks and patches functions in GRUB to evade further verifications.
• Malware Loading: Bootkitty interferes with the Linux kernel’s decompression process and modifies the LD_PRELOAD environment variable to load unknown ELF shared objects during the init process.
Additional Discoveries:
• BCDropper: Researchers also found an unsigned kernel module named BCDropper, capable of deploying an ELF binary called BCObserver, which loads another unknown kernel module after system start.
• Rootkit Functionality: This kernel module, attributed to BlackCat, includes features such as hiding files and processes and opening ports, although no link to the ALPHV/BlackCat ransomware group has been established.
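The behaviours described above leave three host-visible traces a defender can check: the UEFI Secure Boot state, a kernel taint flag for modules loaded without a valid signature (the BCDropper case), and an LD_PRELOAD value in the environment of PID 1. The POSIX shell script below is an added example, not the researchers' tooling; it assumes a Linux host with /proc and efivarfs mounted at /sys/firmware/efi/efivars, and each check takes its input as an argument so it can also run against constructed data.

```shell
#!/bin/sh
# Added host-triage checks (not ESET's or the researchers' code).
# Assumes Linux with /proc and efivarfs at /sys/firmware/efi/efivars.

# Decode the kernel taint bitmask (/proc/sys/kernel/tainted):
# bit 12 (4096) = out-of-tree module loaded,
# bit 13 (8192) = module loaded without a valid signature.
# Bit 13 set on a host that only ships signed modules is the kind
# of state an unsigned dropper module would leave behind.
taint_flags() {
  t="$1"; out=""
  [ $((t & 4096)) -ne 0 ] && out="${out}out-of-tree-module "
  [ $((t & 8192)) -ne 0 ] && out="${out}unsigned-module "
  printf '%s' "${out% }"
}

# Print the LD_PRELOAD value from a NUL-separated environ file
# (e.g. /proc/1/environ); prints nothing if it is unset.
preload_from_environ() {
  tr '\0' '\n' < "$1" | sed -n 's/^LD_PRELOAD=//p'
}

# Read the UEFI SecureBoot variable: efivarfs prefixes 4 bytes of
# attributes, then one byte holding 0 (disabled) or 1 (enabled).
secureboot_state() {
  if [ ! -r "$1" ]; then printf 'unknown'; return; fi
  case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
    1) printf 'enabled' ;;
    0) printf 'disabled' ;;
    *) printf 'unknown' ;;
  esac
}

# Live run against the local host: sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
  sb=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
  echo "secure boot:      $(secureboot_state "$sb")"
  echo "taint flags:      $(taint_flags "$(cat /proc/sys/kernel/tainted)")"
  echo "pid 1 LD_PRELOAD: $(preload_from_environ /proc/1/environ)"
  [ -s /etc/ld.so.preload ] && echo "/etc/ld.so.preload: $(cat /etc/ld.so.preload)"
fi
```

A non-empty LD_PRELOAD on PID 1 or the unsigned-module taint flag is not proof of compromise on its own, but either one on a host that should have neither is worth a closer look.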