Researchers Discover “Bootkitty” – First UEFI Bootkit Targeting Linux Kernels


Cybersecurity researchers have identified the first Unified Extensible Firmware Interface (UEFI) bootkit written specifically for Linux systems. Named “Bootkitty” by its creators, BlackCat, the bootkit is a proof-of-concept (PoC) and has not yet been observed in real-world attacks.

Key Findings:
• Bootkit Goal: The primary purpose of Bootkitty is to disable the kernel’s signature verification feature and preload two unknown ELF binaries via the Linux init process.
• PoC Status: Uploaded to VirusTotal on November 5, 2024, Bootkitty has not been seen in active attacks, but it marks a significant development in the threat landscape.

Technical Details:
• Certificate: Bootkitty is signed with a self-signed certificate, so it cannot run on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has already been installed.
• Functionality: The bootkit boots the Linux kernel and patches its integrity verification functions in memory before handing over to the GNU GRand Unified Bootloader (GRUB).
• UEFI Authentication Bypass: If Secure Boot is enabled, Bootkitty hooks functions of the UEFI authentication protocols to bypass integrity checks, and patches functions in GRUB to evade further verification.
• Malware Loading: Bootkitty interferes with the Linux kernel’s decompression process and modifies the LD_PRELOAD environment variable so that unknown ELF shared objects are loaded during the init process.

Additional Discoveries:
• BCDropper: Researchers also found an unsigned kernel module named BCDropper, capable of deploying an ELF binary called BCObserver, which loads another unknown kernel module after system start.
• Rootkit Functionality: This kernel module, attributed to BlackCat, includes features such as hiding files and processes and opening ports, although no link to the ALPHV/BlackCat ransomware group has been established.
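The three indicator classes described above (Secure Boot state, an LD_PRELOAD injected into the init process, and an unsigned or out-of-tree kernel module) can be triaged from a running host. The script below is an added example, not code from the researchers or from Bootkitty; it assumes the standard efivarfs, /proc and /etc paths, and its parsers take raw file contents so they can be exercised offline.

```python
"""Host triage for Bootkitty-style indicators (added example, not the original report's code)."""
from pathlib import Path

# Assumed standard locations; SecureBoot's vendor GUID is the EFI global variable GUID.
SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
TAINT_OOT_MODULE = 1 << 12       # kernel taint flag 'O': out-of-tree module loaded
TAINT_UNSIGNED_MODULE = 1 << 13  # kernel taint flag 'E': unsigned module loaded


def parse_secureboot(raw):
    """efivars files carry a 4-byte attribute header; the data byte follows it."""
    if raw is None:
        return "unknown (no efivars: legacy boot or efivarfs not mounted)"
    if len(raw) < 5:
        return "unknown (malformed variable)"
    return "enabled" if raw[4] == 1 else "disabled"


def preload_findings(environ, ld_so_preload):
    """Flag LD_PRELOAD in PID 1's NUL-separated environment or libraries in /etc/ld.so.preload."""
    findings = []
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            findings.append("PID 1 has " + entry.decode(errors="replace"))
    libs = [l.strip() for l in ld_so_preload.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    if libs:
        findings.append("/etc/ld.so.preload lists: " + ", ".join(libs))
    return findings


def taint_findings(tainted):
    """Report module-related taint bits. Caveat: a bootkit that disables kernel
    signature verification may prevent these bits from ever being set."""
    findings = []
    if tainted & TAINT_UNSIGNED_MODULE:
        findings.append("kernel taint E: an unsigned module has been loaded")
    if tainted & TAINT_OOT_MODULE:
        findings.append("kernel taint O: an out-of-tree module has been loaded")
    return findings


def _read(path, text=False):
    try:
        return Path(path).read_text() if text else Path(path).read_bytes()
    except OSError:
        return None


if __name__ == "__main__":
    print("Secure Boot:", parse_secureboot(_read(SECUREBOOT_VAR)))
    taint = int((_read("/proc/sys/kernel/tainted", text=True) or "0").strip())
    for f in preload_findings(_read("/proc/1/environ") or b"",
                              _read("/etc/ld.so.preload", text=True) or "") + taint_findings(taint):
        print("FINDING:", f)
```

Because a bootkit runs before the kernel, anything read from the live system can in principle be falsified; treat a clean result as triage input, not proof, and verify firmware-level state (Secure Boot, enrolled certificates) from a trusted environment where possible.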
