
ESET Flags Prototype UEFI Bootkit Targeting Linux

ESET warns of a new reality: “UEFI bootkits are no longer confined to Windows systems alone.”


Malware hunters at ESET on Wednesday documented the discovery of a prototype UEFI bootkit targeting specific Ubuntu Linux configurations, signaling a shift as hackers expand bootkit attacks beyond the Windows operating system.

ESET notes that the bootkit, named Bootkitty, represents an initial proof-of-concept rather than an active threat, but warns of a new reality: “UEFI bootkits are no longer confined to Windows systems alone.”

In a research paper written by researchers Martin Smolár and Peter Strýček, ESET said Bootkitty is designed to disable kernel signature verification for the Linux kernel and its modules. It also patches key processes, including the GRUB bootloader and kernel decompression routines.

The bootkit, spotted when a previously unknown UEFI application, “bootkit.efi,” was uploaded to VirusTotal in November 2024, is designed to modify the Linux kernel to allow unsigned kernel modules to load, bypassing protections like UEFI Secure Boot.

ESET said numerous artifacts, including unused functions and hardcoded offsets, suggest Bootkitty is still in development and not yet deployed by active threat actors.

“The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup),” the researchers said.
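The condition Bootkitty aims to create, unsigned kernel modules loading on a machine that reports Secure Boot as enabled, is something a defender can check for from the running host. The script below is an added example, not code from ESET or from this article; it reads the standard procfs/sysfs locations (the kernel taint value, the module sig_enforce parameter and the SecureBoot EFI variable) and flags inconsistencies between them. A kernel that has been patched in memory may not report honestly, so treat this as a first pass to be corroborated by inspecting the EFI System Partition offline.

```python
"""First-pass check for unsigned-module loading on a Secure Boot Linux host.

Added example, not from the ESET report or the article. Paths are the
standard Linux procfs/sysfs/efivarfs locations; finding codes are our own.
"""
from pathlib import Path

# Taint bit positions from Documentation/admin-guide/tainted-kernels.rst
TAINT_FLAGS = {
    0: "P", 1: "F", 2: "S", 3: "R", 4: "M", 5: "B", 6: "U", 7: "D", 8: "A",
    9: "W", 10: "C", 11: "I", 12: "O", 13: "E", 14: "L", 15: "K", 16: "X", 17: "T",
}
# EFI_GLOBAL_VARIABLE GUID; efivarfs prefixes 4 attribute bytes to the data
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SIG_ENFORCE = "/sys/module/module/parameters/sig_enforce"
TAINTED = "/proc/sys/kernel/tainted"

MESSAGES = {
    "TAINT_E": "an unsigned kernel module has been loaded (taint flag E)",
    "TAINT_O": "an out-of-tree kernel module has been loaded (taint flag O)",
    "SIG_ENFORCE_OFF": "kernel is not enforcing module signatures",
    "SB_ON_SIG_OFF": "Secure Boot is on but module signatures are not enforced: "
                     "the boot chain may have been tampered with",
}

def decode_taint(value: int) -> list[str]:
    """Return the letter codes of every taint bit set in value."""
    return [code for bit, code in sorted(TAINT_FLAGS.items()) if value >> bit & 1]

def assess(taint: int, sig_enforce: str, secure_boot: bool) -> list[str]:
    """Turn the raw readings into finding codes (empty list means clean)."""
    flags = decode_taint(taint)
    findings = [f"TAINT_{c}" for c in ("E", "O") if c in flags]
    if sig_enforce.strip() != "Y":
        findings.append("SIG_ENFORCE_OFF")
        if secure_boot:
            # Secure Boot normally implies signature enforcement on Ubuntu;
            # the mismatch is the signal worth investigating.
            findings.append("SB_ON_SIG_OFF")
    return findings

def check_host() -> list[str]:
    """Read the live host; a missing sysfs file means the feature is absent."""
    taint = int(Path(TAINTED).read_text())
    sig = Path(SIG_ENFORCE).read_text() if Path(SIG_ENFORCE).exists() else "N"
    sb_path = Path(SECUREBOOT_VAR)
    secure_boot = sb_path.exists() and sb_path.read_bytes()[-1] == 1
    return assess(taint, sig, secure_boot)

if __name__ == "__main__":
    for code in check_host():
        print(MESSAGES[code])
```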


During the investigation, the ESET team discovered a possibly related unsigned kernel module – with signs suggesting that it could have been developed by the same author(s) as the bootkit – that deploys an ELF binary responsible for loading yet another kernel module.

ESET said the related kernel module, named BCDropper, exhibits rootkit-like behavior, including file and process hiding and the deployment of a secondary payload that facilitates the loading of an additional unsigned kernel module at runtime.

The researchers note that the exact relationship between BCDropper and Bootkitty remains speculative, but they flagged signs of shared development that suggest a connection.

Over the years, UEFI bootkits have appeared in the wild, mostly targeting the Windows ecosystem. These include ESPecter, FinSpy and, more recently, BlackLotus, the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems.

Last July, the source code for BlackLotus was shared publicly on GitHub, albeit with several modifications compared to the original malware. Designed specifically for Windows, the bootkit emerged on hacker forums in October last year, being advertised with APT-level capabilities such as secure boot and user access control (UAC) bypass and the ability to disable security applications and defense mechanisms on victim systems.

After the discovery, Microsoft released resources to help threat hunters identify BlackLotus infections. The US National Security Agency (NSA) also published guidance to help organizations harden their systems against the threat.

UPDATE – Dec 2, 2024: SecurityWeek has learned that this bootkit is linked to a South Korean university project and contains an exploit for the LogoFAIL set of vulnerabilities.

Related: BlackLotus UEFI Bootkit Source Code Leaked on GitHub

Related: FinSpy Surveillance Spyware Fitted With UEFI Bootkit

Related: BlackLotus Bootkit Can Hit Fully Patched Windows 11 Systems

Related: Binarly Attracts $10.5M to Tackle Software Supply Chain Security

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
