ESET Flags Prototype UEFI Bootkit Targeting Linux

ESET warns of a new reality: “UEFI bootkits are no longer confined to Windows systems alone.”


Malware hunters at ESET on Wednesday documented the discovery of a prototype UEFI bootkit targeting specific Ubuntu Linux configurations, signaling a shift as hackers expand bootkit attacks beyond the Windows operating system.

Named Bootkitty, the bootkit represents an initial proof of concept rather than an active threat, ESET notes, but the company warns of a new reality: “UEFI bootkits are no longer confined to Windows systems alone.”

In a research paper by Martin Smolár and Peter Strýček, ESET said Bootkitty is designed to disable signature verification for the Linux kernel and its modules. To get there it patches key boot-stage code, including GRUB bootloader functions and the kernel's decompression routine.

The bootkit came to light when a previously unknown UEFI application, “bootkit.efi,” was uploaded to VirusTotal in November 2024. It modifies the Linux kernel as it is loaded so that unsigned kernel modules can be loaded, undermining the chain of trust that UEFI Secure Boot is meant to protect.

ESET said numerous artifacts, including unused functions and hardcoded offsets, suggest Bootkitty is still in development and not yet deployed by active threat actors.

“The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup),” the researchers said.

During the investigation, the ESET team also discovered a possibly related unsigned kernel module, with signs suggesting it could have been developed by the same author(s) as the bootkit, that deploys an ELF binary responsible for loading yet another kernel module.

ESET said the related kernel module, named BCDropper, exhibits rootkit-like behavior, including file and process hiding and the deployment of a secondary payload that loads an additional unsigned kernel module at runtime.


However, the researchers note that the exact relationship between BCDropper and Bootkitty remains speculative, while flagging signs of shared development that suggest a connection.
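The end state Bootkitty works toward, and that BCDropper relies on, is a Linux host that accepts unsigned kernel modules: kernel signature verification neutered, no lockdown, and nothing in the boot chain objecting. The script below is an added example for this article, not ESET's tooling and not derived from the samples; it reads the standard kernel interfaces for those settings (the kernel taint bitmask, module.sig_enforce, the lockdown LSM state, the SecureBoot EFI variable and the per-module taint files under /sys/module) and turns any weak setting into a finding. The finding wording and the choice of what counts as weak are this example's own. One caveat a practitioner should keep in mind: a kernel whose module_sig_check() has already been patched in memory can report whatever it likes here, so a clean result is hygiene, not proof of absence.

```python
"""Host-side triage for the conditions a Linux UEFI bootkit such as Bootkitty
sets out to create: kernel module signature enforcement disabled, kernel
lockdown off, UEFI Secure Boot off, and unsigned modules loaded at runtime.

Illustrative code added to this article; it is not ESET's tooling and is not
derived from the Bootkitty or BCDropper samples. A kernel patched in memory can
lie to every check below, so a clean result is hygiene, not proof of absence.
"""
from pathlib import Path
from typing import Dict, List, Optional

# Taint bit -> flag letter, in bit order, per Documentation/admin-guide/tainted-kernels.rst.
TAINT_LETTERS = "PFSRMBUDAWCIOELKXTN"
TAINT_UNSIGNED_MODULE = 13  # bit 13, letter 'E': an unsigned module has been loaded

# Standard kernel interfaces read by collect_live().
TAINTED = Path("/proc/sys/kernel/tainted")
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")
LOCKDOWN = Path("/sys/kernel/security/lockdown")
SYS_MODULE = Path("/sys/module")
SECUREBOOT_EFIVAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")


def parse_taint(value: int) -> List[str]:
    """Expand the kernel 'tainted' bitmask into flag letters, lowest bit first."""
    return [TAINT_LETTERS[bit] for bit in range(len(TAINT_LETTERS)) if value & (1 << bit)]


def unsigned_module_loaded(value: int) -> bool:
    """True if taint bit E is set: a module was loaded without a valid signature."""
    return bool(value & (1 << TAINT_UNSIGNED_MODULE))


def parse_secureboot_efivar(raw: bytes) -> Optional[bool]:
    """efivarfs prefixes 4 attribute bytes; byte 4 is the SecureBoot value (1 = on)."""
    if len(raw) < 5:
        return None  # variable absent or truncated: legacy BIOS boot or no efivarfs
    return raw[4] == 1


def sig_enforce_active(text: str) -> bool:
    """module.sig_enforce reports 'Y' when unsigned modules are refused outright."""
    return text.strip() == "Y"


def parse_lockdown(text: str) -> str:
    """The active mode is the bracketed token, e.g. '[none] integrity confidentiality'."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return "unknown"


def unsigned_modules(taint_by_module: Dict[str, str]) -> List[str]:
    """Names of loaded modules whose per-module taint (/sys/module/<name>/taint) has 'E'."""
    return sorted(name for name, flags in taint_by_module.items() if "E" in flags)


def assess(taint_value: int, sig_enforce_text: str, lockdown_text: str,
           secureboot_raw: bytes, taint_by_module: Dict[str, str]) -> dict:
    """Combine the raw readings into a verdict; each weak setting becomes one finding."""
    secure_boot = parse_secureboot_efivar(secureboot_raw)
    lockdown = parse_lockdown(lockdown_text)
    unsigned = unsigned_modules(taint_by_module)
    findings: List[str] = []
    if secure_boot is not True:
        findings.append("UEFI Secure Boot is off or unreported: an unsigned bootloader or kernel would run")
    if not sig_enforce_active(sig_enforce_text):
        findings.append("module.sig_enforce is not Y: unsigned kernel modules are accepted")
    if lockdown not in ("integrity", "confidentiality"):
        findings.append(f"kernel lockdown is '{lockdown}': the running kernel can be modified from userspace")
    if unsigned_module_loaded(taint_value):
        findings.append("taint flag E set: an unsigned module has been loaded since boot")
    if unsigned:
        findings.append("unsigned modules currently loaded: " + ", ".join(unsigned))
    return {
        "secure_boot": secure_boot,
        "sig_enforce": sig_enforce_active(sig_enforce_text),
        "lockdown": lockdown,
        "taint_flags": parse_taint(taint_value),
        "unsigned_modules": unsigned,
        "findings": findings,
    }


def _read_text(path: Path, default: str = "") -> str:
    try:
        return path.read_text()
    except OSError:
        return default


def collect_live() -> dict:
    """Read the live host; falls back to weak-looking defaults where an interface is absent."""
    per_module = ({p.name: _read_text(p / "taint") for p in SYS_MODULE.iterdir()}
                  if SYS_MODULE.is_dir() else {})
    try:
        sb_raw = SECUREBOOT_EFIVAR.read_bytes()
    except OSError:
        sb_raw = b""
    return assess(int(_read_text(TAINTED, "0").strip() or "0"), _read_text(SIG_ENFORCE, "N"),
                  _read_text(LOCKDOWN, "[unknown]"), sb_raw, per_module)


if __name__ == "__main__":
    for finding in collect_live()["findings"] or ["no weak settings found (see caveat in docstring)"]:
        print(finding)
```

Run it unprivileged on an Ubuntu host and compare the Secure Boot line with `mokutil --sb-state`; a disagreement between the two, or a machine that boots with `sig_enforce` reading Y but still shows taint flag E, is worth a closer look at the ESP and the loaded module list.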

Over the years, UEFI bootkits have appeared in the wild, mostly targeting the Windows ecosystem. These include ESPecter, FinSpy and, more recently, BlackLotus, the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems.

Designed specifically for Windows, BlackLotus emerged on hacker forums in October 2022, advertised with APT-level capabilities such as Secure Boot and User Account Control (UAC) bypass and the ability to disable security applications and defense mechanisms on victim systems. In July 2023 its source code was shared publicly on GitHub, albeit with several modifications compared to the original malware.

After BlackLotus was exposed, Microsoft released hunting guidance to help defenders identify infections. The US National Security Agency (NSA) also published guidance to help organizations harden their systems against the threat.

UPDATE – Dec 2, 2024: SecurityWeek has learned that this bootkit is linked to a South Korean university project and contains an exploit for the LogoFAIL set of vulnerabilities.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
