The discovery of a prototype UEFI bootkit targeting specific Ubuntu Linux setups has deepened with revelations linking its creation to a South Korean university project and the integration of a LogoFAIL exploit to bypass Secure Boot verifications.
According to SecurityWeek sources, Bootkitty is a research project from South Korea’s BoB (“Best of the Best”) academic program that provides training to cybersecurity talent.
The BoB program is part of the Korea Information Technology Research Institute (KITRI) and is affiliated with the country’s Ministry of Trade, Industry and Energy.
The bootkit, discovered by ESET after samples were uploaded to VirusTotal, was created by the university researchers to demonstrate real-world security risks below the operating system. The university could not be reached for comment.
Separately, firmware security experts at Binarly discovered an exploit for the LogoFAIL series of vulnerabilities integrated into the Bootkitty code to bypass Secure Boot protections.
Binarly said the bootkit exploits CVE-2023-40238, a vulnerability tied to Binarly’s original LogoFAIL findings from last December.
“By leveraging flaws in image parsing during system boot, attackers have developed a sophisticated mechanism to bypass Secure Boot protection,” the Los Angeles company explained.
Specifically, Bootkitty uses a manipulated BMP file named logofail.bmp to execute malicious shellcode and inject rogue certificates into UEFI variables, effectively ensuring the malware is trusted during the boot process.
Binarly documented the exploit to show how a tampered BMP file (logofail.bmp) was designed to embed malicious shellcode that targets UEFI firmware’s image parsing routines.
The company said the exploit manipulates the MokList variable, bypassing Secure Boot’s verification process and allowing malicious bootloaders to run unchecked.
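A defender-side check against this kind of tampering, as an added example that is not Binarly’s or ESET’s code: it parses the EFI_SIGNATURE_LIST records that shim stores in the MokList variable and flags any certificate fingerprint that is not on an allow list the administrator maintains. The sample blob, the owner GUID and the allow list are constructed here; the two "certificates" are placeholder bytes, not real DER.

```python
"""Audit MOK entries by parsing UEFI EFI_SIGNATURE_LIST records (added example)."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {EFI_CERT_X509: "x509", EFI_CERT_SHA256: "sha256"}
HDR = 28  # 16-byte type GUID + three UINT32 size fields


def parse_signature_lists(blob: bytes) -> list[tuple[str, str, str]]:
    """Return (type, owner GUID, SHA-256 of signature data) for every entry."""
    entries, pos = [], 0
    while pos + HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < HDR or sig_size < 16 or pos + list_size > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {pos}")
        cursor, end = pos + HDR + hdr_size, pos + list_size
        while cursor + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=blob[cursor:cursor + 16])
            data = blob[cursor + 16:cursor + sig_size]
            entries.append((SIG_TYPES.get(sig_type, str(sig_type)), str(owner),
                            hashlib.sha256(data).hexdigest()))
            cursor += sig_size
        pos = end
    return entries


def find_unexpected(blob: bytes, allowed: set[str]) -> list[tuple[str, str, str]]:
    """Entries whose fingerprint is not on the defender's allow list."""
    return [e for e in parse_signature_lists(blob) if e[2] not in allowed]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST; all payloads must share one length."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HDR + len(body), 0, 16 + len(payloads[0])) + body


# Constructed sample: two placeholder blobs (not real DER certificates) standing
# in for an admin-enrolled key and one that nobody enrolled.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
KNOWN_CERT = b"KNOWN-CERT-PLACEHOLDER".ljust(32, b"\0")
ROGUE_CERT = b"ROGUE-CERT-PLACEHOLDER".ljust(32, b"\0")
SAMPLE_MOKLIST = build_signature_list(EFI_CERT_X509, OWNER, [KNOWN_CERT, ROGUE_CERT])
ALLOWED = {hashlib.sha256(KNOWN_CERT).hexdigest()}
```

On a live Linux system the input is the runtime copy of the variable, read from /sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23 with its leading 4 attribute bytes stripped, and `find_unexpected(data, ALLOWED)` then lists every entry you did not enroll.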
Vulnerable devices include models from Lenovo, Acer, HP, and Fujitsu, with evidence suggesting the malware prototype is tailored to specific hardware configurations.
The experimental UEFI bootkit is proof that attackers can easily expand bootkit attacks beyond the Windows operating system by disabling kernel signature verification for the Linux kernel and its modules.
First spotted when a previously unknown UEFI application, “bootkit.efi,” was uploaded to VirusTotal in November 2024, ESET said numerous artifacts, including unused functions and hardcoded offsets, suggest Bootkitty is still in development and not an active threat.
Over the years, UEFI bootkits have appeared in the wild, mostly targeting the Windows ecosystem. These include ESPecter, FinSpy and, more recently, BlackLotus, the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems.
Last July, the source code for BlackLotus was shared publicly on GitHub, albeit with several modifications compared to the original malware. Designed specifically for Windows, the bootkit emerged on hacker forums in October last year, being advertised with APT-level capabilities such as Secure Boot and user access control (UAC) bypass and the ability to disable security applications and defense mechanisms on victim systems.