Prototype UEFI Bootkit is South Korean University Project; LogoFAIL Exploit Discovered

The ‘Bootkitty’ prototype UEFI bootkit contains an exploit for LogoFAIL and was created in a South Korean university program.


The discovery of a prototype UEFI bootkit targeting specific Ubuntu Linux setups has deepened with revelations linking its creation to a South Korean university project and the integration of a LogoFAIL exploit to bypass Secure Boot verifications.

According to SecurityWeek sources, Bootkitty is a research project from South Korea’s BoB (“Best of the Best”) academic program that provides training to cybersecurity talent. 

The BoB program is part of the South Korea Information Technology Research Institute and is affiliated with an organization of the country’s Ministry of Trade, Industry and Energy.

The bootkit, discovered by ESET after samples were uploaded to VirusTotal, was created by the university researchers to demonstrate real-world security risks below the operating system. The university could not be reached for comment.

Separately, firmware security experts at Binarly discovered an exploit for the LogoFAIL series of vulnerabilities integrated into the Bootkitty code to bypass Secure Boot protections.

Binarly said the bootkit exploits CVE-2023-40238, a vulnerability tied to Binarly’s original LogoFAIL findings from last December. 

“By leveraging flaws in image parsing during system boot, attackers have developed a sophisticated mechanism to bypass Secure Boot protection,” the Los Angeles company explained.

Specifically, Bootkitty uses a manipulated BMP file named logofail.bmp to execute malicious shellcode and inject rogue certificates into UEFI variables, effectively ensuring the malware is trusted during the boot process.


Binarly documented the exploit to show how a tampered BMP file (logofail.bmp) was designed to embed malicious shellcode that targets UEFI firmware’s image parsing routines.

The company said the exploit manipulates the MokList variable, bypassing Secure Boot’s verification process and allowing malicious bootloaders to run unchecked.
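A defender-side check for the MokList tampering described above, added here as an illustration and not code from Binarly, ESET or the Bootkitty authors: it parses the chain of EFI_SIGNATURE_LIST structures that MokList holds and flags any certificate entry whose SHA-256 fingerprint is missing from a known-good baseline. The owner GUID, certificate payloads and baseline are constructed sample values; the signature-type GUIDs and shim's MokList variable GUID are the standard ones.

```python
import hashlib
import struct
import uuid
# Signature-type GUIDs defined by the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# On a real Linux host the blob is read from efivarfs (skip the 4-byte attribute word it prepends):
# /sys/firmware/efi/efivars/MokList-605dab50-e046-4300-abb6-3dd810dd8b23
def parse_signature_lists(blob: bytes):
    """Return (sig_type, owner, data) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: 16-byte owner GUID + payload
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def audit_moklist(blob: bytes, allowed_fingerprints: set):
    """Classify each MokList entry by the SHA-256 of its payload against a known-good set."""
    findings = []
    for sig_type, _owner, data in parse_signature_lists(blob):
        fp = hashlib.sha256(data).hexdigest()
        kind = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}.get(sig_type, str(sig_type))
        findings.append((kind, fp, "expected" if fp in allowed_fingerprints else "UNEXPECTED"))
    return findings

def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payload: bytes) -> bytes:
    sig_data = owner.bytes_le + payload  # one-entry list, used only to construct sample data
    return sig_type.bytes_le + struct.pack("<III", 28 + len(sig_data), 0, len(sig_data)) + sig_data

# Constructed sample: a stand-in for the distro's MOK cert followed by an injected rogue entry.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
DISTRO_CERT = b"constructed stand-in for the distro MOK certificate DER"
ROGUE_CERT = b"constructed stand-in for a certificate injected at boot"
SAMPLE_MOKLIST = (build_signature_list(EFI_CERT_X509_GUID, OWNER, DISTRO_CERT)
                  + build_signature_list(EFI_CERT_X509_GUID, OWNER, ROGUE_CERT))
ALLOWED = {hashlib.sha256(DISTRO_CERT).hexdigest()}  # baseline captured from a known-good host

if __name__ == "__main__":
    for kind, fp, status in audit_moklist(SAMPLE_MOKLIST, ALLOWED):
        print(f"{status:10} {kind:6} {fp}")
```

On a live system, compare the output against a baseline recorded at provisioning time; any entry reported as UNEXPECTED warrants inspecting the certificate and the boot chain that installed it.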

Vulnerable devices include models from Lenovo, Acer, HP, and Fujitsu, with evidence suggesting the malware prototype is tailored to specific hardware configurations.

The experimental UEFI bootkit is proof that attackers can easily expand bootkit attacks beyond the Windows operating system by disabling kernel signature verification for the Linux kernel and its modules.

First spotted when a previously unknown UEFI application, “bootkit.efi,” was uploaded to VirusTotal in November 2024, ESET said numerous artifacts, including unused functions and hardcoded offsets, suggest Bootkitty is still in development and not an active threat.

Over the years, UEFI bootkits have appeared in the wild, mostly targeting the Windows ecosystem. These include ESPecter, FinSpy and, more recently, BlackLotus, the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems.

Last July, the source code for BlackLotus was shared publicly on GitHub, albeit with several modifications compared to the original malware. Designed specifically for Windows, the bootkit emerged on hacker forums in October last year, being advertised with APT-level capabilities such as secure boot and user access control (UAC) bypass and the ability to disable security applications and defense mechanisms on victim systems.

Related: ESET Flags Prototype UEFI Bootkit Targeting Linux

Related: LogoFAIL: Millions of Devices Exposed to Attacks

Related: NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections

Related: BlackLotus Bootkit Can Target Fully Patched Windows 11 Systems

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
