Researchers Uncover

Nov 27, 2024 | Ravie Lakshmanan | Linux / Malware

Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems.

Dubbed Bootkitty by its creators, who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC), and there is no evidence that it has been used in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024.

“The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup),” ESET researchers Martin Smolár and Peter Strýček said.


The development is significant because it heralds a shift in the cyber threat landscape in which UEFI bootkits are no longer confined to Windows systems alone.

It is worth noting that Bootkitty is signed with a self-signed certificate and therefore cannot be executed on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has already been installed.

UEFI Linux Bootkit

Regardless of the UEFI Secure Boot status, the bootkit is mainly engineered to boot the Linux kernel and patch, in memory, the function’s response for integrity verification before GNU GRand Unified Bootloader (GRUB) is executed.

Specifically, it proceeds to hook two functions from the UEFI authentication protocols if Secure Boot is enabled, in such a way that UEFI integrity checks are bypassed. Subsequently, it also patches three different functions in the legitimate GRUB boot loader to sidestep other integrity verifications.
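Because Bootkitty carries only a self-signed certificate, whether it can be loaded at all depends on the firmware's Secure Boot and Setup Mode state. The following defender-side check, added here as an example and not part of the article or ESET's research, reads those two variables from efivarfs (each file is a 4-byte attribute header followed by the variable data) and classifies the host; the directory path and GUID are the standard Linux and EFI global-variable values.

```shell
#!/bin/sh
# Added example (not from the article): classify a Linux host's Secure Boot
# enforcement from the SecureBoot and SetupMode UEFI variables in efivarfs.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the first data byte of an efivars file as a decimal number, skipping
# the 4-byte attribute header; print "missing" if the variable is absent.
efivar_byte() {
    f="$1"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Classify enforcement from the two variables in the given efivars directory:
#   enforcing  - SecureBoot=1 and SetupMode=0: only db-trusted binaries boot
#   setup-mode - SetupMode=1: keys can be enrolled freely, signatures mean little
#   disabled   - SecureBoot=0 or absent: a self-signed bootkit would load
secure_boot_state() {
    dir="${1:-$EFIVARS_DIR}"
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID")
    if [ "$sm" = "1" ]; then
        echo setup-mode
    elif [ "$sb" = "1" ]; then
        echo enforcing
    else
        echo disabled
    fi
}

# Report the live state of this host.
echo "Secure Boot state: $(secure_boot_state)"
```

An "enforcing" result does not cover the article's caveat of an attacker-enrolled certificate: the contents of db and the MOK list still need review, for example with `mokutil --db` and `mokutil --list-enrolled`.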


The Slovakian cybersecurity company said its investigation into the bootkit also led to the discovery of a likely related unsigned kernel module that is capable of deploying an ELF binary dubbed BCDropper, which loads another as-yet-unknown kernel module after system start.

The kernel module, which also features BlackCat as the author’s name, implements other rootkit-related functionality such as hiding files and processes and opening ports. There is no evidence to suggest a connection to the ALPHV/BlackCat ransomware group at this stage.

“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” the researchers said, adding that “it emphasizes the necessity of being prepared for potential future threats.”
