Researchers Unveil “Bootkitty” — The First UEFI Bootkit Targeting Linux Kernels!


Cybersecurity researchers have made a groundbreaking discovery, revealing Bootkitty, the first-ever Unified Extensible Firmware Interface (UEFI) bootkit designed specifically for Linux systems. 🕵️♂️

Bootkitty, created by a hacker group known as BlackCat, is a proof-of-concept (PoC) malware, and as of now, there’s no evidence of it being used in real-world cyberattacks. 🦠 It was uploaded to the VirusTotal platform on November 5, 2024, and is also referred to as Iranukit.

The primary objective of Bootkitty is to disable Linux kernel signature verification and inject two unknown ELF binaries during the system startup process. This is done through the Linux init process, which is the first process triggered when the kernel boots up. 🚀🔓

This discovery marks a significant shift in the cyber threat landscape, highlighting that UEFI bootkits are no longer limited to Windows systems. Traditionally, UEFI bootkits were known to exploit Windows devices, but Bootkitty demonstrates that Linux is now a target as well. ⚠️

Bootkitty’s Key Features:

Self-Signed Certificate: The bootkit is signed using a self-signed certificate, meaning it can’t execute on systems with UEFI Secure Boot enabled unless the attacker has already installed a malicious certificate. 🏴☠️

UEFI Hooking: Bootkitty hooks two functions from the UEFI authentication protocols to bypass Secure Boot and patch the system’s integrity verification process before the GRUB bootloader is executed. 🔧💡

Bypassing Integrity Checks: It patches three functions within the legitimate GRUB bootloader to sidestep additional integrity verifications, ensuring the attacker has complete control. 🔐

In the course of their investigation, the Slovakian cybersecurity team discovered a related unsigned kernel module capable of deploying another ELF binary known as BCDropper. This component loads additional kernel modules, providing functionalities such as hiding files and processes and opening unauthorized ports. 😱
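The two conditions the article ties to Bootkitty, Secure Boot being off (so a self-signed bootkit binary is never rejected) and an unsigned kernel module having been loaded, can both be read from sysfs and procfs on a Linux host. The following defender-side preflight check is an added example, not code from the researchers or from Wire Tor; the efivarfs path, the taint bit numbers and the constructed sample values are assumptions taken from kernel documentation, not from the page.

```python
"""Preflight check for the preconditions the Bootkitty write-up names:
UEFI Secure Boot state and the 'unsigned module loaded' kernel taint.
Reads live paths when present, otherwise runs on constructed samples."""
from pathlib import Path

# efivarfs exposes the UEFI SecureBoot variable under NAME-VENDORGUID (assumed path).
SECUREBOOT_EFIVAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
TAINTED_PROC = Path("/proc/sys/kernel/tainted")

# Kernel taint bits (Documentation/admin-guide/tainted-kernels.rst).
TAINT_OOT_MODULE = 1 << 12       # 'O': out-of-tree module loaded
TAINT_UNSIGNED_MODULE = 1 << 13  # 'E': unsigned module loaded


def secure_boot_state(raw: bytes) -> str:
    """Decode an efivarfs blob: 4 attribute bytes, then the 1-byte SecureBoot value."""
    if len(raw) < 5:
        return "unknown"
    return "enabled" if raw[4] == 1 else "disabled"


def taint_findings(tainted: int) -> list[str]:
    """Translate the taint bitmask into the findings relevant to a bootkit/rootkit."""
    findings = []
    if tainted & TAINT_UNSIGNED_MODULE:
        findings.append("unsigned kernel module loaded (taint E)")
    if tainted & TAINT_OOT_MODULE:
        findings.append("out-of-tree kernel module loaded (taint O)")
    return findings


def assess(secure_boot_raw: bytes, tainted: int) -> dict:
    """Combine both checks; Secure Boot off means self-signed boot code is not rejected."""
    state = secure_boot_state(secure_boot_raw)
    findings = taint_findings(tainted)
    if state != "enabled":
        findings.insert(0, f"Secure Boot {state}: self-signed boot binaries are not rejected")
    return {"secure_boot": state, "findings": findings}


def assess_host() -> dict:
    """Use the live host when efivarfs/procfs exist; else a constructed sample."""
    if SECUREBOOT_EFIVAR.exists() and TAINTED_PROC.exists():
        return assess(SECUREBOOT_EFIVAR.read_bytes(), int(TAINTED_PROC.read_text()))
    # Constructed sample: attributes 0x06, Secure Boot = 0, taint bit E set.
    return assess(b"\x06\x00\x00\x00\x00", TAINT_UNSIGNED_MODULE)


if __name__ == "__main__":
    for line in assess_host()["findings"] or ["no findings"]:
        print(line)
```

Secure Boot reporting "enabled" is not a clean bill of health on its own, since the article notes the bootkit can still run if an attacker-controlled certificate has been enrolled; reviewing the enrolled db and MOK certificates is a separate check.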

While there is no connection to the ALPHV/BlackCat ransomware group at this time, the research underscores the rootkit-like nature of Bootkitty, showcasing its potential to cause severe damage to Linux systems.

Whether it’s a proof of concept or not, Bootkitty represents a new frontier in the UEFI bootkit landscape, breaking the misconception that these threats are only aimed at Windows. As Linux systems continue to grow in use, this discovery serves as a reminder that cybersecurity teams must be ready to tackle evolving threats across all platforms. 🛡️

The emergence of sophisticated threats like Bootkitty emphasizes the need for robust penetration testing to identify vulnerabilities before cybercriminals can exploit them. At Wire Tor, we offer top-tier cybersecurity services to protect your systems from emerging threats like UEFI bootkits and more. Reach out today for expert analysis and protection! 🌐💻
