Over the past few years, the UEFI threat landscape, particularly that of UEFI bootkits, has evolved significantly. It all started with the first UEFI bootkit proof of concept (PoC) described by Andrea Allievi in 2012, which served as a demonstration of deploying bootkits on modern UEFI-based Windows systems, and was followed by many other PoCs (EfiGuard, Boot Backdoor, UEFI-bootkit). It took several years until the first two real UEFI bootkits were discovered in the wild (ESPecter, 2021 ESET; FinSpy bootkit, 2021 Kaspersky), and it took two more years until the infamous BlackLotus – the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems – appeared (2023, ESET).
A common thread among these publicly known bootkits was their exclusive targeting of Windows systems. Today, we unveil our latest discovery: the first UEFI bootkit designed for Linux systems, named Bootkitty by its creators. We believe this bootkit is merely an initial proof of concept, and based on our telemetry, it has not been deployed in the wild. That said, its existence underscores an important message: UEFI bootkits are no longer confined to Windows systems alone.
The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup). During our analysis, we discovered a possibly related unsigned kernel module – with signs suggesting that it could have been developed by the same author(s) as the bootkit – that deploys an ELF binary responsible for loading yet another kernel module that was unknown during our analysis.
Key points of this blogpost:
- In November 2024, a previously unknown UEFI application, named bootkit.efi, was uploaded to VirusTotal.
- Our initial analysis confirmed it is a UEFI bootkit, named Bootkitty by its creators and, surprisingly, the first UEFI bootkit targeting Linux, specifically a few Ubuntu versions.
- Bootkitty is signed by a self-signed certificate, thus it is not capable of running on systems with UEFI Secure Boot enabled unless the attackers' certificates have been installed.
- Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, as it patches, in memory, the necessary functions responsible for integrity verification before GRUB is executed.
- bootkit.efi contains many artifacts suggesting this is more like a proof of concept than the work of an active threat actor.
- We discovered a possibly related kernel module, which we named BCDropper, that deploys an ELF program responsible for loading another kernel module.
Bootkitty overview
As mentioned in the introduction, Bootkitty contains many artifacts suggesting that we might be dealing with a proof of concept instead of actively used malware. In this section, we look more closely at these artifacts, plus other basic information about the bootkit.
Bootkitty contains two unused functions, capable of printing special strings to the screen during its execution. The first function, whose output is depicted in Figure 1, can print ASCII art that we believe represents a possible name of the bootkit: Bootkitty.

The second function can print the text shown in Figure 2, which contains the list of possible bootkit authors and other persons that perhaps somehow participated in its development. One of the names mentioned in the image can be found on GitHub, but the profile does not have any public repository that would contain or mention a UEFI bootkit project; therefore, we can neither confirm nor contradict the authenticity of the names mentioned in the bootkit.

During each boot, Bootkitty prints on screen the strings shown in Figure 3.

Note that the BlackCat name is also referenced in the loadable kernel module described later. Despite the name, we believe there is no connection to the ALPHV/BlackCat ransomware group. This is because BlackCat is a name used by researchers and Bootkitty was developed in C, while the group calls itself ALPHV and develops its malware exclusively in Rust.
As mentioned earlier, Bootkitty currently supports only a limited number of systems. The reason is that to find the functions it wants to modify in memory, it uses hardcoded byte patterns. While byte-pattern matching is a common technique when it comes to bootkits, the authors didn't use the best patterns for covering multiple kernel or GRUB versions; therefore, the bootkit is fully functional only for a limited number of configurations. What limits the use of the bootkit even more is the way it patches the decompressed Linux kernel: as shown in Figure 4, once the kernel image is decompressed, Bootkitty simply copies the malicious patches to hardcoded offsets within the kernel image.

We explain how the bootkit gets to the actual kernel patching later, in the Linux kernel image decompression hook section; for now, just note that due to the lack of kernel-version checks in the function shown in Figure 4, Bootkitty can get to the point where it patches completely random code or data at these hardcoded offsets, thus crashing the system instead of compromising it. This is one of the facts that supports the proof-of-concept theory. On the other hand, it might be an initial, not-production-ready version of malware created by malicious threat actors.
Last but not least, the bootkit binary is signed by the self-signed certificate shown in Figure 5.

Technical analysis
We start with an overview of Bootkitty's execution, as depicted in Figure 6. First, we briefly describe the main functionality and then, in subsequent sections, we go into more detail.
There are three main parts we focus on:
- Execution of the bootkit and patching of the legitimate GRUB bootloader (points 4 and 5 in Figure 6).
- Patching of the Linux kernel's EFI stub loader (points 6 and 7 in Figure 6).
- Patching of the decompressed Linux kernel image (points 8 and 9 in Figure 6).

Initialization and GRUB hooking
After Bootkitty is executed by the shim, it checks whether UEFI Secure Boot is enabled by examining the value of the SecureBoot UEFI variable, and if so proceeds to hook two functions from the UEFI authentication protocols (this process is shown in Figure 7):
- EFI_SECURITY2_ARCH_PROTOCOL.FileAuthentication: this function is used by the firmware to measure and verify the integrity of UEFI PE images. Bootkitty's hook function modifies the output of this function so that it always returns EFI_SUCCESS, meaning that the verification succeeded.
- EFI_SECURITY_ARCH_PROTOCOL.FileAuthenticationState: this function is used by the firmware to execute a platform-specific policy in response to different authentication status values. Again, the bootkit's hook modifies it in a way that it always returns EFI_SUCCESS, meaning that the firmware can use the file regardless of its actual authentication status.

After checking the status of UEFI Secure Boot, Bootkitty proceeds to load the legitimate GRUB from the hardcoded path on the EFI system partition: /EFI/ubuntu/grubx64-real.efi. This file should be a backup, created by the attacker, of a legitimate GRUB. Once GRUB is loaded (but not yet executed), the bootkit starts patching and hooking the following code in GRUB's memory:
- The start_image function within the peimage GRUB module (a module embedded within GRUB). This function is responsible for starting an already loaded PE image, and it's invoked by GRUB to start the Linux kernel's EFI stub binary (known in general as vmlinuz.efi or vmlinuz). The hook function takes advantage of the fact that at the moment the hook is executed, vmlinuz is already loaded into memory (but hasn't been executed yet), and patches the function responsible for decompressing the actual Linux kernel image within vmlinuz (note that in some cases, due to the way the Linux kernel is compiled, it can be quite challenging to find the exact name of the function being patched; however, we believe that in this case it should be the zstd_decompress_dctx function). More details about the decompression hook are in the Linux kernel image decompression hook section.
- The shim_lock_verifier_init function, which is part of the shim_lock verifier mechanism within GRUB – this should be activated automatically if UEFI Secure Boot is enabled. It is responsible for deciding whether the files provided (e.g., GRUB modules, Linux kernel, configurations…) should be verified or not during the boot. The installed hook, however, is somewhat confusing and the author's intentions are unclear, because it modifies shim_lock_verifier_init's output in a way that sets the output flag to GRUB_VERIFY_FLAGS_SINGLE_CHUNK (value 2) for any file type provided, which should, according to the GRUB manual, strengthen the security even more. Interestingly, due to the hook described in the next point, this shim_lock_verifier_init function is not even called during the boot, thus becoming irrelevant.
- The grub_verifiers_open function. This function is invoked by GRUB any time it opens a file, and is responsible for checking whether the installed GRUB file verifiers (this includes the shim_lock verifier described above) require integrity verification for the file being loaded. The function is hooked by the bootkit in a way that it returns immediately without proceeding to any signature checks (note that this means it does not even execute the previously hooked shim_lock_verifier_init function).
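The Secure Boot check Bootkitty performs at startup is one a defender can reproduce from Linux userland, and it is worth pairing with SetupMode, since a platform in Setup Mode lets its key databases be rewritten. The script below is an added example, not code from the ESET write-up or from the bootkit: it reads the SecureBoot and SetupMode variables through efivarfs, where each variable file starts with 4 bytes of attributes followed by the data. The EFIVARS_DIR override and the helper names are ours; the GUID is the standard EFI global variable GUID.

```shell
#!/bin/sh
# Added example (not from the ESET write-up): read the same SecureBoot UEFI
# variable Bootkitty inspects, plus SetupMode, via efivarfs. Each file in
# /sys/firmware/efi/efivars/ holds 4 attribute bytes followed by the data;
# for SecureBoot and SetupMode the data is a single byte (1 or 0).
# Assumption: EFIVARS_DIR can be pointed at a copied-out directory for testing.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
# EFI global variable GUID, under which SecureBoot and SetupMode are stored.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_data_byte FILE: print byte 4 (the first data byte) in decimal.
# Returns 1 when the variable file is missing or unreadable.
efivar_data_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# efivar_state NAME: map the variable's data byte to on/off/unknown.
efivar_state() {
    byte=$(efivar_data_byte "$EFIVARS_DIR/$1-$EFI_GLOBAL_GUID") || { echo unknown; return 0; }
    case "$byte" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

secure_boot_state() { efivar_state SecureBoot; }
setup_mode_state()  { efivar_state SetupMode; }

# secure_boot_enforced: succeed (0) only when SecureBoot is on and the
# platform is not in Setup Mode. A self-signed image such as bootkit.efi
# cannot run in that state unless a certificate for it has been enrolled;
# in Setup Mode the key databases can be rewritten, so "on" alone is not
# a reliable guarantee.
secure_boot_enforced() {
    [ "$(secure_boot_state)" = on ] && [ "$(setup_mode_state)" = off ]
}

# Report the state when run directly; harmless on non-UEFI hosts.
echo "SecureBoot: $(secure_boot_state), SetupMode: $(setup_mode_state)"
if secure_boot_enforced; then
    echo "Secure Boot is enforced on this platform"
else
    echo "Secure Boot is NOT enforced; unsigned or self-signed EFI binaries can run"
fi
```

Run it as root (efivarfs is not readable by unprivileged users on most distributions). An "off" or "unknown" result is exactly the condition under which the self-signed bootkit.efi can execute without any attacker certificate being enrolled.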
Linux kernel image decompression hook
This hook is responsible for patching the decompressed Linux kernel image. The hook is called right before the kernel image is decompressed, so the hook restores the original decompression function's bytes and executes the original function to decompress the kernel image before proceeding to the kernel patching.
Now, as the kernel is decompressed and lies in memory untouched (it still hasn't been executed), the hook code patches it at hardcoded offsets (in memory only). Specifically, as shown in Figure 8, it:
- Rewrites the kernel version and Linux banner strings with the text BoB13 (this has no significant effect on the system).
- Hooks the module_sig_check function.
- Patches the pointer/address to the first environment variable of the init process.

The function module_sig_check is patched to always return 0. This function is responsible for checking whether a module is validly signed. By patching the function to return 0, the kernel will load any module without verifying the signature. On Linux systems with UEFI Secure Boot enabled, kernel modules need to be signed if they are meant to be loaded. This is also the case when the kernel is built with CONFIG_MODULE_SIG_FORCE enabled or when module.sig_enforce=1 is passed as a kernel command line argument, as described in the Linux kernel documentation. The likely scenario is that at least one malicious kernel module is loaded at a later stage, such as the dropper analyzed below.
The first process that the Linux kernel executes is init from the first hardcoded path that works (starting with /init from initramfs), along with command line arguments and environment variables. The hook code replaces the first environment variable with LD_PRELOAD=/opt/injector.so /init. LD_PRELOAD is an environment variable that is used to load ELF shared objects before others and can be used to override functions. It is a common technique used by attackers to load malicious binaries. In this case, the /opt/injector.so and /init ELF shared objects are loaded when the init process starts. This is where the intention becomes less clear, mainly why the second string /init is part of LD_PRELOAD.
We have not discovered any of these possibly malicious ELF shared objects, though just as this blogpost was being finalized for publication, a write-up describing the missing components mentioned in our analysis was published. Now it's clear they are used just to load another stage.
Impact and remediation
Apart from loading unknown ELF shared objects, Bootkitty leaves footprints in the system. The first is the intended, albeit not necessary, modification of the kernel version and Linux banner strings. The former can be seen by running uname -v (Figure 9) and the latter by running dmesg (Figure 10).


During our analysis, the output of the command dmesg also included details about how the init process was run. As depicted in Figure 11, the process was run with the LD_PRELOAD environment variable (it was originally HOME=/ and was replaced with LD_PRELOAD=/opt/injector.so /init by the bootkit).

Note in Figure 11 that the word /init in the first line corresponds to the legitimate program in initramfs that eventually passes control to systemd on default Ubuntu installations. The presence of the LD_PRELOAD environment variable can also be verified by inspecting the file /proc/1/environ.
After booting up a system with Bootkitty in our testing environment, we noticed that the kernel was marked as tainted (the command from Figure 12 can be used to check the tainted value), which was not the case when the bootkit was absent. Another way to tell whether the bootkit is present on a system with UEFI Secure Boot enabled is to attempt to load an unsigned dummy kernel module at runtime. If the bootkit is present, the module will be loaded; if not, the kernel refuses to load it.

A simple remedy to get rid of the bootkit is to move the legitimate /EFI/ubuntu/grubx64-real.efi file back to its original location, which is /EFI/ubuntu/grubx64.efi. This will make shim execute the legitimate GRUB and thus the system will boot up without the bootkit (note that this covers only the scenario where the bootkit is deployed as /EFI/ubuntu/grubx64.efi).
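The footprints from the decompression-hook section (LD_PRELOAD in init's environment, the BoB13 marker, module signature checks disabled) and the tainted-kernel and ESP observations in this section can be turned into a small triage script. The one below is an added example, not code from the ESET write-up or from the IoC repository; every check takes its input as a file or string so it also runs against copies collected from a suspect host. Assumptions not on the page: the tainted value is read from /proc/sys/kernel/tainted, the Linux banner from /proc/version (the same text dmesg prints at boot), the ESP is mounted at /boot/efi, and the quarantine file name is ours.

```shell
#!/bin/sh
# Added example (not from the ESET write-up): defender-side checks for the
# Bootkitty footprints described in the text. Each function takes its input
# as an argument so it can run on a live host or on collected evidence.

# check_init_environ FILE: print any LD_PRELOAD entry in init's NUL-separated
# environment (default /proc/1/environ). Succeeds (0) when one is found.
check_init_environ() {
    tr '\0' '\n' < "${1:-/proc/1/environ}" | grep '^LD_PRELOAD='
}

# check_banner_strings TEXT...: succeed when the BoB13 marker Bootkitty
# writes over the kernel version / Linux banner strings appears in TEXT.
check_banner_strings() {
    printf '%s\n' "$@" | grep -q 'BoB13'
}

# decode_tainted VALUE: print one line per set taint bit as
# "<bit> <flag> <meaning>", using the flag letters documented in
# Documentation/admin-guide/tainted-kernels.rst (assumed source of VALUE:
# /proc/sys/kernel/tainted).
decode_tainted() {
    bit=0
    for entry in "P:proprietary module loaded" "F:module force-loaded" \
        "S:out-of-spec system" "R:module force-unloaded" \
        "M:machine check / hardware error" "B:bad page referenced" \
        "U:userspace-requested taint" "D:kernel died (OOPS/BUG)" \
        "A:ACPI table overridden" "W:warning issued" "C:staging driver loaded" \
        "I:firmware/platform workaround" "E:unsigned module loaded" \
        "L:soft lockup" "K:live-patched" "X:aux/external taint" \
        "T:struct randomization" "N:in-kernel test"; do
        if [ $(( ($1 >> bit) & 1 )) -eq 1 ]; then
            printf '%d %s %s\n' "$bit" "${entry%%:*}" "${entry#*:}"
        fi
        bit=$((bit + 1))
    done
}

# tainted_unsigned_module VALUE: succeed when bit 12 (E) is set, the flag the
# kernel raises when a module's signature was not validated. Unsigned
# third-party modules set it on non-enforcing kernels too, so compare the
# result against the module inventory you expect on the host.
tainted_unsigned_module() {
    [ $(( ($1 >> 12) & 1 )) -eq 1 ]
}

# check_esp ESP_MOUNT: succeed when the attacker's GRUB backup path exists;
# grubx64-real.efi is not a file Ubuntu's own installer creates.
check_esp() {
    [ -f "$1/EFI/ubuntu/grubx64-real.efi" ]
}

# restore_grub ESP_MOUNT: the remediation from the text, made reversible:
# keep the current grubx64.efi under a quarantine name for later analysis,
# then move the legitimate grubx64-real.efi back to grubx64.efi.
# Returns 1 (and changes nothing) unless the backup is present.
restore_grub() {
    esp="$1/EFI/ubuntu"
    [ -f "$esp/grubx64-real.efi" ] || return 1
    if [ -f "$esp/grubx64.efi" ]; then
        mv "$esp/grubx64.efi" "$esp/grubx64.efi.quarantined"
    fi
    mv "$esp/grubx64-real.efi" "$esp/grubx64.efi"
}

# Live triage when invoked as: sh bootkitty-check.sh --live  (run as root;
# the ESP mount point /boot/efi is an assumption, adjust as needed)
if [ "${1:-}" = "--live" ]; then
    check_init_environ && echo "!! LD_PRELOAD is set in init's environment"
    check_banner_strings "$(uname -v)" "$(cat /proc/version)" && echo "!! BoB13 marker in kernel strings"
    decode_tainted "$(cat /proc/sys/kernel/tainted)"
    tainted_unsigned_module "$(cat /proc/sys/kernel/tainted)" && echo "!! kernel tainted by an unsigned module"
    check_esp /boot/efi && echo "!! /EFI/ubuntu/grubx64-real.efi present on the ESP"
fi
```

Only run restore_grub after the current grubx64.efi has been preserved for analysis and you have confirmed grubx64-real.efi is the distribution's GRUB (compare its hash with the package-installed copy); the function quarantines the replaced file rather than deleting it for that reason.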
BCDropper and BCObserver
In addition to the bootkit, we discovered a possibly related unsigned kernel module we named BCDropper, uploaded to VirusTotal around the same time and by the same submitter ID as the bootkit, containing hints that it might have been developed by the same author as the bootkit, such as:
- a BlackCat string in the output of the modinfo command, shown in Figure 13,
- another occurrence of the blackcat string in the debug paths in the module's binary, shown in Figure 14, and
- an unused file-hiding function that hides specific entries from directory listings. As shown in Figure 15, one of the hardcoded filename string prefixes used to filter out these entries is injector (note that Bootkitty tries to preload a shared library from the path /opt/injector.so).
However, even with the evidence presented, we cannot say for sure whether or not the kernel module is related to Bootkitty (or was created by the same developer). Also, the kernel version mentioned in Figure 13 (6.8.0-48-generic) is not supported by the bootkit.



As its name suggests, the kernel module drops an embedded ELF file we named BCObserver, specifically to /opt/observer, and executes it via /bin/bash (Figure 17). On top of that, the module hides itself by removing its entry from the module list. The kernel module also implements other rootkit-related functionalities like hiding files (those in Figure 15), processes, and open ports, but they are not directly used by the dropper.

BCObserver is a rather simple application that waits until the display manager gdm3 is running, and then loads an unknown kernel module from /opt/rootkit_loader.ko via the finit_module system call. By waiting for the display manager to start, the code ensures that the kernel module is loaded after the system is fully booted up.

While we cannot confirm whether the dropper is somehow related to the bootkit, and if so, how it is meant to be executed, we're quite sure that the bootkit patches the module_sig_check function for a reason, and loading an unsigned kernel module (such as the dropper described here) would definitely make sense.
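BCDropper's self-hiding removes its entry from the kernel's module list, which is what /proc/modules and lsmod walk, but the sysfs directory created for a loaded module under /sys/module/<name>/ normally remains, and unlike built-in modules it carries an initstate attribute. Comparing the two views is a standard way to spot a module hidden this way. The script below is an added example, not code from the ESET write-up: the directory arguments exist so the functions can be run against copied-out evidence, the dropped-file paths come from the text, and the fixture names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the ESET write-up): find a loadable module that
# was unlinked from the kernel's module list, as BCDropper does to itself.
# Such a module vanishes from /proc/modules but keeps its sysfs directory,
# which (unlike a built-in module's) contains an "initstate" file.
# Assumption: SYSMODDIR / PROCMODULES / ROOT are passed in so the checks can
# be run on a live host ("/sys/module", "/proc/modules", "/") or on copies.

# loaded_modules_sysfs SYSMODDIR: names of loadable (not built-in) modules
# known to sysfs, one per line.
loaded_modules_sysfs() {
    for d in "$1"/*/; do
        [ -e "${d}initstate" ] || continue
        basename "$d"
    done
}

# hidden_modules SYSMODDIR PROCMODULES: print modules present in sysfs but
# absent from the /proc/modules listing (first column is the module name).
# Succeeds (0) when at least one hidden module is found.
hidden_modules() {
    found=1
    for name in $(loaded_modules_sysfs "$1"); do
        if ! awk -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$2"; then
            echo "$name"
            found=0
        fi
    done
    return $found
}

# dropped_artifacts ROOT: report which of the paths used by BCDropper,
# BCObserver and Bootkitty exist below ROOT. Testing each path directly
# sidesteps a directory-listing filter like the unused one in the module,
# though a rootkit hooking path lookups as well could still conceal them.
dropped_artifacts() {
    found=1
    for p in /opt/observer /opt/rootkit_loader.ko /opt/injector.so; do
        if [ -e "$1$p" ]; then echo "$p"; found=0; fi
    done
    return $found
}

# Live check when invoked as: sh hidden-module-check.sh --live (run as root)
if [ "${1:-}" = "--live" ]; then
    hidden_modules /sys/module /proc/modules && echo "!! module(s) above are hidden from /proc/modules"
    dropped_artifacts / && echo "!! known BCDropper/BCObserver artifact paths exist"
fi
```

A module that also deletes its sysfs kobject will not show up here, so treat an empty result as "nothing found by this method" rather than a clean bill of health; the module-loading checks in the previous section (taint flags, unsigned-module behaviour) cover that gap from a different angle.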
Conclusion
Whether a proof of concept or not, Bootkitty marks an interesting step forward in the UEFI threat landscape, breaking the belief that modern UEFI bootkits are Windows-exclusive threats. Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.
To keep your Linux systems safe from such threats, make sure that UEFI Secure Boot is enabled, your system firmware and OS are up-to-date, and so is your UEFI revocations list.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
SHA-1 | Filename | Detection | Description |
35ADF3AED60440DA7B80F3C452047079E54364C1 | bootkit.efi | EFI/Agent.A | Bootkitty UEFI bootkit. |
BDDF2A7B3152942D3A829E63C03C7427F038B86D | dropper.ko | Linux/Rootkit.Agent.FM | BCDropper. |
E8AF4ED17F293665136E17612D856FA62F96702D | observer | Linux/Rootkit.Agent.FM | BCObserver. |
MITRE ATT&CK techniques
This table was built using version 16 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
Resource Development | T1587.001 | Develop Capabilities: Malware | Bootkitty is a brand-new UEFI bootkit developed by an unknown author. |
Resource Development | T1587.002 | Develop Capabilities: Code Signing Certificates | The Bootkitty sample is signed with a self-signed certificate. |
Execution | T1106 | Native API | BCObserver uses the finit_module system call to load a kernel module. |
Execution | T1129 | Shared Modules | Bootkitty uses LD_PRELOAD to preload shared modules from a hardcoded path into the init process during system start. |
Persistence | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | Bootkitty patches init's environment variable with LD_PRELOAD so that it loads a next stage when executed. |
Persistence | T1542.003 | Pre-OS Boot: Bootkit | Bootkitty is a UEFI bootkit meant to be deployed on the EFI System Partition. |
Defense Evasion | T1014 | Rootkit | BCDropper serves as a rootkit implemented as a loadable kernel module for Linux systems. |
Defense Evasion | T1562 | Impair Defenses | Bootkitty disables signature verification features in the GRUB bootloader and the Linux kernel. |
Defense Evasion | T1564 | Hide Artifacts | BCDropper hides itself by removing its entry from the kernel's module list. |