Bootkitty contains numerous elements that suggest it is a proof of concept and not a concrete threat. However, it confirms that bootkits are no longer limited to Windows systems
Researchers of ESET, a global European leader in the cybersecurity market, have discovered the first UEFI bootkit designed for Linux systems, named Bootkitty by its creators. ESET believes this bootkit is likely an early proof of concept and, based on telemetry, has not yet been actively deployed. However, it represents the first evidence that UEFI bootkits are no longer limited to Windows systems. The main goal of the bootkit is to disable the kernel's signature verification feature and preload two as yet unknown ELF binaries via Linux's "init" process, which is the first process the kernel executes during system startup.
The previously unknown UEFI application, named bootkit.efi, has been uploaded to VirusTotal. Bootkitty is signed with a self-generated certificate, making it incompatible with systems that have UEFI Secure Boot enabled by default. However, it is designed to boot the Linux kernel without problems, regardless of the state of UEFI Secure Boot, because it modifies in memory the functions necessary for integrity verification.
The bootkit is an advanced rootkit, capable of replacing the boot loader and altering the kernel before its execution. Bootkitty allows the attacker to gain full control of the compromised machine by injecting itself into the boot process and executing malware before the operating system boots.
During the analysis, ESET identified a possibly related unsigned kernel module, which it named BCDropper. The evidence gathered suggests that it may have been developed by the same authors as Bootkitty. This module deploys an ELF binary responsible for loading another kernel module that was not yet identified at the time of analysis.
“Bootkitty contains numerous elements that suggest that, at the state of the art, it is a proof of concept and not an already widespread threat. However, even if the version present on VirusTotal does not currently pose a real threat to most Linux systems, as it can only affect some versions of Ubuntu, it highlights the importance of preparing for potential future threats,” explains Martin Smolár, researcher from ESET who analyzed Bootkitty. “To protect Linux systems from these threats, you need to ensure that UEFI Secure Boot is enabled, your firmware, security software and operating system are up to date, as well as your UEFI revocation list,” he adds.
During tests conducted in ESET's test environment, researchers observed that the kernel was marked as "tainted", which was not the case in the absence of the bootkit. Another method to check for the presence of the bootkit on a system with UEFI Secure Boot enabled is to attempt to load an unsigned kernel module at runtime. If the bootkit is present, the module will be loaded; otherwise, the kernel will refuse to do so. A simple way to remove the bootkit, if it was distributed as /EFI/ubuntu/grubx64.efi, is to move the legitimate /EFI/ubuntu/grubx64-real.efi file back to its original location, /EFI/ubuntu/grubx64.efi.
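A small triage script covering the three indicators just described (taint flags, Secure Boot state, and the renamed GRUB binary on the ESP), added here as an example and not part of ESET's report; it assumes the stock /proc/sys/kernel/tainted and efivars paths and the Ubuntu ESP layout named above, and the taint bit values are the ones documented in the kernel's tainted-kernels guide:

```shell
#!/bin/sh
# Added example, not from the ESET article. Decodes the taint bits that
# matter when unsigned or out-of-tree code has been loaded, reads the
# UEFI SecureBoot variable, and looks for the grubx64-real.efi layout.

# Print one short name per relevant taint bit (empty string if clean).
# Bit values: 1=P proprietary, 2=F force-loaded, 4096=O out-of-tree,
# 8192=E unsigned module (Documentation/admin-guide/tainted-kernels.rst).
decode_taint() {
    v=$1
    out=""
    [ $((v & 1)) -ne 0 ]    && out="$out P(proprietary-module)"
    [ $((v & 2)) -ne 0 ]    && out="$out F(force-loaded)"
    [ $((v & 4096)) -ne 0 ] && out="$out O(out-of-tree-module)"
    [ $((v & 8192)) -ne 0 ] && out="$out E(unsigned-module)"
    printf '%s' "${out# }"
}

# Return 0 when the ESP mounted at $1 carries the layout the article
# names: a grubx64.efi with the real loader parked as grubx64-real.efi.
esp_layout_suspicious() {
    esp=$1
    [ -f "$esp/EFI/ubuntu/grubx64.efi" ] && [ -f "$esp/EFI/ubuntu/grubx64-real.efi" ]
}

# Return 0 when the firmware reports Secure Boot enabled. The efivars file
# starts with 4 attribute bytes; the data byte after them is 0 or 1.
secure_boot_enabled() {
    var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)
    [ -n "$var" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = "1" ]
}

main() {
    taint=$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)
    flags=$(decode_taint "$taint")
    printf 'kernel taint=%s %s\n' "$taint" "${flags:-(clean)}"
    if secure_boot_enabled; then sb=enabled; else sb="disabled or unknown"; fi
    printf 'secure boot: %s\n' "$sb"
    # $1 overrides the ESP mount point; /boot/efi is the usual Ubuntu default.
    if esp_layout_suspicious "${1:-/boot/efi}"; then
        echo "WARNING: grubx64-real.efi found beside grubx64.efi; verify grubx64.efi against the distro package before restoring"
    fi
}

main "$@"
```

A taint value of 0 with Secure Boot enabled and no grubx64-real.efi is the expected clean state; an E or O flag on a Secure Boot system warrants checking which module set it before concluding anything.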
In recent years, the UEFI threat landscape, particularly bootkits, has evolved significantly. It all started with the first proof of concept of a UEFI bootkit, described by Andrea Allievi in 2012, which demonstrated the possibility of deploying bootkits on modern UEFI-based Windows systems, followed by many other PoCs (EfiGuard, Boot Backdoor, UEFI-bootkit). It took several years before the first two real UEFI bootkits were discovered (one of which, ESPecter, was spotted by ESET in 2021) and another two years before the infamous BlackLotus appeared, the first UEFI bootkit capable of bypassing UEFI Secure Boot on updated systems, discovered by ESET in 2023. A common element among these bootkits was that they exclusively targeted Windows systems.