ESET researchers analyze the first UEFI bootkit designed for Linux systems
Analysis Summary
# Tool/Technique: Bootkitty
## Overview
Bootkitty is a proof-of-concept (PoC) UEFI bootkit specifically designed to target Linux operating systems, primarily certain Ubuntu versions. Its main objective is to disable kernel signature verification features and subsequently preload two unknown ELF binaries via the Linux `init` process during system startup. It is notably the first UEFI bootkit discovered targeting Linux.
## Technical Details
- Type: Malware family (UEFI Bootkit)
- Platform: Linux (certain Ubuntu versions are the stated targets)
- Capabilities: UEFI firmware manipulation, disabling kernel integrity checks, preloading ELF binaries via the `init` process.
- First Seen: Uploaded to VirusTotal in November 2024.
## MITRE ATT&CK Mapping
- **Resource Development**
  - T1587 - Develop Capabilities
  - T1587.001 - Develop Capabilities: Malware
  - T1587.002 - Develop Capabilities: Code Signing Certificates (uses a self-signed certificate)
- **Execution**
  - T1106 - Native API (BCDropper uses the `finit_module` system call)
  - T1129 - Shared Modules (uses `LD_PRELOAD` to inject code into `init`)
- **Persistence**
  - T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking (patches the `init` environment with `LD_PRELOAD`)
  - T1542.003 - Pre-OS Boot: Bootkit (intended to reside on the EFI System Partition)
- **Defense Evasion**
  - T1014 - Rootkit (BCDropper functions as a Linux loadable kernel module rootkit)
  - T1562 - Impair Defenses (disables signature verification in GRUB and the Linux kernel)
  - T1564 - Hide Artifacts (BCDropper hides itself by removing its module from the kernel's module list)
## Functionality
### Core Capabilities
- **UEFI Bootkit Installation:** Designed to be deployed on the EFI System Partition.
- **Integrity Bypass:** Patches the necessary integrity verification functions in memory before the GRUB bootloader executes, allowing it to boot the Linux kernel whether or not UEFI Secure Boot is enabled, provided the attacker's self-signed certificate has been enrolled; with Secure Boot enabled and without that certificate, the bootkit will not be executed.
- **Payload Delivery:** Aims to preload ELF binaries by manipulating the Linux `init` process via dynamic linker hijacking.
### Advanced Features
- **Self-Signed Certificate:** The main component (`bootkit.efi`) is signed with a self-signed certificate.
- **Related Kernel Module (BCDropper/dropper.ko):** A possibly related kernel module acts as a rootkit, deploying an ELF binary capable of loading another unknown kernel module.
- **Module Hiding:** The BCDropper module hides its presence by unlinking itself from the kernel's modules list.
- **Code Artifacts:** Contains embedded ASCII art potentially representing the name "Bootkitty" and a list of names potentially linked to its development.
## Indicators of Compromise
- File Hashes:
  - SHA-1: `35ADF3AED60440DA7B80F3C452047079E54364C1` (bootkit.efi)
  - SHA-1: `BDDF2A7B3152942D3A829E63C03C7427F038B86D` (dropper.ko)
  - SHA-1: `E8AF4ED17F293665136E17612D856FA62F96702D` (observer/BCObserver)
- File Names:
  - `bootkit.efi`
  - `dropper.ko` (BCDropper)
  - `observer` (BCObserver)
- Registry Keys: N/A (Linux/UEFI scope)
- Network Indicators: Not explicitly detailed in the context provided.
- Behavioral Indicators:
  - Patching in-memory functions related to kernel integrity checks.
  - Setting `LD_PRELOAD` in the environment of the `init` process so that it preloads ELF shared objects from a hardcoded path.
  - Use of the `finit_module` system call by BCDropper.
## Associated Threat Actors
The bootkit appears to be an initial proof of concept created by cybersecurity students participating in Korea's Best of the Best (BoB) training program, rather than malware used in the wild by known threat actors. It references "BlackCat" in its messages, but researchers believe there is no link to the ALPHV/BlackCat ransomware group.
## Detection Methods
- Signature-based detection (File hashes listed above).
- Behavioral detection:
  - Monitoring for memory patching of firmware/kernel integrity functions during the boot process.
  - Monitoring for modifications to the `init` environment variables (`LD_PRELOAD`).
  - Monitoring for `finit_module` usage by unexpected processes.
- YARA rules: Not provided in the context.
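Two of the behavioral checks above, as an added example that is not part of the ESET report: inspecting PID 1's environment for an `LD_PRELOAD` entry, and filtering auditd SYSCALL records for `finit_module` calls made by binaries outside an allowlist of expected module loaders. The environ bytes, the audit lines, the preload path and the `/tmp/observer` executable are all constructed sample data; `313` is the x86_64 syscall number for `finit_module`, and the allowlist is an assumption to tune per distribution.

```python
import re
from typing import Optional

# Constructed sample of /proc/1/environ (NUL-separated); the path is a placeholder.
SAMPLE_INIT_ENVIRON = (
    b"PATH=/usr/local/sbin:/usr/sbin:/sbin\x00"
    b"LD_PRELOAD=/opt/constructed/preload.so\x00"
    b"HOME=/\x00"
)

# Constructed auditd SYSCALL records; on x86_64 finit_module is syscall 313.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=313 success=yes exit=0 pid=412 auid=4294967295 uid=0 comm="systemd-modules" exe="/usr/lib/systemd/systemd-modules-load"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=313 success=yes exit=0 pid=987 auid=1000 uid=0 comm="insmod" exe="/usr/bin/kmod"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=313 success=yes exit=0 pid=1337 auid=1000 uid=0 comm="observer" exe="/tmp/observer"
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=1 success=yes exit=5 pid=1338 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash"
"""

# Assumed allowlist of binaries that legitimately load kernel modules on this host.
EXPECTED_LOADERS = {"/usr/bin/kmod", "/usr/lib/systemd/systemd-modules-load"}
# Raw number on x86_64, or the name when auditd's interpretation (ausearch -i) is enabled.
FINIT_MODULE = {"313", "finit_module"}


def init_ld_preload(environ: bytes) -> Optional[str]:
    """Return the LD_PRELOAD value found in PID 1's environment, or None if absent.

    A normally booted init has no LD_PRELOAD at all, so any value is worth an alert.
    """
    for entry in environ.split(b"\x00"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # auditd key=value pairs, values optionally quoted


def unexpected_finit_module(log: str, allowed_exe=EXPECTED_LOADERS) -> list:
    """Return (pid, comm, exe) for finit_module calls made by non-allowlisted executables."""
    hits = []
    for line in log.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        if fields.get("syscall") not in FINIT_MODULE:
            continue
        if fields.get("exe") not in allowed_exe:
            hits.append((fields.get("pid"), fields.get("comm"), fields.get("exe")))
    return hits
```

On a live host, feed `open("/proc/1/environ", "rb").read()` to `init_ld_preload` and the output of `ausearch -m SYSCALL` to `unexpected_finit_module`.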
## Mitigation Strategies
- **UEFI Secure Boot:** Although Bootkitty attempts to operate despite Secure Boot, systems should strictly enforce Secure Boot, ensuring only trusted, vendor-signed, or manually authorized certificates are accepted.
- **Firmware/Partition Trust:** Regularly audit the contents of the EFI System Partition (ESP) for unrecognized or modified `.efi` files.
- **Kernel Integrity:** Implement robust integrity checks on the running kernel, although the bootkit aims to disable these low-level checks.
- **Module Integrity Checks:** Monitor kernel module loading activity closely, especially the loading of modules (`.ko` files) that attempt to hide themselves, for example by unlinking from the kernel's module list.
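The ESP audit and the hidden-module check above, as an added example that is not part of the ESET report: `.efi` files under the ESP are hashed with SHA-1 (the same format as the IoCs listed earlier) and compared against a baseline taken right after provisioning, and loaded modules still visible in sysfs are compared against the kernel's own module list, since a module that unlinks itself from that list usually leaves its sysfs entry behind. The ESP tree, file contents, module names and sysfs layout built in `demo()` are constructed; the check relies on the `initstate` attribute being present only for loadable (not built-in) modules.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_esp(esp_root) -> dict:
    """Relative path -> upper-case SHA-1 for every .efi file under the ESP (FAT is case-insensitive)."""
    root = Path(esp_root)
    return {p.relative_to(root).as_posix(): hashlib.sha1(p.read_bytes()).hexdigest().upper()
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".efi"}


def diff_esp(baseline: dict, current: dict) -> dict:
    """Classify drift against a known-good baseline: new, modified and missing loaders."""
    return {"added": sorted(set(current) - set(baseline)),
            "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
            "missing": sorted(set(baseline) - set(current))}


def parse_proc_modules(text: str) -> set:
    """Module names as the kernel's module list reports them (first column of /proc/modules)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def sysfs_live_modules(sys_module) -> set:
    """Modules still present in /sys/module; only loadable modules carry an initstate attribute."""
    return {d.name for d in Path(sys_module).iterdir() if (d / "initstate").is_file()}


def hidden_modules(proc_modules_text: str, sys_module) -> set:
    """Modules in sysfs but absent from the module list: the signature of list-unlinking rootkits."""
    return sysfs_live_modules(sys_module) - parse_proc_modules(proc_modules_text)


def demo() -> tuple:
    """Constructed ESP tree and sysfs layout (not real data) exercising both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp, "esp", "EFI", "ubuntu")
        esp.mkdir(parents=True)
        (esp / "shimx64.efi").write_bytes(b"constructed shim")
        (esp / "grubx64.efi").write_bytes(b"constructed grub")
        baseline = hash_esp(Path(tmp, "esp"))                      # captured at provisioning time
        (esp / "grubx64.efi").write_bytes(b"constructed grub, patched")  # modified loader
        (esp / "bootkit.efi").write_bytes(b"constructed unknown loader")  # unrecognized loader
        drift = diff_esp(baseline, hash_esp(Path(tmp, "esp")))
        sysmod = Path(tmp, "sys", "module")
        sysmod.mkdir(parents=True)
        for name, loadable in (("ext4", True), ("dropper", True), ("printk", False)):
            (sysmod / name).mkdir()
            if loadable:
                (sysmod / name / "initstate").write_text("live\n")
        proc_modules = "ext4 745472 1 - Live 0x0000000000000000\n"  # dropper unlinked itself
        return drift, hidden_modules(proc_modules, sysmod)
```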
## Related Tools/Techniques
- **Historical UEFI PoCs:** Andrea Allievi's 2012 PoC, EfiGuard, Boot Backdoor, UEFI-Bootkit.
- **In-the-Wild UEFI Bootkits:** ESPecter, FinSpy bootkit, BlackLotus.
- **Related Components:** BCDropper (Rootkit KMod), BCObserver (ELF binary loader).