Full Report
Bootkitty, the first Linux-targeting UEFI bootkit, bypassed kernel security in a proof-of-concept attack
Analysis Summary
# Tool/Technique: Bootkitty
## Overview
Bootkitty is a newly discovered UEFI bootkit specifically designed to target **Linux systems**. It is believed to be an early-stage proof of concept rather than fully operational malware, marking a shift in UEFI threat focus, which has historically centered on Windows. Its primary goal is persistence and control of execution before the operating system fully loads.
## Technical Details
- Type: Malware (Bootkit)
- Platform: Linux systems (specifically targets certain Ubuntu configurations)
- Capabilities: Disables kernel integrity verification, patches kernel functions in memory, loads unknown ELF binaries, bypasses security checks.
- First Seen: Uploaded to VirusTotal in November 2024.
## MITRE ATT&CK Mapping
Based on the described functionality:
- **TA0003 - Persistence**
- **T1542 - Pre-OS Boot**
- **T1542.003 - Pre-OS Boot: Bootkit**
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (weak fit; inferred from the in-memory patching rather than from any packing or encoding of the sample)
- **T1553.006 - Subvert Trust Controls: Code Signing Policy Modification** (patching the kernel's module signature check so unsigned modules load)
- **T1014 - Rootkit** (hooking GRUB functions and the kernel decompression routine and patching kernel functions in memory)
## Functionality
### Core Capabilities
- **UEFI Infection:** Runs as a UEFI application from the EFI System Partition before the OS loader. It does not exploit a firmware vulnerability; as shipped it executes only where Secure Boot is disabled or the attacker's certificate has been enrolled in the firmware's trusted database (db).
- **Kernel Patching:** Hooks the kernel decompression stage and patches kernel functions in memory to disable integrity checks, notably module signature verification.
- **Unsigned Module Loading:** With signature verification neutered, unsigned kernel modules and unknown ELF binaries load without complaint.
- **Security Bypass:** Once running, it bypasses the boot chain's own checks (the UEFI authentication protocols the loader calls and GRUB's verifiers) so that a tampered GRUB and kernel are accepted; it does not defeat Secure Boot itself.
### Advanced Features
- Hooks critical components such as **GRUB bootloader functions**.
- Hooks **Linux kernel decompression processes**.
- Is signed with a **self-signed certificate**, so firmware enforcing Secure Boot rejects it unless the attacker has enrolled that certificate.
- Contains **hardcoded patterns for specific kernel versions**, limiting its immediate applicability.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes not provided in the context)
- File Names: N/A (Specific names not provided in the context; related components are **BCDropper** and **BCObserver**.)
- Registry Keys: N/A (Not applicable on Linux; watch UEFI variables instead, in particular unexpected entries in the Secure Boot db.)
- Network Indicators: N/A (No C2 activity mentioned for this PoC component.)
- Behavioral Indicators: Modification of kernel integrity verification routines; hooks observed on GRUB functions and kernel decompression routines.
## Associated Threat Actors
Evidence suggests Bootkitty **is not linked to any active threat actor**; it appears to be a proof of concept rather than a tool observed in real intrusions.
## Detection Methods
- Signature-based detection: The sample carries a self-signed code-signing certificate; the binary's hash and that certificate serve as signatures when scanning the ESP, and firmware enforcing Secure Boot rejects the binary outright.
- Behavioral detection: Unexpected or modified EFI binaries on the ESP, hooks on GRUB functions and the kernel decompression routine, and a kernel that accepts unsigned modules even though module signature enforcement is configured.
- YARA rules: N/A (None provided here, but rules matching the self-signed certificate or the hardcoded kernel patch patterns would apply.)
## Mitigation Strategies
- **Enable UEFI Secure Boot:** The primary defense. Because the sample is self-signed, Secure Boot blocks it unless the attacker has enrolled their own certificate, so keep Secure Boot enabled and audit the firmware's trusted certificate database (db) and any MOK entries for unexpected keys.
- **Update Systems:** Keep the firmware (UEFI/BIOS), shim, GRUB and the kernel current; the sample relies on hardcoded patterns for specific kernel builds.
- **Maintain UEFI Revocation Lists:** Keep the forbidden-signature database (dbx) current so that revoked bootloaders and keys cannot be loaded.
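The checks listed under Detection Methods and Mitigation Strategies above, as an added example that is not code from the report or from the bootkit's authors: a POSIX shell audit that decodes the SecureBoot efivar, reads the kernel's module.sig_enforce setting, baselines and diffs the EFI binaries on the ESP, and flags self-signed entries in the Secure Boot db. The efivarfs and ESP paths, the BASELINE variable and the mokutil-like text layout parsed by flag_self_signed are assumptions, not details from the report.

```shell
#!/bin/sh
# Host audit for the conditions Bootkitty relies on. Added example, not code
# from the report. Assumed paths: efivarfs at /sys/firmware/efi/efivars and
# the ESP at /boot/efi; BASELINE and the mokutil-like layout are assumptions.
set -u

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
ESP=${ESP:-/boot/efi}
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SIG_ENFORCE=${SIG_ENFORCE:-/sys/module/module/parameters/sig_enforce}

# efivarfs stores 4 attribute bytes, then the variable data; SecureBoot's data
# is one byte, 1 when the firmware is enforcing. Prints enabled/disabled/unknown.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# module.sig_enforce=Y makes the kernel refuse unsigned modules. Bootkitty
# patches that check in memory, so this setting is necessary, not sufficient.
sig_enforce_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        Y) echo enforced ;;
        N) echo off ;;
        *) echo unknown ;;
    esac
}

# Hash every EFI binary under the ESP; save the output as a baseline.
hash_esp_binaries() {
    find "$1" -type f \( -name '*.efi' -o -name '*.EFI' \) 2>/dev/null \
        | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done
}

# Compare the ESP against a saved baseline: print NEW, CHANGED and MISSING
# binaries; return 1 if anything differs.
diff_esp_baseline() {
    hash_esp_binaries "$2" | awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0) { split(line, a); want[a[2]] = a[1] } }
        { if (!($2 in want))       { print "NEW " $2; bad = 1 }
          else if (want[$2] != $1) { print "CHANGED " $2; bad = 1 }
          delete want[$2] }
        END { for (f in want) { print "MISSING " f; bad = 1 }; exit bad }'
}

# Flag db entries whose Issuer equals Subject (self-signed). Reads the
# "[key N] ... Issuer: ... Subject: ..." layout that mokutil --db prints (an
# assumption; adjust the patterns if yours differs). A hit is not proof of
# compromise, since some OEM certificates are self-signed, but it needs review.
flag_self_signed() {
    awk '
        function emit() { if (iss != "" && iss == subj) print "SELF-SIGNED " subj; iss = ""; subj = "" }
        /^\[key/              { emit() }
        /^[ \t]*Issuer:/      { sub(/^[ \t]*Issuer:[ \t]*/, "");  iss = $0 }
        /^[ \t]*Subject:/     { sub(/^[ \t]*Subject:[ \t]*/, ""); subj = $0 }
        END                   { emit() }
    ' "$@"
}

# Run every check against the live host. Set BASELINE to a file produced
# earlier with hash_esp_binaries to get the ESP diff.
audit_host() {
    echo "secure boot:        $(secure_boot_state "$SB_VAR")"
    echo "module.sig_enforce: $(sig_enforce_state "$SIG_ENFORCE")"
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --db 2>/dev/null | flag_self_signed
    fi
    if [ -n "${BASELINE:-}" ] && [ -f "$BASELINE" ]; then
        diff_esp_baseline "$BASELINE" "$ESP" && echo "ESP matches baseline"
    else
        echo "no BASELINE set; create one with: hash_esp_binaries $ESP > esp.sha256"
    fi
    return 0
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it once as `BASELINE=esp.sha256 sh bootkit_audit.sh --audit` after saving a baseline from a known-good boot. A `disabled` Secure Boot state, an unexpected self-signed db entry, or a NEW/CHANGED line for the ESP is the condition the sample needs; `enforced` for module.sig_enforce only tells you the policy is set, not that the in-kernel check is still intact.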
## Related Tools/Techniques
- **BCDropper:** An unsigned kernel module possibly related to Bootkitty; it deploys **BCObserver**.
- **BCObserver:** A simple ELF program deployed by BCDropper that waits for the desktop environment to start and then loads a further kernel module.
- Other UEFI bootkits (historically focused on Windows).