Saturday, June 7, 2025

Researchers Discover “Bootkitty” – First UEFI Bootkit Targeting Linux Kernels


Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems.

Dubbed Bootkitty by its creators, who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC), and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024.

“The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup),” ESET researchers Martin Smolár and Peter Strýček said.

The development is significant because it heralds a shift in the cyber threat landscape: UEFI bootkits are no longer confined to Windows systems alone.

It is worth noting that Bootkitty is signed with a self-signed certificate, and therefore cannot be executed on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has already been installed.
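The Secure Boot caveat above and the researchers' note that the bootkit targets the kernel's signature verification both point to checks an administrator can run on a Linux host. The following script is an added example, not code from the article or from ESET: it decodes the raw `SecureBoot` variable as exposed by efivarfs (a 4-byte attribute prefix followed by the data), walks the `EFI_SIGNATURE_LIST` structures of the `db` variable to list which certificate owners are enrolled, and reads the active kernel lockdown mode. The GUID constants are the standard UEFI values; the sample `db` contents, the owner GUIDs and the certificate bytes in it are constructed placeholders, and the `unexpected_x509_owners` helper and its trusted-owner set are this example's own convention.

```python
"""Audit UEFI Secure Boot state and the enrolled signature databases on Linux.

Every file under /sys/firmware/efi/efivars starts with a 4-byte attribute
word followed by the variable data, so all parsers below skip those bytes.
"""
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# SignatureType used for DER-encoded X.509 certificates in db/dbx/MOK lists.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def secure_boot_enabled(raw: bytes) -> bool:
    """Interpret the raw efivarfs contents of the SecureBoot variable (1 = on)."""
    if len(raw) < 5:
        raise ValueError("SecureBoot variable too short")
    return raw[4] == 1


def lockdown_mode(text: str) -> str:
    """Return the bracketed active mode from /sys/kernel/security/lockdown,
    whose contents look like 'none [integrity] confidentiality'."""
    for word in text.split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    raise ValueError("no active lockdown mode marked")


def parse_signature_lists(raw: bytes):
    """Decode a concatenation of EFI_SIGNATURE_LIST structures (db, dbx,
    MokListRT, ...) into (signature_type, owner_guid, data) tuples."""
    body = raw[4:]  # drop the efivarfs attribute prefix
    entries, off = [], 0
    while off + 28 <= len(body):
        sig_type = uuid.UUID(bytes_le=body[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", body, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(body) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=body[pos:pos + 16])
            entries.append((sig_type, owner, body[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def unexpected_x509_owners(raw: bytes, trusted_owners):
    """SignatureOwner GUIDs of X.509 entries that are not in the trusted set."""
    return [owner for sig_type, owner, _ in parse_signature_lists(raw)
            if sig_type == EFI_CERT_X509_GUID and owner not in trusted_owners]


def build_signature_list(sig_type, signatures):
    """Encode one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = 16 + len(signatures[0][1])
    body = b"".join(owner.bytes_le + data for owner, data in signatures)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample: placeholder owner GUIDs and fake certificate bytes.
VENDOR_OWNER = uuid.UUID("11111111-1111-1111-1111-111111111111")
UNKNOWN_OWNER = uuid.UUID("22222222-2222-2222-2222-222222222222")
SAMPLE_DB = (b"\x27\x00\x00\x00"
             + build_signature_list(EFI_CERT_X509_GUID, [(VENDOR_OWNER, b"vendor-cert-der")])
             + build_signature_list(EFI_CERT_X509_GUID, [(UNKNOWN_OWNER, b"unknown-cert-der")]))


def audit_live_system():
    """Read the real variables if this machine booted via UEFI; None otherwise."""
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    db = EFIVARS / f"db-{EFI_IMAGE_SECURITY_DATABASE}"
    if not sb.exists():
        return None
    result = {"secure_boot": secure_boot_enabled(sb.read_bytes())}
    if db.exists():
        result["db_entries"] = parse_signature_lists(db.read_bytes())
    lockdown = Path("/sys/kernel/security/lockdown")
    if lockdown.exists():
        result["lockdown"] = lockdown_mode(lockdown.read_text())
    return result


if __name__ == "__main__":
    print("sample db, untrusted owners:", unexpected_x509_owners(SAMPLE_DB, {VENDOR_OWNER}))
    print("live system:", audit_live_system())
```

On a real host the trusted-owner set would be built from a known-good baseline of the vendor's and distribution's certificates; any X.509 entry in `db` (or in `MokListRT`) outside that baseline is exactly the kind of attacker-controlled certificate the article describes as the precondition for running a self-signed bootkit under Secure Boot.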

UEFI Linux Bootkit

Regardless of the UEFI Secure Boot status, the bootkit is mainly engineered to boot the Linux kernel and patch, in memory, the function's response for integrity verification before the GNU GRand Unified Bootloader (GRUB) is executed.

Specifically, if Secure Boot is enabled, it hooks two functions from the UEFI authentication protocols in such a way that UEFI integrity checks are bypassed. It then also patches three different functions in the legitimate GRUB boot loader to sidestep further integrity verifications.


The Slovakian cybersecurity company said its investigation into the bootkit also led to the discovery of a possibly related unsigned kernel module that is capable of deploying an ELF binary dubbed BCDropper, which loads another as-yet-unknown kernel module after system start.

The kernel module, which also lists BlackCat as the author's name, implements other rootkit-related functionality such as hiding files and processes and opening ports. There is no evidence to suggest a connection to the ALPHV/BlackCat ransomware group at this stage.

“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” the researchers said, adding that “it emphasizes the necessity of being prepared for potential future threats.”
