Full Report
ESET researchers make a discovery that signals a shift on the UEFI threat landscape and underscores the need for vigilance against future threats
Analysis Summary
# Tool/Technique: Bootkitty
## Overview
Bootkitty is the first identified UEFI (Unified Extensible Firmware Interface) bootkit specifically designed for Linux systems. Although currently believed to be a proof of concept (PoC) and not yet deployed in real-world attacks, its discovery signifies a major shift in the threat landscape, demonstrating that UEFI bootkits are expanding beyond Windows targets.
## Technical Details
- Type: Malware family (UEFI Bootkit)
- Platform: Linux systems (UEFI-enabled firmware)
- Capabilities: Compromising the boot process via UEFI firmware manipulation.
- First Seen: Discovery announced around November 27, 2024.
## MITRE ATT&CK Mapping
Since Bootkitty targets the firmware boot process, the most relevant mappings revolve around initial access and execution at the lowest system layers, although specific public mappings for this Linux-focused UEFI implant are nascent.
- **TA0002 - Execution**
- T1542 - Pre-compromise
- T1542.001 - System Firmware
- **TA0005 - Defense Evasion**
- T1542 - Pre-compromise
- T1542.001 - System Firmware
## Functionality
### Core Capabilities
- Infecting and modifying the UEFI firmware to execute malicious code before the operating system (Linux) loads.
- Establishing persistence at the firmware level, surviving OS reinstalls and traditional endpoint protection.
### Advanced Features
- **Platform Specificity:** Uniquely targeting Linux UEFI systems, contrasting with the historically Windows-centric nature of known UEFI firmware attacks.
- **Root of Trust Subversion:** Operating beneath the operating system, making detection by standard security software extremely difficult.
## Indicators of Compromise
*(The provided context describes the tool's existence and nature but does not list specific IOCs like hashes, file names, or C2 infrastructure. These would need to be derived from the full technical blog post.)*
- File Hashes: [Not detailed in context]
- File Names: [Not detailed in context]
- Registry Keys: [Not applicable/detailed]
- Network Indicators: [Not detailed in context]
- Behavioral Indicators: Execution occurring during the initial firmware initialization phase of the boot process.
## Associated Threat Actors
- [Not explicitly detailed in context, as it is described as a PoC discovery by ESET researchers.]
## Detection Methods
*(Specific detection methods are likely detailed in the linked ESET research blog, but based only on the summary:)*
- Signature-based detection: Difficult due to firmware location.
- Behavioral detection: Monitoring firmware integrity checks and unusual pre-OS loading activities.
- YARA rules: [Not available in context]
## Mitigation Strategies
- Secure Boot enforcement (though this can sometimes be bypassed by advanced firmware malware).
- Regular firmware integrity checks.
- Utilizing hardware Root of Trust mechanisms (if available on the system).
- Ensuring BIOS/UEFI passwords and physical security to prevent unauthorized firmware modification.
## Related Tools/Techniques
- Previous UEFI-based threats targeting Windows (e.g., LoJax, MoonBounce, CosmicStrand).
- General firmware manipulation and infection techniques.