Full Report
Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded
Analysis Summary
# Main Topic
Discovery of Bootkitty (also tracked as IranuKit), identified as the first documented Unified Extensible Firmware Interface (UEFI) bootkit specifically designed to target Linux systems.
## Key Points
- Bootkitty is assessed to be a Proof-of-Concept (PoC) and there is currently no evidence of its use in real-world attacks.
- The primary goal of the bootkit is to disable the kernel's signature verification and to preload two as-yet-unidentified ELF binaries into the Linux init process (the first user-space process the kernel starts).
- This development marks a significant shift in the threat landscape, as UEFI bootkits were previously primarily associated with Windows systems.
- The sample is signed with a self-signed certificate, so it cannot execute on a system with UEFI Secure Boot enabled unless an attacker has already compromised the machine and enrolled their own certificate in the firmware's Secure Boot trust store.
- The bootkit is engineered to boot the Linux kernel whether or not Secure Boot is enabled: it patches, in memory, the functions responsible for integrity verification *before* the GNU GRand Unified Bootloader (GRUB) is executed.
- If Secure Boot is enabled, it hooks two functions of the UEFI authentication protocols to bypass the firmware's integrity checks; it then patches three functions in the legitimate GRUB boot loader.
## Threat Actors
- **Creators/Attribution:** Reportedly created by actors using the alias **BlackCat**. The alias should not be conflated with the ALPHV/BlackCat ransomware group; no connection between the two has been established.
- **Aliases:** Also tracked as **IranuKit**.
## TTPs
- **Persistence Mechanism:** UEFI bootkit: a malicious UEFI application that runs from the EFI System Partition (ESP) ahead of the boot loader, rather than an implant written into the firmware flash itself.
- **Kernel Tampering:** Patches the kernel image in memory to disable its signature verification.
- **Payload Delivery:** Preloads two as-yet-unidentified ELF binaries into the Linux init process (via the dynamic loader's LD_PRELOAD mechanism).
- **Secure Boot Evasion (If Enabled):** Hooks functions of the UEFI authentication protocols and patches three functions in the GRUB boot loader so that unverified components pass the boot-time integrity checks.
## Affected Systems
- **Platform:** Linux systems.
- **Firmware:** Unified Extensible Firmware Interface (UEFI).
- **Bootloader Interaction:** Loads and modifies the legitimate GNU GRand Unified Bootloader (GRUB) in memory.
## Mitigations
- **UEFI Secure Boot:** Keep Secure Boot enabled and confirm the platform is in User Mode rather than Setup Mode. The PoC is self-signed, so a stock trust store rejects it; it can run under Secure Boot only after an attacker has achieved a prior compromise that lets them enroll a malicious certificate.
- **Boot-Chain Integrity:** Baseline and monitor the EFI System Partition (boot manager, shim, GRUB) and the firmware's signature databases; where available, use measured boot so that TPM-recorded measurements, not self-reports from a possibly patched kernel, attest to what actually ran.
- **Trust-Store Auditing:** Because execution on a Secure Boot system requires a foreign certificate in the UEFI trust store (or an equivalently enrolled key), audit the db and shim's Machine Owner Key (MOK) list for entries that were not provisioned by the organization.
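As an added illustration of the mitigations above (example code written for this summary, not ESET's detection tooling): a small set of shell checks that read the Secure Boot state from efivarfs, record a sha256 baseline of every EFI executable on the ESP, and report files that were added, modified or removed since that baseline. The efivar paths are the standard EFI global variables; the function names, the baseline file format and the status labels are this example's own choices. Readings taken from inside the booted OS are only as trustworthy as the kernel reporting them, so a bootkit that patches the kernel could in principle falsify them; treat this as a hygiene check and rely on measured boot or remote attestation for authoritative evidence.

```shell
#!/bin/sh
# Illustrative boot-chain checks for a Linux host (added example, not ESET's tooling).
# Function names, the baseline format and the status labels are this example's own.

# SecureBoot and SetupMode live in the EFI global variable namespace; under Linux
# efivarfs exposes each as a file of 4 attribute bytes followed by the variable data.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c
SB_EFIVAR=/sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL
SM_EFIVAR=/sys/firmware/efi/efivars/SetupMode-$EFI_GLOBAL

# Print the single data byte of a boolean efivar file as a decimal, or "absent" when
# the file is not readable (legacy BIOS boot, efivarfs not mounted, no such variable).
efivar_flag() {
    f="$1"
    [ -r "$f" ] || { echo absent; return 0; }
    od -An -t u1 -j 4 -N 1 "$f" | tr -d ' \n'
}

# "enforcing" only when SecureBoot=1 and SetupMode=0. SetupMode=1 means the platform
# key is cleared and anyone can enroll certificates, which is exactly the precondition
# a self-signed bootkit needs to run under Secure Boot.
secure_boot_status() {
    sb=$(efivar_flag "$1"); sm=$(efivar_flag "$2")
    if [ "$sb" = absent ]; then echo legacy-or-no-efivars
    elif [ "$sb" = 1 ] && [ "$sm" = 0 ]; then echo enforcing
    else echo not-enforcing
    fi
}

# Record every EFI executable on an ESP as "<sha256>  ./relative/path", sorted by path.
esp_baseline() {
    (cd "$1" && find . -type f -iname '*.efi' -exec sha256sum {} + | LC_ALL=C sort -k2)
}

# Compare an ESP against a baseline written by esp_baseline and print one
# ADDED / MODIFIED / REMOVED line per deviation (nothing printed means no drift).
esp_diff() {
    current=$(esp_baseline "$1")
    expected=$(LC_ALL=C sort -k2 "$2")
    # files present now: new path, or same path with a different hash
    printf '%s\n' "$current" | while read -r sum path; do
        [ -n "$path" ] || continue
        old=$(printf '%s\n' "$expected" | awk -v p="$path" '$2 == p { print $1 }')
        if [ -z "$old" ]; then echo "ADDED    $path"
        elif [ "$old" != "$sum" ]; then echo "MODIFIED $path"
        fi
    done
    # files in the baseline that have disappeared (e.g. a replaced boot manager)
    printf '%s\n' "$expected" | while read -r sum path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$current" | awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' \
            || echo "REMOVED  $path"
    done
}

# Usage (as root): record a baseline right after provisioning, then re-check periodically.
#   esp_baseline /boot/efi > /var/lib/esp-baseline.sha256
#   secure_boot_status "$SB_EFIVAR" "$SM_EFIVAR"
#   esp_diff /boot/efi /var/lib/esp-baseline.sha256
```

On distributions that ship shim, `mokutil --sb-state` gives the same Secure Boot answer as `secure_boot_status`; the efivar read is shown here so the check does not depend on that tool. Store the baseline somewhere the booted host cannot rewrite (a config-management server, a read-only signed artifact) and compare from there, otherwise an attacker with root can simply refresh it after planting a new `.efi`.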
## Conclusion
Bootkitty represents a significant, albeit so far unweaponized, advancement in firmware-level threats against Linux. While currently a PoC, its ability to hook the UEFI boot process and patch GRUB and kernel integrity checks before the operating system runs highlights a risk vector that Linux environments have largely treated as a Windows problem. Defenders should prioritize firmware attestation and boot-chain verification, especially in high-security environments where supply-chain integrity is paramount.
***
### Related/Ancillary Information
- The sample was uploaded to VirusTotal on November 5, 2024.
- ESET researchers Martin Smolár and Peter Strýček documented the findings.