Software:BootKitty
BootKitty is a bootkit ELF malware that hijacks the UEFI on Linux systems by using a malicious EFI booter and is the first ever bootkit for Linux systems. It was also tracked as the malware family IranuKit.[1]
Design
When the ELF program of BootKitty is ran, it attempts to disable the kernel signing feature on a Linux system and to preload two loaders, one of which is ran by the Linux kernel on boot, using the Linux init system.[2] This allows BootKitty to persist beyond system reboots, reinstallations, and hard drive replacements.[3] BootKitty primarily uses the exploit LogoFAIL in order to gain firmware-level persistence.[4] Using LogoFAIL, BootKitty embed shellcode into two BMP image files during boot to bypass Secure Boot protections by injecting rogue certifications into the MokList variant.[5] When it was detected in 2024, the EFI file used was self-signed though this normally wouldn't allow it to be ran on systems with UEFI protections on it bypasses these protections is capable of replacing the boot loader and of patching the kernel ahead of its execution.[6] BootKitty is designed mainly to target Ubuntu systems and related Linux distributions.[7] Not all devices are considered susceptible to the exploits this malware uses, the BMP image file and assembler code is specifically made for Lenovo devices and can only work on certain GNU GRUB and Linux kernel versions.[8]
The malware has been compared to the BlackLotus malware by malware and security researchers [9]
History
After BootKitty began gaining notoriety among security researchers, multiple university students from South Korea claimed responsibility for its creation as a proof-of-concept accidentally going public issuing a statement of no ill intent.[10]
References
- ↑ Lakshmanan, Ravie. "Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels" (in en). https://thehackernews.com/2024/11/researchers-discover-bootkitty-first.html.
- ↑ Lee, Junho; Kwon, Jihoon; Seo, HyunA; Lee, Myeongyeol; Seo, Hyungyu; Jung, Jinho; Koo, Hyungjoon (2025-08-11). "BOOTKITTY: a stealthy bootkit-rootkit against modern operating systems". Proceedings of the 19th USENIX Conference on Offensive Technologies (USENIX): 303–320. ISBN 978-1-939133-50-2. https://dl.acm.org/doi/10.5555/3769714.3769732.
- ↑ Vijayan, Jai (2024-12-02). "'Bootkitty' First Bootloader to Take Aim at Linux". https://www.darkreading.com/cyber-risk/bootkitty-first-bootloader-target-linux-systems.
- ↑ "LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux" (in en). 2024-11-29. https://www.binarly.io/blog/logofail-exploited-to-deploy-bootkitty-the-first-uefi-bootkit-for-linux.
- ↑ Toulas, Bill (2024-12-02). "BootKitty UEFI malware exploits LogoFAIL to infect Linux systems" (in en-us). https://www.bleepingcomputer.com/news/security/bootkitty-uefi-malware-exploits-logofail-to-infect-linux-systems/.
- ↑ "ESET Research discovers the first UEFI bootkit for Linux" (in en-GB). 2024-11-27. https://www.eset.com/uk/about/newsroom/press-releases/eset-research-discovers-the-first-uefi-bootkit-for-linux-uk/?srsltid=AfmBOorSOqi6ggrDE9dksyNM0Gyu72gJA_bQ7S_QshG3cn6gSbh6Pckb.
- ↑ Wyciślik-Wilson, Sofia Elizabella (2024-11-29). "Proving Linux is not a safe sanctuary, ESET finds first Linux-targeting UEFI bootkit malware" (in en). https://betanews.com/article/proving-linux-is-not-a-safe-sanctuary-eset-finds-first-linux-targeting-uefi-bootkit-malware/.
- ↑ Kunz, Christopher (2024-12-03). "UEFI bootkit "Bootkitty" for Linux is a university project from South Korea" (in en). https://www.heise.de/en/news/UEFI-bootkit-Bootkitty-for-Linux-is-a-university-project-from-South-Korea-10186510.html.
- ↑ Garland, Chris (2024-12-04). "Bootkitty and Linux Bootkits: We’ve Got You Covered" (in en-US). https://eclypsium.com/blog/bootkitty-linux-bootkit/.
- ↑ Kan, Michael (2024-11-27). "'Bootkitty' Malware Can Infect a Linux Machine's Boot Process" (in en). https://www.pcmag.com/news/bootkitty-malware-can-infect-a-linux-machines-boot-process?test_uuid=04IpBmWGZleS0I0J3epvMrC&test_variant=B.
