ESET researchers have reported the first UEFI bootkit targeting Linux systems. Previously, attackers used this type of malware only to attack computers running Windows, writes BleepingComputer.
Bootkitty (IranuKit) was uploaded to the VirusTotal platform on November 5, 2024 as bootkit.efi. According to ESET, for a number of reasons Bootkitty is a proof-of-concept that only works on some versions and configurations of Ubuntu and is not a full-fledged threat used in real attacks.
“Whether it’s a proof of concept or not, Bootkitty marks an interesting step forward in the UEFI threat landscape, challenging the belief that current UEFI bootkits are Windows-exclusive threats,” the researchers said, adding that the bootkit’s emergence “underscores the need to be prepared for potential future threats.”
According to ESET, the main purpose of the bootkit is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries during kernel initialization. Bootkitty is signed with a self-signed certificate, so it will not run on systems with Secure Boot enabled unless an attacker-controlled certificate has already been installed.
When the computer boots, the bootkit hooks functions in the UEFI security authentication protocols to bypass Secure Boot integrity checks, ensuring that it loads regardless of security policy. It then patches the integrity and signature verification functions in the GRUB bootloader, including the checks applied to the kernel image. Next, Bootkitty hijacks the Linux kernel decompression process and replaces the function that verifies kernel modules. Finally, it makes it possible to register any library in LD_PRELOAD, so that the library is loaded first when the system starts.
Indicators of compromise (IoC) related to Bootkitty have been published in the GitHub repository.
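The following host check is an added example, not code from ESET or from the article. It tests two conditions described above: whether Secure Boot is enabled, and whether the init process has LD_PRELOAD set. Inspecting PID 1's environment, the function names and the sample inputs are assumptions made for illustration.

```python
from pathlib import Path

# Standard efivarfs path of the UEFI SecureBoot variable (EFI global-variable GUID).
SECUREBOOT_VAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
INIT_ENVIRON = Path("/proc/1/environ")  # assumption: inspect init's environment

# Constructed sample inputs (not taken from a real host or from the bootkit).
SAMPLE_SB_OFF = bytes([0x06, 0, 0, 0, 0])  # attribute word + value 0 (disabled)
SAMPLE_SB_ON = bytes([0x06, 0, 0, 0, 1])   # attribute word + value 1 (enabled)
SAMPLE_ENVIRON = b"HOME=/\0TERM=linux\0LD_PRELOAD=/opt/example/a.so:/opt/example/b.so\0"


def secure_boot_enabled(raw):
    """efivarfs prepends a 4-byte attribute word; the SecureBoot payload is 1 byte."""
    if len(raw) < 5:
        raise ValueError("SecureBoot variable is shorter than 5 bytes")
    return raw[4] == 1


def preload_entries(environ):
    """Return the libraries named by LD_PRELOAD in a NUL-separated environ blob."""
    for item in environ.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep and name == b"LD_PRELOAD":
            # The dynamic linker accepts colons or spaces as separators.
            return value.decode("utf-8", "replace").replace(":", " ").split()
    return []


def assess(sb_raw, init_environ):
    """Return a list of findings; sb_raw is None when the variable cannot be read."""
    findings = []
    if sb_raw is None:
        findings.append("Secure Boot state unavailable (no efivarfs or legacy boot)")
    elif not secure_boot_enabled(sb_raw):
        findings.append("Secure Boot disabled: self-signed EFI binaries are not blocked")
    findings += [f"PID 1 has LD_PRELOAD entry: {lib}" for lib in preload_entries(init_environ)]
    return findings


def read_or_none(path):
    try:
        return path.read_bytes()
    except OSError:  # file missing, or not running as root
        return None


if __name__ == "__main__":
    results = assess(read_or_none(SECUREBOOT_VAR), read_or_none(INIT_ENVIRON) or b"")
    print("\n".join(results) or "no findings")
```

Run it as root so that /proc/1/environ is readable. A reading of "enabled" does not cover the case the article notes, where an attacker-controlled certificate has already been installed.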