Summary:
Bootkitty, the UEFI bootkit analysed by ESET researchers, is the first UEFI bootkit known to target Linux, specifically Ubuntu. It is believed to be a proof of concept that has not been seen deployed in the wild, but its existence shows that UEFI bootkits are no longer confined to Windows. Bootkitty disables signature verification in GRUB and in the Linux kernel and uses LD_PRELOAD to load unknown ELF binaries into the init process at boot, which is why it is treated as a warning sign for future Linux-targeting threats.
#Bootkitty #UEFIBootkit #LinuxSecurity
Keypoints:
Bootkitty is the first UEFI bootkit known to target Linux systems; its hardcoded patches are built for specific Ubuntu versions.
It disables signature verification in the GRUB bootloader and in the Linux kernel, then uses LD_PRELOAD to inject unknown ELF binaries into the init process as the system starts.
The sample is signed with a self-signed certificate, so it cannot run on a system with UEFI Secure Boot enabled unless the attacker has already enrolled their own certificate in the firmware's trust store.
Bootkitty is believed to be a proof of concept rather than an active threat.
A related unsigned kernel module, BCDropper, was found alongside it; it drops an ELF file named BCObserver, which in turn loads a kernel module.
At boot, Bootkitty hooks functions in GRUB and in the Linux kernel's EFI stub loader so that it can patch the kernel image before control is handed to it.
Removal: Bootkitty replaces the legitimate GRUB binary on the EFI System Partition and keeps the original beside it under a different name, so moving the legitimate GRUB file back to its original path removes the bootkit. Keeping Secure Boot enabled and auditing the enrolled certificates prevents the unsigned sample from loading in the first place.
MITRE Techniques:
Resource Development (T1587.001, Develop Capabilities: Malware): Bootkitty is a newly written UEFI bootkit by an unknown author.
Resource Development (T1587.002, Develop Capabilities: Code Signing Certificates): the Bootkitty sample is signed with a self-signed certificate.
Execution (T1106, Native API): BCObserver uses the finit_module system call to load a kernel module.
Execution (T1129, Shared Modules): Bootkitty uses LD_PRELOAD to load shared objects from a hardcoded path into the init process during system start.
Persistence (T1574.006, Hijack Execution Flow: Dynamic Linker Hijacking): Bootkitty patches init's environment to set LD_PRELOAD so that the next stage is loaded whenever init runs.
Persistence (T1542.003, Pre-OS Boot: Bootkit): Bootkitty is a UEFI bootkit deployed to the EFI System Partition.
Defense Evasion (T1014, Rootkit): BCDropper is a rootkit implemented as a loadable kernel module for Linux.
Defense Evasion (T1562, Impair Defenses): Bootkitty disables signature verification in the GRUB bootloader and in the Linux kernel.
Defense Evasion (T1564, Hide Artifacts): BCDropper hides itself by unlinking its entry from the kernel's module list, so it no longer appears in /proc/modules or in lsmod output.
IoC (file hashes are SHA-1):
[File Name] bootkit.efi
[File Hash] 35ADF3AED60440DA7B80F3C452047079E54364C1
[File Name] dropper.ko
[File Hash] BDDF2A7B3152942D3A829E63C03C7427F038B86D
[File Name] observer
[File Hash] E8AF4ED17F293665136E17612D856FA62F96702D
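The following script is added here as an example and is not ESET's tooling or anything from the Bootkitty sample. It turns the removal advice in the key points and the IoC list above into host checks a responder can run: it hashes every file on the mounted ESP against the three SHA-1 IoCs, looks for the renamed legitimate GRUB that Bootkitty leaves beside itself (ESET's report gives that path as EFI/ubuntu/grubx64-real.efi), reads PID 1's environment for an LD_PRELOAD entry, and compares /sys/module against /proc/modules to spot a module that has unlinked itself from the kernel's module list the way BCDropper does. Every check takes its input paths as arguments so it can also be pointed at artefacts copied from a forensic image. The function names, the `--live` flag and the sysfs `initstate` heuristic for telling loadable modules from built-in ones are this example's own choices.

```shell
#!/bin/sh
# Added example: Bootkitty / BCDropper host checks (not ESET's tooling).
# Every check returns 0 when clean and 1 when it found something, so the
# functions chain naturally with || inside a larger triage script.

# SHA-1 hashes from this page's IoC list, lowercased to match sha1sum output.
BOOTKITTY_SHA1="
35adf3aed60440da7b80f3c452047079e54364c1
bddf2a7b3152942d3a829e63c03c7427f038b86d
e8af4ed17f293665136e17612d856fa62f96702d
"

# sha1_is_ioc HASH: true if HASH (any letter case) is one of the IoCs above.
sha1_is_ioc() {
  [ -n "$1" ] && printf '%s\n' "$BOOTKITTY_SHA1" | grep -qix "$1"
}

# check_esp_hashes DIR: hash every regular file below DIR (normally the
# mounted ESP, e.g. /boot/efi) and report the ones matching an IoC.
check_esp_hashes() {
  local dir="$1" out
  [ -d "$dir" ] || { printf 'not a directory: %s\n' "$dir" >&2; return 2; }
  out=$(find "$dir" -type f -exec sha1sum {} + | while IFS= read -r line; do
          h=${line%% *}                 # sha1sum prints "<hash>  <path>"
          f=${line#* }; f=${f# }
          if sha1_is_ioc "$h"; then printf 'IOC HASH MATCH: %s (%s)\n' "$f" "$h"; fi
        done)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# check_esp_layout DIR: Bootkitty installs itself as EFI/ubuntu/grubx64.efi and
# keeps the legitimate loader next to it as grubx64-real.efi (layout as
# reported by ESET). Moving that file back over grubx64.efi removes the bootkit.
check_esp_layout() {
  local real="$1/EFI/ubuntu/grubx64-real.efi"
  [ -f "$real" ] || return 0
  printf 'RENAMED GRUB PRESENT: %s (image the ESP, then move it back to grubx64.efi)\n' "$real"
  return 1
}

# check_init_preload ENVIRON_FILE: PID 1's environment (/proc/1/environ, NUL
# separated, readable only by root) should never carry LD_PRELOAD; Bootkitty
# sets it there so its injector is mapped into init.
check_init_preload() {
  local val
  val=$(tr '\0' '\n' < "$1" | grep '^LD_PRELOAD=' || true)
  [ -n "$val" ] || return 0
  printf 'INIT PRELOAD SET: %s\n' "$val"
  return 1
}

# check_hidden_modules LSMOD_FILE SYSMODULE_DIR: loadable modules have an
# initstate attribute under /sys/module/<name>; built-in ones do not. A module
# that unlinked itself from the kernel's module list vanishes from
# /proc/modules and lsmod but, unless it also removes its kobject, keeps its
# sysfs directory. Report every such module. Inputs are files so a saved
# /proc/modules and a copied /sys/module tree from an image work too.
check_hidden_modules() {
  local lsmod_file="$1" sysdir="$2" hit=0 d name
  for d in "$sysdir"/*/; do
    [ -f "$d/initstate" ] || continue
    name=$(basename "$d")
    if ! awk '{print $1}' "$lsmod_file" | grep -qx "$name"; then
      printf 'MODULE HIDDEN FROM LIST: %s\n' "$name"; hit=1
    fi
  done
  return $hit
}

# run_live: run all checks against the running host (needs root for
# /proc/1/environ; assumes the ESP is mounted at /boot/efi).
run_live() {
  local rc=0
  check_esp_hashes /boot/efi      || rc=1
  check_esp_layout /boot/efi      || rc=1
  check_init_preload /proc/1/environ || rc=1
  check_hidden_modules /proc/modules /sys/module || rc=1
  return $rc
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as `sudo sh bootkitty-check.sh --live` on a suspect host; a non-zero exit means at least one check fired and the lines printed say which. The module check is a heuristic: a rootkit that also deletes its sysfs entry will not be caught by it, and a clean host can still show findings if a module is mid-load, so treat the output as a lead for deeper triage rather than a verdict. Hash matching only catches the exact published samples; the layout and LD_PRELOAD checks are the ones that generalise to a modified build.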
Full Research: https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/