Security researchers at the Slovak security firm ESET have discovered the first known UEFI bootkit aimed at Linux. The bootkit, which its authors named "Bootkitty", came to light after being uploaded to the VirusTotal scanning service, and it appears to target only a handful of Ubuntu releases. It is not considered an active threat at present, but its discovery shows how UEFI threats are evolving.
ESET researchers Martin Smolár and Peter Strýček found that Bootkitty hooks the UEFI firmware's image-authentication functions so that Secure Boot's integrity checks pass regardless of an image's signature, and then patches the GRUB bootloader and the Linux kernel's signature checks further down the boot chain. The bootkit itself is signed only with a self-signed certificate, so it cannot run on a machine with Secure Boot enabled unless the attacker has already installed their own certificate. Its patches also rely on hardcoded byte patterns that match specific GRUB and kernel builds; on other versions they misfire and can crash the system instead of compromising it. The end goal is to get attacker-supplied binaries loaded during boot, but the implementation is still rudimentary.
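As an added example (not code from ESET or The Register), the script below is the kind of triage a responder would run against a mounted EFI System Partition after reading the above: it parses the PE headers of every EFI image, records the image's subsystem type and SHA-256, and flags images that carry no Authenticode certificate table at all. The sample images and file names are constructed in code and are hypothetical. One caveat the article implies: the mere presence of a signature proves nothing, because Bootkitty is self-signed; what matters is whether the signer chains to a certificate in the firmware's db (or a MOK), which this script does not verify, so the hash is kept for lookup against known-good bootloader builds.

```python
"""Triage of an EFI System Partition after a Bootkitty-style incident.
Added example, not ESET's tooling; sample images below are constructed."""
import hashlib
import struct
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType of an Authenticode PKCS#7 blob
SUBSYSTEMS = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER"}


def authenticode_status(data: bytes) -> dict:
    """Parse the PE headers and report whether the image has an Authenticode
    certificate table, which is what UEFI image verification looks at."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+ (x86-64 EFI binaries)
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    cert_off = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the "RVA" is a raw file offset, not a virtual address.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    signed = 8 <= cert_size and cert_off + cert_size <= len(data)
    cert_type = None
    if signed:
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        _, _, cert_type = struct.unpack_from("<IHH", data, cert_off)
    return {
        "machine": machine,
        "subsystem": SUBSYSTEMS.get(subsystem, f"other({subsystem})"),
        "signed": signed,
        "pkcs7": signed and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_images(images: dict) -> list:
    """Run authenticode_status over {name: bytes}; unsigned or unparseable
    images sort first. A signature is not proof of legitimacy (Bootkitty is
    self-signed), so every row keeps its SHA-256 for lookup."""
    rows = []
    for name, blob in images.items():
        try:
            info = authenticode_status(blob)
        except ValueError as exc:
            rows.append({"name": name, "error": str(exc)})
            continue
        info["name"] = name
        info["suspicious"] = not info["pkcs7"]
        rows.append(info)
    return sorted(rows, key=lambda r: (not r.get("suspicious", True), r["name"]))


def scan_esp(esp_root) -> list:
    """Collect every *.efi under a mounted ESP (e.g. /boot/efi) and triage it."""
    root = Path(esp_root)
    images = {str(p.relative_to(root)): p.read_bytes()
              for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".efi"}
    return triage_images(images)


def build_sample_pe(signed: bool, subsystem: int = 10) -> bytes:
    """Constructed header-only PE32+ image (x86-64 EFI application) used as
    offline test input; not executable and not derived from Bootkitty."""
    e_lfanew = 0x40
    opt_size = 112 + 8 * 16                      # PE32+ fixed part + 16 data directories
    headers_len = e_lfanew + 4 + 20 + opt_size    # 328 bytes, 8-byte aligned for the cert table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    cert = b""
    if signed:
        body = b"\x30\x82\x00\x00"                # placeholder standing in for a PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    import sys
    rows = scan_esp(sys.argv[1]) if len(sys.argv) > 1 else triage_images(
        {"EFI/ubuntu/grubx64.efi": build_sample_pe(True),     # hypothetical names
         "EFI/ubuntu/bootkit.efi": build_sample_pe(False)})
    for r in rows:
        print(r)
```

Run it with the ESP mount point as the first argument; with no argument it triages the two constructed samples. To go further than this script, check the signer chain with a tool such as sbverify from sbsigntools against the certificates enrolled in db and MOK, and confirm Secure Boot is actually enforced on the host rather than merely configured.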
The researchers found no meaningful history on the developers, who appear to be working on their own. Bootkitty's artifacts reference "BlackCat", a name also used by the ALPHV ransomware group, but ESET says it does not believe the two are connected, and nothing ties the authors to BlackLotus, the UEFI bootkit that bypassed Secure Boot on Windows machines. Any link remains unclear.
The discovery shows that UEFI bootkits are no longer exclusive to Windows, so Linux deployments need the same preparation: Secure Boot enabled with only trusted certificates enrolled, and monitoring of the EFI System Partition and boot chain for unexpected images. ESET considers Bootkitty a proof of concept, but its existence marks a notable step forward in the UEFI threat landscape.
Source: https://www.theregister.com/2024/11/27/firstever_uefi_bootkit_for_linux