First UEFI Bootkit Malware Discovered for Linux Systems

Researchers from ESET have discovered the first ever UEFI bootkit malware specifically targeting Linux systems. The malware, named “Bootkitty,” is a proof-of-concept designed to bypass kernel signature verification and preload malicious components during the system boot process.

Unlike traditional Windows-based bootkits, Bootkitty relies on a self-signed certificate and only targets specific Ubuntu distributions, making it less likely to be deployed in real-world attacks. However, ESET warns that its existence marks an evolution in UEFI bootkit threats, regardless of its current real-world impact.

Bootkitty hooks several GRUB functions to tamper with the bootloader’s integrity checks on the binaries it loads, including the Linux kernel. It also intercepts the kernel decompression process and patches the kernel’s module signature check so that it always reports success, allowing malicious modules to load.
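The two controls Bootkitty has to defeat, firmware acceptance of its self-signed loader and the kernel's module signature check, can be audited from a live host. The following is an added defender-side example, not code from ESET or the malware; it assumes the standard efivarfs and sysfs paths and parses constructed sample inputs so it can be checked offline.

```python
import struct
from pathlib import Path
from typing import List, Optional

# Standard locations on a UEFI Linux host (assumed present; missing files are handled).
SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")
CMDLINE = Path("/proc/cmdline")

# Constructed samples: 4-byte attribute word (0x06 = BS|RT) followed by the 1-byte value.
SAMPLE_SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"


def parse_secureboot(raw: bytes) -> Optional[bool]:
    """Decode an efivarfs SecureBoot blob; True/False for enabled/disabled, None if malformed."""
    if len(raw) < 5:
        return None
    _attributes = struct.unpack("<I", raw[:4])[0]  # read only to validate the layout
    return raw[4] == 1


def assess(secureboot_raw: Optional[bytes], sig_enforce: str, cmdline: str) -> List[str]:
    """Return posture findings; an empty list means both controls are active."""
    findings = []
    state = parse_secureboot(secureboot_raw) if secureboot_raw is not None else None
    if state is None:
        findings.append("SecureBoot variable absent or malformed: firmware is not enforcing a signed boot chain")
    elif not state:
        findings.append("Secure Boot disabled: a self-signed bootloader such as Bootkitty's would be accepted")
    enforced = sig_enforce.strip() == "Y" or "module.sig_enforce=1" in cmdline.split()
    if not enforced:
        findings.append("Module signature enforcement off: unsigned modules load even without an in-memory patch")
    return findings


def assess_live_host() -> List[str]:
    """Read the real files; a missing file is treated as the control being absent."""
    sb = SECUREBOOT_VAR.read_bytes() if SECUREBOOT_VAR.exists() else None
    se = SIG_ENFORCE.read_text() if SIG_ENFORCE.exists() else "N"
    cl = CMDLINE.read_text() if CMDLINE.exists() else ""
    return assess(sb, se, cl)


if __name__ == "__main__":
    for line in assess_live_host() or ["No findings: Secure Boot on and module signatures enforced"]:
        print(line)
```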

The researchers believe that Bootkitty is in early-stage development due to its buggy nature, with many unused functions and poor kernel-version compatibility handling leading to system crashes.

ESET has published indicators of compromise (IoCs) for Bootkitty in a GitHub repository. The discovery shows attackers bringing to Linux malware techniques that were previously confined to Windows, as enterprises increasingly adopt Linux.

Source: https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux