Researchers have discovered what they believe is the first-ever malware capable of infecting the boot process of Linux systems. "Bootkitty" is proof-of-concept code developed by students in Korea for a cybersecurity training program. Though unfinished, the bootkit is fully functional and even includes an exploit for one of the several so-called LogoFAIL vulnerabilities in the Unified Extensible Firmware Interface (UEFI) ecosystem that Binarly uncovered in November 2023.
Bootkits operate at the firmware level and execute before the operating system loads, allowing them to bypass Secure Boot, the mechanism intended to protect systems from malware during startup. Such malware can persist through system reboots, operating system reinstallation, and even the physical replacement of components such as hard drives.
Researchers at ESET, who analyzed Bootkitty after finding a sample on VirusTotal last month, described it as the first UEFI bootkit for Linux they have encountered. That is significant because, until now, bootkits, the most notorious of which include BlackLotus and FinSpy, have been Windows-specific.
ESET researchers Martin Smolár and Peter Střeček wrote that Bootkitty's primary goal is to disable the kernel's signature verification feature and preload two as-yet-unknown ELF binaries via the Linux init process, the first process the Linux kernel executes during system startup.
Binarly, which also analyzed Bootkitty, found that the malware contains an exploit for CVE-2023-40238, one of several image-parsing LogoFAIL vulnerabilities in UEFI that the company reported last year. Binarly said the exploit uses shellcode embedded in bitmap image (BMP) files to bypass Secure Boot and get the OS to trust the malware. The vendor identified Linux systems from multiple manufacturers, including Lenovo, Fujitsu, HP, and Acer, as vulnerable to the exploit. "While this appears to be a proof-of-concept rather than an active threat, Bootkitty signals a major shift as attackers expand bootkit attacks beyond the Windows ecosystem," Binarly wrote. "The operating system bootloaders present a vast attack surface often overlooked by defenders, and the constant growth in complexity only makes it worse."
In recent years, UEFI and, before it, the BIOS ecosystem have been popular targets for attackers because malware operating at that level can remain virtually undetectable on compromised systems. Concerns over UEFI security came to a head with the discovery of BlackLotus, the first malware to bypass Secure Boot protections even on fully patched Windows systems.
The malware used two vulnerabilities in the UEFI Secure Boot process, CVE-2022-21894, also known as Baton Drop, and CVE-2023-24932, to install itself in a way that was virtually undetectable and unremovable. The ready availability of the malware and Microsoft's struggles to address it prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to call for improved UEFI protections. "Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community, and UEFI developers appear to still be in learning mode," CISA noted. "UEFI secure boot developers haven't all implemented public key infrastructure (PKI) practices that enable patch distribution."
ESET found that Bootkitty contains capabilities for modifying, in memory, the functions that typically verify the integrity of the GRand Unified Bootloader (GRUB), which is responsible for loading the Linux kernel during startup. However, the specific functions Bootkitty attempts to patch in memory are present on only a relatively small number of Linux systems, suggesting the malware is more proof of concept than active threat. Bolstering that theory is the presence of several unused artifacts in the code, including two functions for printing ASCII art and text during execution, ESET said.
The Korean students who developed the bootkit contacted ESET after the security vendor published its analysis. ESET quoted the students as saying they had created the malware to raise awareness of the potential for bootkits targeting Linux systems. Details of the malware were supposed to have been disclosed only as part of a future conference presentation; however, the students noted that a few samples of the bootkit ended up being uploaded to VirusTotal.
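As an added defender-side example (not code from the article, ESET, or Binarly), the POSIX shell script below baselines the protections Bootkitty is described as subverting: the UEFI Secure Boot state, the kernel's lockdown mode and module-signature enforcement (its signature verification), and an `init=` override on the kernel command line, which is one way an attacker-supplied binary could be run as the first process. The sysfs paths and the efivarfs layout (4 attribute bytes followed by the data) are standard Linux; the sample files in the demo at the bottom are constructed, not values from a real host.

```shell
#!/bin/sh
# Added example (not from the article, ESET or Binarly): baseline check for the
# boot-time protections Bootkitty targets. Every function takes an optional
# path so it can also be run against constructed sample files.
# efivarfs SecureBoot variable: 4 attribute bytes, then 1 data byte
# (1 = enabled, 0 = disabled). Prints that byte in decimal.
secureboot_state() {
  f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$f" ] || { echo unknown; return 1; }
  od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}
# Lockdown file reads "none [integrity] confidentiality"; print the active mode.
lockdown_mode() {
  f="${1:-/sys/kernel/security/lockdown}"
  [ -r "$f" ] || { echo unknown; return 1; }
  sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}
# Module signature enforcement flag: Y or N.
sig_enforce() {
  f="${1:-/sys/module/module/parameters/sig_enforce}"
  [ -r "$f" ] || { echo unknown; return 1; }
  tr -d '\n' < "$f"
}
# Succeeds if the kernel command line overrides init=, handing PID 1 to an
# arbitrary binary instead of the distribution's init.
cmdline_has_init_override() {
  f="${1:-/proc/cmdline}"
  [ -r "$f" ] && grep -qE '(^| )init=' "$f"
}
# One-line summary; non-zero exit if any protection is off or unknown.
boot_integrity_report() {
  rc=0
  sb=$(secureboot_state "$1" || true); [ "$sb" = 1 ] || rc=1
  ld=$(lockdown_mode "$2" || true); [ "$ld" = integrity ] || [ "$ld" = confidentiality ] || rc=1
  se=$(sig_enforce "$3" || true); [ "$se" = Y ] || rc=1
  io=no; cmdline_has_init_override "$4" && { io=yes; rc=1; }
  printf 'secureboot=%s lockdown=%s sig_enforce=%s init_override=%s\n' \
    "$sb" "$ld" "$se" "$io"
  return $rc
}
# Stand-alone demo on constructed sample files (not values from a real host).
demo=$(mktemp -d)
printf '\006\000\000\000\000' > "$demo/SecureBoot"   # attributes, then value 0 (off)
printf 'none [integrity] confidentiality\n' > "$demo/lockdown"
printf 'Y\n' > "$demo/sig_enforce"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro init=/tmp/x\n' > "$demo/cmdline"
boot_integrity_report "$demo/SecureBoot" "$demo/lockdown" "$demo/sig_enforce" \
  "$demo/cmdline" || echo "WARNING: boot-time protections are not all active"
rm -rf "$demo"
```

Run it without arguments on a live host (as root, since efivarfs and securityfs are root-readable) to check the real values; a non-zero exit means at least one of the protections the bootkit relies on defeating is already off.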
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941