Bootkitty: the first UEFI bootkit for Linux


A few days ago ESET announced the first proof-of-concept UEFI bootkit for Linux, named "Bootkitty". This bootkit is part of a project created by cybersecurity students from Korea's Best of the Best (BoB) training program.

Bootkitty is an advanced threat that installs itself as a replacement for the GRUB bootloader on Linux systems, using the UEFI environment to covertly maintain control of the system. This malware, the first UEFI bootkit designed for Linux, loads malicious components into the kernel to ensure persistence.

How Bootkitty Works

  1. Replacing GRUB:
    The first step of the bootkit is to replace the standard bootloader, grubx64.efi, on the EFI System Partition, so that the malicious payload runs during system boot.
  2. GRUB memory corruption:
    Once active, the bootkit loads the legitimate GRUB2 bootloader into memory but patches it to disable integrity checking of later components. It also adds a driver that manipulates the kernel loading process.
  3. Kernel modifications:
    • The bootkit patches kernel functions loaded into memory, disabling validation of digital signatures on kernel modules.
    • It then changes the kernel's init command line, replacing /init with a malicious command that uses LD_PRELOAD to load the malicious library injector.so.
  4. Malicious components:
    • injector.so:
      A library that intercepts system calls such as init_module and SELinux-related functions, allowing malicious kernel modules to be loaded.
    • dropper.ko:
      A kernel module that creates and executes the binary /opt/observer. It also hides itself in the kernel module list and manipulates system functions so that its presence, certain files and its network traffic are not detected.
    • Observer and rootkit loader:
      The executable /opt/observer loads another malicious module (rootkit_loader.ko), which in turn activates a full rootkit on the compromised system.

Bootkitty is a functional bootkit whose stated goal is to:

"Raise awareness within the security community about potential risks and encourage proactive measures to prevent similar threats. Unfortunately, few bootkit samples were disclosed prior to the planned presentation at the conference."

Attack method

The attack is carried out by placing a specially crafted BMP image on the EFI System Partition (ESP). The image is presented to the UEFI firmware as the manufacturer's boot logo. Because of vulnerabilities, such as buffer overflows, in the libraries the firmware uses to parse images, the malicious image triggers code execution in the context of the UEFI firmware. Although the LogoFAIL vulnerability was disclosed a year ago and has been fixed in recent UEFI firmware updates, many devices still run outdated, vulnerable versions and remain open to this type of exploitation.

Bootkitty: ASCII art embedded in the bootkit

Bootkitty has significant limitations in its implementation: the modifications it makes to kernel functions in memory rely on hard-coded offsets and are not checked against the kernel version actually loaded.

As a result, the bootkit only works with the kernel and GRUB versions shipped in certain Ubuntu distributions, and causes boot failures on other systems. Additionally, the bootkit uses a self-signed certificate to validate its modified bootloader (grubx64.efi), so it is ineffective on systems with UEFI Secure Boot enabled unless the attacker's certificate has been manually added to the firmware's list of trusted certificates.

Researchers at Binarly noted that among the Bootkitty components were BMP images linked to LogoFAIL, a UEFI vulnerability that allows arbitrary code execution at the firmware level and bypasses UEFI Secure Boot restrictions. In this case, LogoFAIL was used to automatically insert the attacker's self-signed certificate into the list of trusted certificates, enabling the bootkit to execute even on systems with Secure Boot enabled.
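The boot chain in the "How Bootkitty Works" list and the LogoFAIL delivery described above leave traces a defender can look for on a host: an init process started through LD_PRELOAD, a BMP file staged on the ESP, the /opt/observer binary, and a Secure Boot state that would let a self-signed grubx64.efi boot unchallenged. The following Python script is an added example of triaging those traces; it is not code from ESET, Binarly or the BoB project. The component names and paths come from the write-up; the ESP mount points, the set of init binaries treated as normal, and the assumption that the LD_PRELOAD wrapper leaves the variable in PID 1's environment are mine, and the efivars path is the standard location of the SecureBoot variable on Linux.

```python
"""Host triage for the Bootkitty boot chain described in this post.

Added example; not code from ESET, Binarly or the BoB project. Every
check is a pure function over strings/bytes so it can run against a live
host or against artefacts copied out of a disk image.
"""
import os
import re
from pathlib import Path
from typing import Dict, List, Optional

# Component names and paths as given in the write-up.
INDICATOR_PATHS = ["/opt/observer"]
INDICATOR_NAMES = {"injector.so", "dropper.ko", "rootkit_loader.ko"}
# Assumptions: typical ESP mount points and init binaries treated as normal.
ESP_MOUNTS = ["/boot/efi", "/efi"]
NORMAL_INIT = {"/sbin/init", "/init", "/lib/systemd/systemd",
               "/usr/lib/systemd/systemd"}
# SecureBoot variable in the EFI global variable namespace (UEFI spec GUID).
SB_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def check_cmdline(cmdline: str) -> List[str]:
    """Flag an init= override or an LD_PRELOAD on the kernel command line."""
    findings = []
    if re.search(r"(^|\s)LD_PRELOAD=", cmdline):
        findings.append("LD_PRELOAD present on kernel command line")
    m = re.search(r"(^|\s)init=(\S+)", cmdline)
    if m and m.group(2) not in NORMAL_INIT:
        findings.append(f"non-standard init override: {m.group(2)}")
    return findings


def check_pid1_environ(environ: bytes) -> List[str]:
    """PID 1 keeps the environment it was exec'd with; the write-up's
    'LD_PRELOAD ... injector.so' wrapper would leave that variable here
    (assumption: the variable is not scrubbed before init starts)."""
    return ["PID 1 environment: " + e.decode(errors="replace")
            for e in environ.split(b"\0") if e.startswith(b"LD_PRELOAD=")]


def check_esp_listing(paths: List[str]) -> List[str]:
    """Flag image files on the ESP (the LogoFAIL delivery vector) and any
    file whose name matches a component named in the write-up."""
    findings = []
    for p in paths:
        name = Path(p).name.lower()
        if name.endswith(".bmp"):
            findings.append(f"BMP image on ESP: {p}")
        if name in INDICATOR_NAMES:
            findings.append(f"known component name on ESP: {p}")
    return findings


def secure_boot_enabled(var_bytes: Optional[bytes]) -> Optional[bool]:
    """Decode the SecureBoot efivar: 4 attribute bytes, then one data byte."""
    if var_bytes is None or len(var_bytes) < 5:
        return None
    return var_bytes[4] == 1


def triage(cmdline: str, pid1_environ: bytes, esp_paths: List[str],
           existing_paths: List[str], sb_var: Optional[bytes]) -> Dict[str, object]:
    """Combine the checks. 'findings' are indicators of the chain itself;
    Secure Boot state is reported separately because it is a risk factor,
    not evidence of compromise."""
    findings = check_cmdline(cmdline) + check_pid1_environ(pid1_environ)
    findings += check_esp_listing(esp_paths)
    findings += [f"indicator file present: {p}"
                 for p in existing_paths if p in INDICATOR_PATHS]
    return {"secure_boot": secure_boot_enabled(sb_var),
            "findings": findings, "suspicious": bool(findings)}


def collect_live() -> Dict[str, object]:
    """Gather the inputs from a running Linux host (root needed for PID 1)."""
    def read_bytes(path: str) -> Optional[bytes]:
        try:
            return Path(path).read_bytes()
        except OSError:
            return None
    cmdline = (read_bytes("/proc/cmdline") or b"").decode(errors="replace")
    esp_paths = [str(p) for m in ESP_MOUNTS if Path(m).is_dir()
                 for p in Path(m).rglob("*") if p.is_file()]
    existing = [p for p in INDICATOR_PATHS if os.path.exists(p)]
    return triage(cmdline, read_bytes("/proc/1/environ") or b"",
                  esp_paths, existing, read_bytes(SB_VAR))


if __name__ == "__main__":
    result = collect_live()
    print("Secure Boot:", result["secure_boot"])
    for f in result["findings"]:
        print("FINDING:", f)
    if not result["findings"]:
        print("no Bootkitty indicators found (a rootkit may hide files; verify offline)")
```

Run it as root so /proc/1/environ is readable. Because the write-up says dropper.ko hides itself and certain files, a clean result from the live host is weak evidence: the stronger check is to mount the ESP from a trusted environment and compare the hash of grubx64.efi against the distribution's signed package, and to review the enrolled Secure Boot certificates for an entry that the vendor did not ship.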

Finally, if you are interested in learning more, you can check the details at the following link.