November 28, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have uncovered Bootkitty, the first known Unified Extensible Firmware Interface (UEFI) bootkit targeting Linux systems. Developed as a proof-of-concept (PoC) by creators using the name BlackCat, the bootkit was identified when it was uploaded to VirusTotal on November 5, 2024. Also known as IranuKit, Bootkitty’s primary function is to disable the Linux kernel’s signature verification and preload two unidentified ELF binaries via the Linux init process, which initiates system startup.
According to the researchers, the discovery is significant because it extends UEFI bootkits beyond Windows systems for the first time. The bootkit works by bypassing key security mechanisms, notably UEFI Secure Boot. Although Bootkitty is signed with a self-signed certificate, it cannot execute on systems with Secure Boot enabled unless an attacker has already installed a rogue certificate.
If Secure Boot is enabled, Bootkitty hooks UEFI authentication protocol functions to evade integrity checks. It also modifies three key functions within the GRUB bootloader to circumvent further integrity verification. Regardless of Secure Boot status, Bootkitty manipulates the kernel’s response to integrity verification, effectively booting a compromised Linux kernel.
Once the system starts, Bootkitty interferes with the Linux kernel’s decompression process, enabling the loading of malicious modules. It leverages the LD_PRELOAD environment variable to inject two unknown ELF shared objects (“/opt/injector.so” and “/init”) during the init process. During the investigation, researchers uncovered a related unsigned kernel module named BCDropper, which deploys an ELF binary called BCObserver. BCObserver, in turn, loads another unidentified kernel module at system start that incorporates rootkit functionality such as file and process hiding and port manipulation. These capabilities point to sophisticated persistence and stealth mechanisms.
Although there is no evidence linking Bootkitty to the ALPHV/BlackCat ransomware group, its development signals a shift in the UEFI threat landscape. Bootkitty demonstrates that UEFI bootkits are no longer exclusive to Windows environments, underlining the need for heightened vigilance and preparedness against such evolving threats. As a groundbreaking Linux-focused UEFI bootkit, Bootkitty serves as a warning about the increasing sophistication of cyberattacks targeting critical system components.
Impact
- Gain Access
Indicators of Compromise
MD5
- 23943ba4aeee2cd9795e072c93b18d63
- 43e0656340c4c6ccf7f22f3ddc75ded2
- d734c6a86fab0c66a899d3412347bc99
SHA-256
- 9ee580a9be05b44a9b5102701c8cf45417c3a96617dbf73c40ac5ac4773dfe97
- f1f84819bdf395d42c36adb36ded0e7de338e2036e174716b5de71abc56f5d40
- 0a54fe932ebc3e4fd5aeaf094ac163c9e92d1efa7ab66af3d1cbd2cb9ee4c294
SHA1
- e8af4ed17f293665136e17612d856fa62f96702d
- 35adf3aed60440da7b80f3c452047079e54364c1
- bddf2a7b3152942d3a829e63c03c7427f038b86d
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure UEFI Secure Boot is enabled on all systems. Regularly audit the integrity of installed certificates and replace any that are not trusted or have been compromised.
- Keep UEFI firmware, bootloaders (e.g., GRUB), and Linux kernels updated with the latest security patches to mitigate known vulnerabilities.
- Secure physical and remote access to systems to prevent attackers from installing rogue UEFI certificates or bootkits.
- Use tools like CHIPSEC or other firmware integrity verification solutions to detect anomalies in UEFI firmware and boot processes.
- Configure the system to allow only signed and verified kernel modules, reducing the risk of malicious module injection.
- Monitor and restrict modifications to critical environment variables like LD_PRELOAD to prevent the loading of malicious shared objects.
- Use EDR solutions capable of detecting low-level threats, such as unauthorized kernel modifications or rootkit behavior.
- Periodically review bootloader, kernel, and firmware configurations for unauthorized changes or suspicious activity.
- Ensure system administrators and IT teams are aware of emerging UEFI threats and are trained to respond to incidents involving bootkits or firmware-level compromises.
- Maintain secure, offline backups of critical systems to facilitate recovery in case of a compromise.
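The remediation items above reduce to a handful of host checks: is Secure Boot actually on, does the kernel enforce module signatures, is any loaded module unsigned, has anything been planted in the system-wide preload file, and do any files on disk match the advisory's hashes. The bash script below is an added example of running those checks; it is not tooling from the advisory's author, from the ESET researchers, or from the bootkit's creators. It assumes a Linux host with efivarfs mounted at /sys/firmware/efi/efivars, the standard /sys/module layout (a per-module taint file and the sig_enforce parameter) and GNU coreutils. The SHA-256 values are copied from the IoC list above; the function names, the path arguments and the constructed inputs are the example's own.

```bash
#!/usr/bin/env bash
# Constructed triage helper for the Bootkitty advisory above: an added example, not
# tooling from Rewterz, ESET or the bootkit's authors. Each check takes its input
# path as an argument, so it can be pointed at the live system paths (root needed
# for efivars and /sys) or at copies of those files collected from a suspect host.
set -u

# SHA-256 indicators copied verbatim from the advisory's IoC list.
BOOTKITTY_SHA256="
9ee580a9be05b44a9b5102701c8cf45417c3a96617dbf73c40ac5ac4773dfe97
f1f84819bdf395d42c36adb36ded0e7de338e2036e174716b5de71abc56f5d40
0a54fe932ebc3e4fd5aeaf094ac163c9e92d1efa7ab66af3d1cbd2cb9ee4c294
"

# Secure Boot state from the SecureBoot UEFI variable. An efivarfs file is four
# attribute bytes followed by the variable data; for SecureBoot the data is a single
# byte, 1 = enabled. Prints enabled / disabled / unknown (no variable: legacy boot).
secure_boot_state() {
  local var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$var" ] || { echo unknown; return 0; }
  local b
  b=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
  case "$b" in 1) echo enabled ;; 0) echo disabled ;; *) echo unknown ;; esac
}

# Preload injection: Bootkitty relies on LD_PRELOAD-style loading of shared objects,
# and /etc/ld.so.preload is the persistent, system-wide form of the same mechanism.
# It should be absent or empty; prints every entry and returns 1 if any were found.
ld_preload_entries() {
  local f="${1:-/etc/ld.so.preload}" n=0 line
  [ -f "$f" ] || return 0
  while read -r line || [ -n "$line" ]; do   # default IFS trims surrounding blanks
    line="${line%%#*}"                       # drop comments
    line="${line%"${line##*[![:space:]]}"}"  # trim blanks left before the comment
    [ -z "$line" ] && continue
    echo "$line"
    n=$((n + 1))
  done < "$f"
  [ "$n" -eq 0 ]
}

# Kernel module signature enforcement (the "only signed and verified kernel modules"
# item): /sys/module/module/parameters/sig_enforce reads Y when unsigned modules are
# refused. Prints Y / N / unknown.
module_sig_enforce() {
  local f="${1:-/sys/module/module/parameters/sig_enforce}"
  if [ -r "$f" ]; then tr -d '\n' < "$f"; echo; else echo unknown; fi
}

# Loaded modules the kernel flagged as unsigned: /sys/module/<name>/taint holds the
# per-module taint flags, and E marks a module loaded without a valid signature
# (BCDropper is described above as an unsigned module). Prints the module names.
unsigned_loaded_modules() {
  local root="${1:-/sys/module}" d
  for d in "$root"/*/; do
    [ -r "$d/taint" ] || continue
    case "$(cat "$d/taint")" in *E*) basename "$d" ;; esac
  done
}

# IoC sweep: SHA-256 every regular file under the given directories and report any
# hash on the list. IOC_LIST may override the built-in list. Prints "<hash>  <path>"
# per hit and returns 1 when anything matched, 0 when clean.
ioc_sweep() {
  local list="${IOC_LIST:-$BOOTKITTY_SHA256}" matches
  matches=$(find "$@" -type f -exec sha256sum {} + 2>/dev/null |
    while read -r h p; do
      case "$list" in *"$h"*) printf '%s  %s\n' "$h" "$p" ;; esac
    done)
  [ -z "$matches" ] && return 0
  printf '%s\n' "$matches"
  return 1
}

# Whole-host report against the default paths: ./bootkitty_triage.sh --run
triage_report() {
  echo "secure_boot:        $(secure_boot_state)"
  echo "module_sig_enforce: $(module_sig_enforce)"
  echo "unsigned_modules:   $(unsigned_loaded_modules | tr '\n' ' ')"
  echo "ld.so.preload:      $(ld_preload_entries | tr '\n' ' ')"
  ioc_sweep /boot /opt /init || echo "IOC HIT(S) LISTED ABOVE"
}

if [ "${1:-}" = "--run" ]; then triage_report; fi
```

The sweep is deliberately limited to the locations the advisory names (the boot partition, /opt and /init); widen the path list if collected evidence suggests other drop locations. A hash match is only one signal: an attacker who rebuilds the payload changes every hash, so the Secure Boot, signature-enforcement and unsigned-module checks carry more weight as ongoing controls than the IoC match does.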