Bootkitty: First Linux UEFI Bootkit

ESET Research has discovered the first Linux UEFI bootkit and named it Bootkitty. The sample was uploaded to VirusTotal in early November 2024, which is how it came to the attention of the security researchers.

For Windows, UEFI bootkits, which load at the UEFI stage when the system starts and are therefore active before the operating system, have been known for some time. Now there is "Bootkitty", the Linux UEFI bootkit.

Linux UEFI-Boot-Kit

The Linux UEFI bootkit disables kernel signature verification and preloads two ELF binaries that were unknown to ESET's researchers at the time of their first analysis, as they wrote in their post on X. Details of this discovery can be found in the blog post Bootkitty: Analyzing the first UEFI bootkit for Linux.
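A bootkit that runs before the kernel and switches off signature verification is best caught from the platform side rather than from inside the running OS. The script below is an added defender-side example (it is not ESET's code and not part of the Bootkitty analysis) that audits three things an administrator would want to know on a Linux host: whether Secure Boot is enforcing (read from the SecureBoot EFI variable under efivarfs), which kernel lockdown mode is active (read from securityfs), and whether the set of .efi binaries on the EFI System Partition has drifted from a stored baseline. The path constants and the idea of a baseline inventory saved at install time are assumptions for the example; the parsing functions take raw file contents, so they can be exercised with constructed data.

```python
"""Added example: audit Secure Boot state, kernel lockdown and ESP binary drift.

Not part of the original post or of ESET's research; paths and the baseline
scheme are assumptions for illustration.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional

# Real locations on a Linux host with efivarfs and securityfs mounted (the GUID is
# the EFI global variable namespace). main() only reads them when they exist, so
# the script also runs on hosts without them.
SECUREBOOT_VAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)
LOCKDOWN_FILE = Path("/sys/kernel/security/lockdown")
ESP_MOUNT = Path("/boot/efi")  # assumption: common mount point for the ESP


def secure_boot_enabled(efivar_bytes: bytes) -> Optional[bool]:
    """efivarfs prefixes every variable with 4 bytes of attributes; the SecureBoot
    variable then carries a single data byte: 1 = enforcing, 0 = disabled."""
    if len(efivar_bytes) < 5:
        return None  # variable absent or truncated: cannot decide
    return efivar_bytes[4] == 1


def lockdown_mode(lockdown_text: str) -> str:
    """/sys/kernel/security/lockdown reads like '[none] integrity confidentiality';
    the bracketed token is the active mode."""
    for token in lockdown_text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return "unknown"


def esp_inventory(esp_root: Path) -> Dict[str, str]:
    """SHA-256 of every .efi binary below the ESP, keyed by path relative to it."""
    inventory: Dict[str, str] = {}
    for p in sorted(esp_root.rglob("*")):
        if p.is_file() and p.suffix.lower() == ".efi":
            rel = p.relative_to(esp_root).as_posix()
            inventory[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return inventory


def inventory_drift(baseline: Dict[str, str],
                    current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a stored baseline inventory with the current one."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline
                          if k in current and baseline[k] != current[k]),
    }


def findings(secure_boot: Optional[bool], lockdown: str,
             drift: Dict[str, List[str]]) -> List[str]:
    """Turn the raw checks into human-readable findings for a report."""
    out: List[str] = []
    if secure_boot is False:
        out.append("Secure Boot is disabled: unsigned EFI binaries can run before the kernel")
    elif secure_boot is None:
        out.append("SecureBoot EFI variable not readable: legacy BIOS boot or efivarfs not mounted")
    if lockdown == "none":
        out.append("kernel lockdown is 'none': no integrity restrictions are enforced at runtime")
    for kind in ("added", "removed", "changed"):
        for path in drift[kind]:
            out.append(f"ESP binary {kind}: {path}")
    return out


def main() -> None:
    sb = secure_boot_enabled(SECUREBOOT_VAR.read_bytes()) if SECUREBOOT_VAR.exists() else None
    ld = lockdown_mode(LOCKDOWN_FILE.read_text()) if LOCKDOWN_FILE.exists() else "unknown"
    current = esp_inventory(ESP_MOUNT) if ESP_MOUNT.is_dir() else {}
    # In practice the baseline is loaded from a file written at install time;
    # with an empty baseline every binary on the ESP is reported as 'added'.
    for line in findings(sb, ld, inventory_drift({}, current)) or ["no findings"]:
        print(line)


if __name__ == "__main__":
    main()
```

Run it as root (efivarfs entries and the ESP are usually not world-readable), store the inventory from a freshly installed system as the baseline, and schedule the comparison; a Secure Boot state of disabled combined with a new or changed binary on the ESP is the combination worth paging on.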

Addendum: It was a student project, as ESET Research posted on December 2, 2024 on X:

UPDATE: #ESETresearch was contacted by one of the possible authors of the Bootkitty bootkit, claiming the bootkit is part of a project created by cybersecurity students participating in Korea's Best of the Best (BoB) training program. 1/2
This supports our belief that it was an initial proof of concept rather than a malware used by real threat actors. Nonetheless, the blog post remains accurate — it is a functional bootkit and the first publicly known UEFI bootkit for Linux. 2/2