
- 328/2024
- High
Cybersecurity researchers discovered a new UEFI bootkit, “Bootkitty”, in November 2024. It specifically targets Linux systems, marking a shift for a class of stealthy, hard-to-remove threats that had previously focused on Windows.
Bootkitty is a UEFI bootkit: it is installed on the EFI System Partition in place of the legitimate bootloader, hooks GRUB, and patches the Linux kernel in memory before the kernel starts. This lets an attacker run code during the Linux startup process, before any OS-level security control is active, which makes it very hard to detect or remove from inside the running system.
Bootkitty’s main objective is to disable the kernel’s signature verification and preload two ELF binaries into the Linux init process, the first user-space process the kernel executes during startup. The bootkit is signed with a self-signed certificate, so it will not run on a system with UEFI Secure Boot enabled unless the attacker has already enrolled their own certificate in the firmware’s trust store. This makes Secure Boot an important defense against this threat.
Bootkitty has been observed exploiting the LogoFAIL vulnerability (CVE-2023-40238), a flaw in the way some UEFI firmware parses boot logo images. By planting a crafted image file on the EFI System Partition (ESP), an attacker obtains code execution while the firmware parses the image, before the bootloader runs, and can use it to subvert Secure Boot and take over the system during startup.
The Tactics and Techniques of the Bootkitty UEFI Malware:
o Execution:
- BCObserver uses the finit_module system call to load a kernel module.
- Bootkitty uses LD_PRELOAD to preload shared objects from a hardcoded path into the init process during system start.
o Persistence:
- Bootkitty patches the LD_PRELOAD variable into init’s environment so that the next stage is loaded when init executes.
- Bootkitty is a UEFI bootkit meant to be deployed on the EFI System Partition.
- BCDropper serves as a rootkit implemented as a loadable kernel module for Linux systems.
o Defense Evasion:
- Bootkitty disables signature verification features in the GRUB bootloader and Linux kernel.
- BCDropper hides itself by removing its module’s entry from the kernel’s modules list.
o Impact:
- Bootkitty runs as a UEFI application from the EFI System Partition, below the operating system: it executes before the kernel and tampers with GRUB and the kernel before either can enforce signature checks. It does not reside in the motherboard’s SPI flash, so unlike a true firmware implant it is removed by wiping the ESP and reinstalling a trusted bootloader; it can, however, survive an OS reinstall that leaves the ESP untouched.
- The malware regains control on every boot and re-applies its patches, so removal from inside the running system is unreliable; the ESP must be cleaned from trusted media and the firmware’s certificate stores checked for a rogue certificate.
- Because it patches the kernel before user space starts, antivirus and endpoint detection agents running on that kernel inherit a tampered view of the system and typically do not inspect the boot chain. This makes the bootkit difficult to detect and remove with standard security tools.
Vulnerabilities
CVE-2023-40238
Mitigations
- Ensure UEFI Secure Boot is enabled, so that a bootloader signed with an untrusted (for example self-signed) certificate is refused; pair it with kernel-side enforcement of module signatures so unsigned kernel modules cannot be loaded.
- Keep the Linux kernel and the rest of the stack (applications, databases, servers, network devices) updated and periodically hardened, and obtain firmware updates only from the OEM’s official website.
- Regularly update system firmware and the operating system to patch vulnerabilities; firmware updates are what close LogoFAIL.
- Monitor for signs of Bootkitty, such as a modified kernel version string (uname -v, /proc/version), an altered Linux banner, LD_PRELOAD set in init’s environment, or an unexpected bootloader on the ESP.
- Verify the integrity of the EFI System Partition and of the firmware to detect unauthorized modifications.
- If the GRUB bootloader on the ESP has been replaced, restore the legitimate, distribution-signed GRUB file to its original location from trusted media.
- Ensure that only trusted certificates are enrolled in the firmware’s Secure Boot databases and the shim MOK list, so a rogue certificate cannot be used to authorize the bootkit.
- Implement endpoint detection solutions that scan the boot chain (ESP contents and firmware), not only the running operating system.
- Ensure that backups are stored offline and tested regularly to verify their integrity.
- Develop an incident response plan to promptly and proactively address suspicious activities.
- Search your environment for the published indicators of compromise (IOCs) for this threat.
- Block those IOCs on the organization’s security devices.
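The following triage script is an added example and is not part of the original advisory or of any vendor tooling. It turns the detection hints above (Secure Boot state, LD_PRELOAD in init’s environment, a tampered kernel banner, a kernel module hidden from the module list, a replaced GRUB on the ESP) into checks a responder can run on a UEFI-booted Linux host. The Secure Boot variable path, /proc/1/environ, /proc/modules and /sys/module are standard Linux; the ESP and package paths (/boot/efi/EFI/ubuntu/grubx64.efi and /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed) are this example’s Debian/Ubuntu assumption, and the “#<build number>” banner test is a heuristic. Every check takes file paths as arguments, so it can also be run against copies captured from a suspect host.

```shell
#!/bin/sh
# Added example (not ESET's or the advisory's own tooling): host triage for
# the Bootkitty behaviours described above. Each check is a function taking
# file paths; defaults point at the live host. Assumptions: UEFI-booted
# Linux; ESP/package paths in the last check assume Debian/Ubuntu.

# Secure Boot state from the UEFI variable: 4 bytes of attributes followed
# by one byte of value (1 = enabled). Prints enabled / disabled / unknown.
secure_boot_state() {
  var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e0980e8be0}"
  [ -r "$var" ] || { echo unknown; return 0; }
  case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Bootkitty patches LD_PRELOAD into init's environment. Prints the value
# found in a NUL-separated environ file (default: PID 1's), or nothing.
ld_preload_in_environ() {
  environ="${1:-/proc/1/environ}"
  tr '\000' '\n' < "$environ" | sed -n 's/^LD_PRELOAD=//p'
}

# Stock distribution kernels report a UTS version (uname -v) beginning with
# "#<build number>"; a patched banner that breaks this pattern deserves a
# closer look. Heuristic only: a locally built kernel may also differ.
version_looks_stock() {
  case "${1:-$(uname -v)}" in
    "#"[0-9]*) echo ok ;;
    *) echo suspicious ;;
  esac
}

# A module that unlinks itself from the kernel's module list (as described
# for BCDropper) vanishes from /proc/modules and lsmod, but its sysfs
# directory remains. Loaded modules have an initstate file; built-in ones
# do not. Prints names present in sysfs but missing from the module list.
hidden_modules() {
  proc_modules="${1:-/proc/modules}"
  sys_module="${2:-/sys/module}"
  for dir in "$sys_module"/*/; do
    [ -e "${dir}initstate" ] || continue
    name=$(basename "$dir")
    grep -q "^$name " "$proc_modules" || echo "$name"
  done
}

# Compare the bootloader actually on the ESP with the distribution's
# packaged, signed copy. Defaults are the Debian/Ubuntu locations (an
# assumption of this example). Prints match / MISMATCH / missing.
esp_bootloader_matches_package() {
  esp_file="${1:-/boot/efi/EFI/ubuntu/grubx64.efi}"
  pkg_file="${2:-/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed}"
  [ -r "$esp_file" ] && [ -r "$pkg_file" ] || { echo missing; return 0; }
  if cmp -s "$esp_file" "$pkg_file"; then echo match; else echo MISMATCH; fi
}

run_live_checks() {
  echo "Secure Boot:         $(secure_boot_state)"
  echo "LD_PRELOAD in PID 1: $(ld_preload_in_environ)"
  echo "Kernel banner:       $(version_looks_stock) ($(uname -v))"
  echo "Hidden modules:      $(hidden_modules | tr '\n' ' ')"
  echo "ESP GRUB vs package: $(esp_bootloader_matches_package)"
}

# Only touch the live host when asked (run as root: sh triage.sh --live),
# so the functions can be exercised against captured files as well.
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

A clean result is Secure Boot enabled, no LD_PRELOAD in PID 1, a stock-looking banner, no hidden modules and a matching GRUB. Any other outcome is a reason to boot from trusted media, compare the ESP contents against the distribution’s packages, and review the certificates enrolled in the firmware databases and the MOK list before trusting anything the running kernel reports.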