New Linux-Targeting UEFI Bootkit Discovered: BootKitty Exploits LogoFAIL Vulnerability


Security researchers have identified a new UEFI bootkit targeting Linux systems, marking a concerning shift in malware development. The malware, dubbed BootKitty, represents one of the first known UEFI bootkits specifically designed to compromise Linux-based operating systems.

The malware was discovered after being uploaded to VirusTotal in November 2024. Although it currently exists only as a proof-of-concept, BootKitty demonstrates sophisticated techniques for bypassing Linux kernel security measures.

Written in the C programming language, the malware attempts to circumvent kernel signature verification using self-signed certificates. This approach is ineffective against systems with properly configured Secure Boot, however, unless the attackers have previously installed their own certificates on the machine.

The attack leverages the LogoFAIL vulnerability, which exploits image-parsing weaknesses in UEFI firmware while the boot splash screen image is processed. This allows attackers to execute malicious code during the boot process, before the operating system loads.

BootKitty manipulates core system components, including the GRUB bootloader, to disable critical security checks. It interferes with kernel decompression and modifies module verification processes to falsely authenticate malicious kernel modules as secure.

The malware works alongside additional components, including a kernel module called BCDropper and an ELF file named BCObserver. These components function as a rootkit, concealing malicious files and processes while creating unauthorized network connections.

Analysis reveals multiple references to "BlackCat" within the code, though researchers emphasize this does not definitively link the malware to the notorious ransomware group of the same name.

The discovery of BootKitty highlights an emerging trend in which attackers increasingly target Linux systems rather than the traditional Windows-focused threats. While the current version shows technical limitations and primarily affects specific Ubuntu versions, its emergence warns that more sophisticated attacks may be in development.

Security experts note that BootKitty's presence at the UEFI level makes it particularly dangerous, as it can persist even after operating system reinstallation. This underscores the growing need for robust UEFI security measures in Linux environments.
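A defender-side check prompted by the points above (a self-signed kernel only verifies if Secure Boot is off, the platform is in setup mode, or an attacker-controlled key was enrolled), added here as an example and not code from the article or from the researchers who analysed BootKitty. It reads the SecureBoot and SetupMode variables straight from efivarfs (the efivarfs layout is a 4-byte attribute header followed by the variable data), lists MOK-enrolled certificates when mokutil is installed, and hashes the EFI binaries on the ESP; the `/boot/efi` mount point and the grep filter on mokutil's output are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: check the platform state that decides
# whether a self-signed bootloader, kernel or module would be accepted at boot.
# efivarfs exposes each variable as 4 bytes of attributes followed by its data;
# SecureBoot and SetupMode each carry a single data byte (0 or 1).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID

# Print the first data byte of an efivarfs file in decimal, or "-" if unreadable.
efivar_byte() {
    [ -r "$1" ] || { echo -; return 0; }
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# Map a SecureBoot variable file to enabled / disabled / unknown.
secureboot_state() {
    case "$(efivar_byte "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# SetupMode=1 means no platform key is enrolled, so db/dbx/KEK can be rewritten
# without authorization and "Secure Boot enabled" gives no real guarantee.
setup_mode() {
    case "$(efivar_byte "$1")" in
        1) echo setup ;;
        0) echo user ;;
        *) echo unknown ;;
    esac
}

report() {
    echo "SecureBoot: $(secureboot_state "$EFIVARS/SecureBoot-$EFI_GLOBAL")"
    echo "Mode:       $(setup_mode "$EFIVARS/SetupMode-$EFI_GLOBAL")"
    # Certificates enrolled through shim's MOK list would let a self-signed
    # kernel or module verify; compare every entry against what you enrolled.
    if command -v mokutil >/dev/null 2>&1; then
        echo "Enrolled MOK certificates:"
        mokutil --list-enrolled 2>/dev/null | grep -E 'Subject:|SHA1 Fingerprint' \
            || echo "  (none listed)"
    fi
    # Baseline the boot chain on the ESP (assumed mounted at /boot/efi) so a
    # later swap of GRUB or shim shows up as a hash change against this record.
    echo "ESP binaries:"
    find /boot/efi -type f -iname '*.efi' -exec sha256sum {} + 2>/dev/null || true
}

report
```

Run as root so the efivars and the ESP are readable; keep the printed hashes somewhere off the host and diff them after every legitimate bootloader update.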