Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit intended for Linux systems.
Dubbed Bootkitty by its creators, who go by the name BlackCat, the bootkit is assessed to be a proof of concept (PoC), and there is no evidence that it has been used in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024.
“The main purpose of the bootkit is to disable the kernel signature verification feature and preload two as-yet-unknown ELF binaries through the Linux init process (which is the first process executed by the Linux kernel during system startup),” ESET researchers Martin Smolár and Peter Strýček said.
The development is significant because it marks a shift in the threat landscape: UEFI bootkits are no longer a Windows-only phenomenon.
It is worth noting that Bootkitty is signed with a self-signed certificate and therefore cannot execute on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has already been enrolled in the firmware's trusted key database.
Regardless of the UEFI Secure Boot state, the bootkit is primarily designed to boot the Linux kernel and patch, in memory, the response of the integrity verification function before the GNU GRand Unified Bootloader (GRUB) is executed.
Specifically, when Secure Boot is enabled it hooks two functions of the UEFI authentication protocols so that UEFI integrity checks are bypassed. It then patches three different functions in the legitimate GRUB bootloader to bypass further integrity checks, and finally alters the kernel's own signature verification so that the unsigned payloads it preloads are accepted.
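The practical takeaway from the two paragraphs above is that Bootkitty only works where the boot chain is already weak: Secure Boot off (or the firmware in Setup Mode, where the key databases can be rewritten), and a kernel that will load unsigned modules. The script below is an added example, not ESET's code or anything from the bootkit author, that checks exactly that posture on a Linux host. It assumes the standard efivarfs and sysfs paths (the SecureBoot and SetupMode variables under EFI_GLOBAL_VARIABLE, the module.sig_enforce parameter, and the lockdown LSM file); the parsing is split out so it can be exercised on constructed input, and the sample bytes in the comments are constructed, not captured from a real machine.

```python
"""Boot-chain posture check for a Bootkitty-style Linux UEFI bootkit.

Added example (not from the ESET write-up). It reads:
  * the UEFI SecureBoot and SetupMode variables. efivarfs prefixes every
    variable with a 4-byte attributes field, so these one-byte booleans
    are read back as exactly 5 bytes, e.g. b"\x06\x00\x00\x00\x01";
  * whether the running kernel enforces module signatures
    (/sys/module/module/parameters/sig_enforce holds "Y" or "N");
  * the kernel lockdown mode (/sys/kernel/security/lockdown shows the
    active mode in brackets, e.g. "none [integrity] confidentiality").
"""
from pathlib import Path
from typing import List, Optional

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")
LOCKDOWN = Path("/sys/kernel/security/lockdown")


def parse_efi_bool(raw: bytes) -> Optional[bool]:
    """Decode a one-byte UEFI boolean as exposed by efivarfs.

    Four bytes of attributes come first, then the payload. Anything that
    is not exactly 5 bytes is reported as unknown instead of guessed at.
    """
    if len(raw) != 5:
        return None
    return raw[4] == 1


def parse_lockdown(text: str) -> Optional[str]:
    """Return the active lockdown mode, i.e. the bracketed token."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return None


def assess(secure_boot: Optional[bool], setup_mode: Optional[bool],
           sig_enforce: Optional[bool], lockdown: Optional[str]) -> List[str]:
    """Map the raw readings to findings; an empty list means nothing to flag."""
    findings = []
    if secure_boot is None:
        findings.append("SecureBoot variable unreadable (legacy BIOS boot or efivarfs missing)")
    elif not secure_boot:
        findings.append("Secure Boot disabled: a self-signed bootkit binary would be executed by the firmware")
    if setup_mode:
        findings.append("Firmware in Setup Mode: PK/KEK/db can be rewritten, so an attacker certificate can be enrolled")
    if sig_enforce is not True:
        findings.append("Kernel does not enforce module signatures: an unsigned module such as a BCDropper-style loader can be inserted")
    if lockdown not in ("integrity", "confidentiality"):
        findings.append("Kernel lockdown off: unsigned modules and raw access to kernel memory are not blocked")
    return findings


def read_efi_bool(name: str) -> Optional[bool]:
    """Read SecureBoot or SetupMode from efivarfs; None if absent or unreadable."""
    try:
        return parse_efi_bool((EFIVARS / f"{name}-{EFI_GLOBAL_GUID}").read_bytes())
    except OSError:
        return None


def read_sig_enforce() -> Optional[bool]:
    try:
        return SIG_ENFORCE.read_text().strip() == "Y"
    except OSError:
        return None


def read_lockdown() -> Optional[str]:
    try:
        return parse_lockdown(LOCKDOWN.read_text())
    except OSError:
        return None


def main() -> None:
    findings = assess(read_efi_bool("SecureBoot"), read_efi_bool("SetupMode"),
                      read_sig_enforce(), read_lockdown())
    if not findings:
        print("OK: Secure Boot on, not in Setup Mode, module signatures enforced, lockdown active")
    for f in findings:
        print("WARN:", f)


if __name__ == "__main__":
    main()
```

Run it as root (efivarfs entries are root-readable on most distributions). A clean result does not prove the absence of a bootkit, it only shows that the preconditions this particular PoC relies on are not met; a host that reports Secure Boot disabled or sig_enforce=N is one where Bootkitty as described would run unmodified.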
The Slovak cybersecurity company said its investigation of the bootkit also led to the discovery of a possibly related unsigned kernel module capable of deploying an ELF binary called BCDropper, which in turn loads another as-yet-unknown kernel module after system startup.
The kernel module, which also carries BlackCat as its author name, implements other rootkit-related features such as hiding files, processes, and open ports. At this stage, there is no evidence of a connection to the ALPHV/BlackCat ransomware group.
“Whether it’s a proof of concept or not, Bootkitty represents an interesting step forward in the UEFI threat landscape, breaking the belief that current UEFI bootkits are Windows-exclusive threats,” the researchers said, adding that “it emphasizes the need to be prepared for potential future threats.”