Researchers have uncovered the first UEFI bootkit designed specifically for Linux systems, named Bootkitty. Until now, UEFI bootkits have focused on the Windows ecosystem. A significant finding for firmware security is that Bootkitty exploits a vulnerability tied to LogoFAIL (CVE-2023-40238).
Key findings on Bootkitty
- The Bootkitty LOGOfail exploit enables the execution of malicious shellcode through tampered BMP files in UEFI firmware.
- The bootkit is mainly engineered to boot the Linux kernel and to patch, in memory, the return value of the integrity-verification function before GNU GRand Unified Bootloader (GRUB) is executed.
- The exploit uses shellcode embedded within a BMP image to bypass Secure Boot protections by injecting rogue certificates into the MokList variable.
- Vulnerable devices include models from Acer, HP, Fujitsu, and Lenovo, with evidence suggesting the exploit may have been tailored for specific hardware configurations.
- A patch from Insyde mitigates the vulnerability; unpatched devices remain at risk.
- The development is significant as it heralds a shift in the cyber threat landscape where UEFI bootkits are no longer confined to Windows systems alone.
- The operating system bootloaders present a vast attack surface that is often overlooked by defenders, and the constant growth in complexity only makes it worse.
- Researchers quickly discarded the logofail_fake.bmp file after a cursory analysis showed nothing unusual in its header or content; all the image viewers they tested opened and displayed the file without any problems.
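The last finding is the practical lesson for defenders: a boot-logo BMP that opens cleanly in every viewer can still be hostile, so a cursory look is not a check. The script below is an added example (not ESET's, Insyde's, or Bootkitty's code) of the structural checks a firmware-logo audit would apply before trusting an image: it decodes the two BMP headers and reports inconsistencies between what they declare and what the file actually contains, such as a wrong bfSize, a palette larger than the bit depth allows, or surplus bytes after the pixel area. These are generic BMP heuristics, not a signature for CVE-2023-40238, and the sample images are constructed inline; the right complement on a real device is comparing the logo against the vendor's known-good image hash.

```python
"""Header-consistency checks for BMP boot logos.
Added example (not ESET's, Insyde's, or Bootkitty's code): generic BMP
structural heuristics, not a signature for CVE-2023-40238 or any other bug."""
import struct

BI_RGB, BI_RLE8, BI_RLE4, BI_BITFIELDS = 0, 1, 2, 3
VALID_BPP = (1, 4, 8, 16, 24, 32)


def parse_headers(data: bytes) -> dict:
    """Decode BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes)."""
    if len(data) < 54:
        raise ValueError("shorter than the 54-byte header pair")
    magic, bf_size, _r1, _r2, off_bits = struct.unpack_from("<2sIHHI", data, 0)
    (bi_size, width, height, planes, bpp, compression, size_image,
     _xppm, _yppm, clr_used, _clr_important) = struct.unpack_from("<IiiHHIIiiII", data, 14)
    return dict(magic=magic, bf_size=bf_size, off_bits=off_bits, bi_size=bi_size,
                width=width, height=height, planes=planes, bpp=bpp,
                compression=compression, size_image=size_image, clr_used=clr_used)


def check_bmp(data: bytes) -> list:
    """Return a list of findings; an empty list means the headers are self-consistent."""
    try:
        h = parse_headers(data)
    except ValueError as exc:
        return [f"truncated: {exc}"]
    findings = []
    if h["magic"] != b"BM":
        findings.append("bad magic (not 'BM')")
    if h["bf_size"] != len(data):
        findings.append(f"bfSize {h['bf_size']} != actual length {len(data)}")
    if h["bi_size"] < 40:
        findings.append(f"unusual DIB header size {h['bi_size']}")
    if h["planes"] != 1:
        findings.append(f"biPlanes {h['planes']} != 1")
    if h["bpp"] not in VALID_BPP:
        findings.append(f"unsupported bit depth {h['bpp']}")
    if h["width"] <= 0 or h["height"] == 0:
        findings.append(f"degenerate dimensions {h['width']}x{h['height']}")
    if h["compression"] not in (BI_RGB, BI_BITFIELDS):
        findings.append(f"compression {h['compression']}: RLE paths widen the parser surface, review")
    # The palette sits between the DIB header and the pixel data. A biClrUsed
    # larger than 2^bpp is a classic inconsistency that naive parsers mishandle.
    palette_bytes = 0
    if h["bpp"] in (1, 4, 8):
        max_entries = 1 << h["bpp"]
        if h["clr_used"] > max_entries:
            findings.append(f"biClrUsed {h['clr_used']} exceeds {max_entries} palette entries")
        palette_bytes = min(h["clr_used"] or max_entries, max_entries) * 4
    min_off = 14 + h["bi_size"] + palette_bytes
    if not (min_off <= h["off_bits"] <= len(data)):
        findings.append(f"bfOffBits {h['off_bits']} outside [{min_off}, {len(data)}]")
    # For uncompressed images the pixel area is fully determined by the headers,
    # so any surplus bytes after it are not explained by the image itself.
    if h["compression"] in (BI_RGB, BI_BITFIELDS) and h["width"] > 0 and h["bpp"] in VALID_BPP:
        stride = ((h["width"] * h["bpp"] + 31) // 32) * 4   # rows are padded to 4 bytes
        expected = stride * abs(h["height"])
        available = len(data) - h["off_bits"]
        if available < expected:
            findings.append(f"pixel data truncated: need {expected} bytes, have {available}")
        elif available > expected:
            findings.append(f"{available - expected} trailing bytes after the pixel data")
        if h["size_image"] not in (0, expected):
            findings.append(f"biSizeImage {h['size_image']} != computed {expected}")
    return findings


def build_bmp(width: int, height: int, pixels: bytes, bf_size=None, trailing=b"") -> bytes:
    """Construct a 24-bpp BI_RGB BMP; the overrides forge inconsistent headers for testing."""
    stride = ((width * 24 + 31) // 32) * 4
    body = pixels + trailing
    total = 54 + len(body) if bf_size is None else bf_size
    file_hdr = struct.pack("<2sIHHI", b"BM", total, 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, BI_RGB,
                          stride * height, 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + body


# Constructed samples: a well-formed 2x2 image, and a copy whose bfSize lies and
# which carries 32 surplus bytes after the pixel area.
CLEAN_BMP = build_bmp(2, 2, bytes(16))
TAMPERED_BMP = build_bmp(2, 2, bytes(16), bf_size=54, trailing=b"\xcc" * 32)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else TAMPERED_BMP
    for line in check_bmp(blob) or ["no header inconsistencies found"]:
        print(line)
```

Run it with a path to any BMP (for example a logo extracted from a firmware image) and treat every finding as a reason to compare the file against the vendor's original rather than as proof of tampering; an empty result only says the headers agree with the file, which is exactly what ESET observed for the sample that turned out to carry the exploit.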
“The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup),” ESET researchers Martin Smolár and Peter Strýček said.
Technical Analysis
Bootkitty’s execution can be broken down into three main phases:
- Initialization and GRUB Hooking: The bootkit checks for UEFI Secure Boot, hooks authentication protocols, and patches the legitimate GRUB bootloader.
- Linux Kernel Image Decompression Hook: This phase involves patching the decompressed Linux kernel image, including modifying the kernel version and Linux banner strings.
- Kernel and Init Process Manipulation: Bootkitty patches the module_sig_check function to bypass module signature verification and modifies the init process to preload potentially malicious shared objects.
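Both the rogue-certificate finding above and the first execution phase turn on what is enrolled in the MOK list, which is a series of UEFI EFI_SIGNATURE_LIST structures. As an added example (not shim's, mokutil's, or ESET's code), the script below parses that layout, hashes every entry, and reports X.509 certificates whose SHA-256 is absent from a baseline recorded from a known-good machine. The certificate byte strings and the all-zero SignatureOwner GUID are constructed placeholders, not real certificates; on a live system the runtime-readable copy is MokListRT, which shim exposes under /sys/firmware/efi/efivars with a 4-byte attributes prefix that the efivarfs flag strips.

```python
"""Inventory the certificates enrolled in a MOK (Machine Owner Key) list and
flag any that are not in a known-good baseline.
Added example, not shim's, mokutil's or ESET's code: it parses the UEFI
EFI_SIGNATURE_LIST layout that MokList/MokListRT use and hashes each entry."""
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification identifying the payload type of a list.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HDR = 28  # 16-byte type GUID + three UINT32 sizes


def parse_signature_lists(blob: bytes, efivarfs: bool = False) -> list:
    """Walk consecutive EFI_SIGNATURE_LIST structures; one dict per signature entry."""
    if efivarfs:
        blob = blob[4:]  # efivarfs prefixes variable data with a 4-byte attributes word
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        payload = list_size - SIG_LIST_HDR - hdr_size
        if payload < 0 or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} overruns data at offset {off}")
        if sig_size <= 16 or payload % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile the list at offset {off}")
        pos, end = off + SIG_LIST_HDR + hdr_size, off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            data = blob[pos + 16:pos + sig_size]             # DER certificate or raw hash
            entries.append({"type": sig_type, "owner": owner, "data": data,
                            "sha256": hashlib.sha256(data).hexdigest()})
            pos += sig_size
        off = end
    return entries


def find_unexpected(entries: list, baseline: set) -> list:
    """X.509 entries whose DER hash is not in the baseline: candidates for a rogue enrolment.
    Hash-type entries authorise single binaries rather than signers and are left to the caller."""
    return [e for e in entries
            if e["type"] == EFI_CERT_X509_GUID and e["sha256"] not in baseline]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items: list) -> bytes:
    """Pack one EFI_SIGNATURE_LIST. All entries in a list share one SignatureSize,
    which is why each X.509 certificate normally gets a list of its own."""
    sig_size = 16 + len(items[0])
    if any(len(i) != len(items[0]) for i in items):
        raise ValueError("entries in one list must be the same size")
    body = b"".join(owner.bytes_le + i for i in items)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HDR + len(body), 0, sig_size) + body


# Constructed sample: the byte strings stand in for DER certificates; they are not real certs.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000000")  # placeholder SignatureOwner
DISTRO_CERT = b"constructed placeholder for the distribution's DER-encoded MOK certificate"
ROGUE_CERT = b"constructed placeholder for an unexpectedly enrolled DER certificate"
SAMPLE_MOKLIST = (
    build_signature_list(EFI_CERT_X509_GUID, OWNER, [DISTRO_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(32)])  # one hash-allowlisted binary
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [ROGUE_CERT])
)
BASELINE = {hashlib.sha256(DISTRO_CERT).hexdigest()}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: <efivar file> <baseline file with one sha256 per line>
        blob, efivar = open(sys.argv[1], "rb").read(), True
        baseline = {l.strip() for l in open(sys.argv[2]) if l.strip()}
    else:
        blob, efivar, baseline = SAMPLE_MOKLIST, False, BASELINE
    entries = parse_signature_lists(blob, efivarfs=efivar)
    print(f"{len(entries)} entries parsed")
    for e in find_unexpected(entries, baseline):
        print(f"UNEXPECTED X.509 entry sha256={e['sha256']} owner={e['owner']}")
```

The baseline should be captured at provisioning time and kept off the machine, because a bootkit that alters MokList also alters what the running system reports through MokListRT and mokutil; comparing today's list with today's list detects nothing. Pair this with verifying that Secure Boot is actually enabled and that the firmware carries Insyde's fix, since a list with only expected certificates says nothing about a logo-parser bypass that never touches the variable.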