Researchers discover first UEFI bootkit malware for Linux

November 27th, 2024

The first UEFI bootkit specifically targeting Linux systems has been discovered, marking a shift in stealthy and hard-to-remove bootkit threats that previously focused on Windows. Upon analysis, ESET confirmed that this was the first case of a Linux UEFI bootkit to bypass kernel signature verification and preload malicious components during the system boot process.

Named 'Bootkitty,' the Linux malware is a proof-of-concept that works only on some Ubuntu versions and configurations rather than a fully fledged threat deployed in actual attacks. Bootkitty relies on a self-signed certificate, so it won't execute on systems with Secure Boot enabled and only targets certain Ubuntu distributions. Additionally, hardcoded offsets and simplistic byte-pattern matching make it only usable on specific GRUB and kernel versions, so it's unsuitable for widespread deployment. ESET also notes that the malware contains many unused functions and handles kernel-version compatibility poorly, often leading to system crashes. The malware's buggy nature and the fact that ESET's telemetry shows no signs of Bootkitty on live systems led the researchers to conclude that it is in early-stage development.

Read More below:
https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux/