First UEFI Bootkit Malware Targeting Linux Systems Uncovered

ESET researchers have identified Bootkitty, the first UEFI bootkit specifically designed to target Linux systems, signaling an evolution in bootkit threats previously focused on Windows platforms. Bootkits operate at a low level during the boot process, enabling them to bypass OS-level security tools and inject malicious code stealthily.

Though Bootkitty is a proof-of-concept and only functional on certain Ubuntu versions with Secure Boot disabled, it represents a significant step in developing Linux bootkits. It manipulates key system components by bypassing Secure Boot checks, disabling kernel signature verifications, and injecting malicious libraries through environment variable alterations.
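As an added defender-side example (not code from the ESET report or from Bootkitty), the following POSIX shell script checks a Linux host for the three conditions the summary says the bootkit depends on: Secure Boot disabled, kernel module signature enforcement off, and a library injected through the dynamic loader's preload mechanism. It reads the standard sysfs/efivarfs locations; each function takes a file path so the parsing can be exercised on constructed sample data, and the preload check uses /etc/ld.so.preload as the simplest loader-level injection point to audit.

```shell
#!/bin/sh
# Posture check for the conditions a Linux UEFI bootkit such as Bootkitty needs.
# Each function takes a file argument so it can run against the live system or
# against constructed sample files.

# Print enabled / disabled / unknown for a SecureBoot efivar file.
# efivarfs layout: 4-byte attribute header followed by the 1-byte value.
secureboot_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print enforced / off / unknown for the kernel's module.sig_enforce parameter.
sig_enforce_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(head -n1 "$f")
    case "$v" in
        Y*) echo enforced ;;
        N*) echo off ;;
        *)  echo unknown ;;
    esac
}

# Print non-comment, non-empty entries of an ld.so.preload style file.
# A clean system normally has this file absent or empty.
preload_entries() {
    f="$1"
    [ -r "$f" ] || return 0
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' || true
}

main() {
    sb=$(secureboot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)
    se=$(sig_enforce_state /sys/module/module/parameters/sig_enforce)
    pl=$(preload_entries /etc/ld.so.preload)
    echo "secure_boot=$sb module_sig_enforce=$se"
    if [ -n "$pl" ]; then echo "WARNING: preload entries present: $pl"; fi
    if [ "$sb" = enabled ] && [ "$se" = enforced ] && [ -z "$pl" ]; then
        echo "posture: OK"
    else
        echo "posture: review required"
    fi
    return 0
}

main
```

Run it as root so the efivar and sysfs parameter files are readable; "unknown" for Secure Boot usually means the host booted in legacy BIOS mode or efivarfs is not mounted.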

The malware is in its early stages, with many unused functions, poor compatibility handling, and signs of instability, leading to frequent crashes. Researchers found no evidence of its deployment in real-world attacks, and telemetry data suggests it remains experimental.

Bootkitty also appears connected to BCDropper, a separate kernel module with rootkit capabilities, further illustrating efforts to develop sophisticated Linux malware. This discovery highlights a growing focus on targeting Linux as its use expands in enterprise environments.
