Cybersecurity researchers have discovered “Bootkitty,” possibly the first UEFI bootkit specifically designed to target Linux systems.
This marks a significant shift in the UEFI threat landscape, which previously focused exclusively on Windows-based attacks.
The bootkit, named by its creators, was uploaded to VirusTotal in November 2024 and is believed to be a proof of concept rather than fully operational malware.
According to ESET, Bootkitty uses various techniques to bypass security measures, including modifying kernel integrity verification and preloading unknown ELF binaries.
Notably, it targets specific Ubuntu Linux systems and is incompatible with many configurations. This further supports its status as an early-stage concept.
Key Details About Bootkitty
In an advisory published today, ESET detailed some of the key identifiers for Bootkitty:
- The malware is signed using a self-signed certificate, rendering it ineffective on systems with UEFI Secure Boot enabled unless attacker certificates are installed
- The bootkit patches kernel functions to disable signature verification and bypass security checks
- It includes hardcoded patterns for kernel versions, making it functional only for specific setups
During execution, Bootkitty also hooks critical components such as GRUB bootloader functions and Linux kernel decompression processes. These hooks allow the bootkit to patch kernel operations in memory, enabling it to load unsigned modules and override system settings.
According to ESET, evidence suggests Bootkitty may not be linked to active threat actors.
Related Findings: BCDropper and BCObserver
Researchers also discovered a potentially related unsigned kernel module named BCDropper, which deploys a simple ELF program called BCObserver.
The program monitors the system and loads further kernel modules after the Linux desktop environment initializes. Although connections between these components remain speculative, their functionalities align with Bootkitty’s modifications.
Mitigation and Future Implications
Despite its limitations, Bootkitty underscores a growing need for Linux-specific UEFI protections. Ensuring that UEFI Secure Boot is enabled, that firmware and operating systems are kept up to date, and that UEFI revocation lists are current are critical steps to safeguarding systems.
“Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats,” ESET said.
“To keep your Linux systems safe from such threats, make sure that UEFI Secure Boot is enabled, your system firmware and OS are up-to-date, and so is your UEFI revocations list.”
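The advice above, and the bootkit's reliance on a self-signed certificate and on loading unsigned kernel modules, both translate into a small posture check a Linux administrator can run. The script below is an added example written for this article, not code from ESET or from the Bootkitty sample: it reads the UEFI SecureBoot variable from efivarfs (a 4-byte attribute header followed by one data byte), decodes the kernel taint mask for the out-of-tree (bit 12) and unsigned-module (bit 13) flags, and reports the kernel lockdown mode. The file paths can be overridden so the functions can be exercised on constructed input; the default paths are the standard sysfs and securityfs locations.

```shell
#!/bin/sh
# Added example (not from the article): Secure Boot / unsigned-module posture check.

# Decode a SecureBoot efivar blob. The file is a 4-byte attribute header
# followed by a single data byte: 1 = Secure Boot enabled, 0 = disabled.
secure_boot_state() {  # $1 = path to the efivar file (defaults to the live sysfs entry)
  f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$f" ] || { echo unknown; return 0; }   # non-UEFI boot or no permission
  b=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')  # skip the 4-byte header, read 1 byte
  case "$b" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Decode the kernel taint bitmask (/proc/sys/kernel/tainted) for the two flags
# relevant here: bit 12 (4096, 'O', out-of-tree module) and bit 13 (8192, 'E',
# unsigned module). A bootkit that disables signature checks and loads its own
# modules, as described for Bootkitty, would typically leave these bits set.
module_taint_flags() {  # $1 = taint value (defaults to the live /proc value)
  t="${1:-$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)}"
  out=""
  [ $(( t & 4096 )) -ne 0 ] && out="${out}out-of-tree "
  [ $(( t & 8192 )) -ne 0 ] && out="${out}unsigned-module "
  out="${out% }"                                 # drop the trailing separator
  printf '%s\n' "${out:-none}"
}

# Read the kernel lockdown mode from securityfs; the active mode is shown in
# brackets, e.g. "none [integrity] confidentiality".
lockdown_mode() {  # $1 = path (defaults to the live securityfs entry)
  f="${1:-/sys/kernel/security/lockdown}"
  [ -r "$f" ] || { echo unknown; return 0; }
  sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# Print all three items using the live system files.
posture_report() {
  printf 'secure_boot=%s\n' "$(secure_boot_state)"
  printf 'module_taint=%s\n' "$(module_taint_flags)"
  printf 'lockdown=%s\n' "$(lockdown_mode)"
}

posture_report
```

A host that reports `secure_boot=disabled` or `secure_boot=unknown` has no firmware-level defence against a self-signed bootkit image, and `module_taint=unsigned-module` on a machine that is not expected to load out-of-tree drivers is worth investigating. The check does not inspect the dbx revocation list itself; keeping that current is a matter of applying firmware and distribution updates.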