Researchers discover "Bootkitty," the first UEFI bootkit for Linux
Bootkitty is the first UEFI bootkit targeting Linux, posing potential threats.
Bootkitty, a newly identified UEFI bootkit targeting Linux, was discovered by Eset researchers while analysing a UEFI application uploaded to VirusTotal. Described as the first of its kind for Linux, Bootkitty is signed with a self-signed certificate and targets specific Ubuntu distributions; it does not run on systems with Secure Boot enabled, a limitation the researchers attribute to its incomplete development.
The malware aims to insert itself into the boot process, replacing or tampering with the original boot loader in order to take control of the operating system and the applications running on it. Although it is designed to boot the Linux kernel even with Secure Boot active, Bootkitty still has many rough edges, suggesting its authors are at an early stage of development.
Together with a possibly related kernel module, referred to as BCDropper, Bootkitty could be used to deploy ELF programs that extend its capabilities. Eset urges the security community to prepare for more sophisticated UEFI threats against Linux as the platform becomes a more attractive target for cybercriminals.