Researchers discover "Bootkitty," the first UEFI bootkit for Linux

Bootkitty is the first UEFI bootkit targeting Linux, posing potential threats.

Bootkitty has emerged as the first known UEFI bootkit targeting Linux, discovered by Eset researchers. While still in its proof-of-concept stage, it threatens specific Ubuntu distros by subverting UEFI firmware functions and the GRUB boot loader. Though currently imperfect, its evolving nature suggests potential refinement and increased risks. Eset warns the security community of future Linux-targeted UEFI threats.

Bootkitty, a newly identified UEFI bootkit targeting Linux, was discovered by Eset researchers through an analysis of a UEFI application uploaded to VirusTotal. Described as the first of its kind for Linux, Bootkitty leverages a self-signed security certificate and targets specific Ubuntu distributions, though it doesn't operate on systems with Secure Boot enabled due to its incomplete development stage.

The malware seeks to insert itself into the boot process, replacing or compromising the original boot loader to gain control of the operating system and user applications. Although it is capable of booting the Linux kernel with Secure Boot activated, Bootkitty currently has numerous rough edges, suggesting its authors are still in the early stages of development.

In conjunction with a possibly linked kernel module referred to as BCDropper, Bootkitty could facilitate the deployment of ELF programs to extend its operations. Eset stresses that the security community should brace for more sophisticated UEFI threats targeting Linux as the platform becomes more appealing to cybercriminals.