Subject: Bootkitty – UEFI Bootkit for Linux
Tactics: TA0003 Persistence
Technique: T1542.003 Pre-OS Boot: Bootkit
Procedure:
Bootkitty is a UEFI bootkit that is executed early in the boot process, before the operating system is loaded. It installs hooks to intercept and modify the normal boot process, allowing it to persist even if the operating system is reinstalled or updated. The bootkit specifically targets the GRUB bootloader and the Linux kernel, patching them in memory to disable security checks and load malicious code.
Vulnerability: EAV0004 When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.
Engagement Opportunity:
Deploy a decoy UEFI firmware or GRUB module that mimics the vulnerable components targeted by Bootkitty. This could lure the bootkit into attempting to patch these decoy components, revealing its presence and potentially allowing for the capture and analysis of the bootkit. This would also provide valuable insights into the bootkit’s capabilities and patching mechanisms. Additionally, organizations should enforce Secure Boot policies to prevent the execution of unsigned or unauthorized code during the boot process, effectively mitigating the threat of such bootkits.
Threat Actor: Unknown, possibly a Proof of Concept
Threat Objective:
Gain persistence on the target system and potentially execute additional malicious payloads. By disabling kernel signature verification, the bootkit can enable the loading and execution of other malicious modules or drivers, further compromising the system.
Deception Opportunity:
Create a honeypot system with a vulnerable UEFI firmware and a decoy GRUB bootloader. If the bootkit is deployed to this honeypot, its actions can be observed and analyzed in a safe environment. Additionally, plant a decoy kernel module with a known signature. If the bootkit attempts to load this module without verification, it would further confirm its presence and functionality.
Sensor Data Placement: Kernel-Mode
Observable Level: Core to Some Implementations of (Sub-)Technique
Scoring Rationale:
- The core of Bootkitty’s functionality lies in manipulating the kernel and the boot process, which are fundamental to the Pre-OS Boot technique. The observable actions, such as patching kernel functions and modifying the GRUB bootloader, are inseparable from the technique itself. This makes these observables highly reliable for detection, as the attacker would need to significantly alter their approach to avoid them. Analyzing these kernel-mode activities provides high-fidelity detection and minimizes the chance of false positives.
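The Engagement Opportunity, the Deception Opportunity and the Scoring Rationale above all come down to the same defender-side checks: is Secure Boot actually enforced, is kernel module signature enforcement still on, and have the GRUB/shim binaries on the EFI System Partition changed against a known-good baseline (a decoy GRUB module on a honeypot is simply a baseline entry you expect never to change). The following Python is an added example written for this card; it is not code from the ESET report or from the Bootkitty sample. It assumes the standard Linux interfaces: the SecureBoot efivar file under /sys/firmware/efi/efivars/ carries a 4-byte attribute header followed by one data byte (1 = enabled), and /sys/module/module/parameters/sig_enforce reads "Y" or "N". File paths, the trusted hashes and the file contents in the sample are constructed for the demonstration.

```python
import hashlib
import struct
from typing import Dict, List


def parse_efivar_secureboot(blob: bytes) -> bool:
    """Decode the SecureBoot efivar as exposed by efivarfs.

    Layout: 4 bytes of little-endian attribute flags, then the variable
    data, which for SecureBoot is a single byte (1 = enabled, 0 = disabled).
    """
    if len(blob) < 5:
        raise ValueError("efivar blob too short to hold attributes + value")
    _attrs, value = struct.unpack("<IB", blob[:5])
    return value == 1


def parse_sig_enforce(text: str) -> bool:
    """Interpret /sys/module/module/parameters/sig_enforce ('Y' or 'N')."""
    return text.strip() == "Y"


def audit_esp(inventory: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare EFI binaries found on the ESP against trusted SHA-256 digests.

    A patched GRUB shows up as 'modified'; a dropped bootkit image shows up
    as 'unexpected'; a removed shim/GRUB shows up as 'missing'.
    """
    findings: Dict[str, List[str]] = {"modified": [], "unexpected": [], "missing": []}
    for path, data in inventory.items():
        digest = hashlib.sha256(data).hexdigest()
        if path not in baseline:
            findings["unexpected"].append(path)
        elif baseline[path] != digest:
            findings["modified"].append(path)
    for path in baseline:
        if path not in inventory:
            findings["missing"].append(path)
    return findings


def assess_boot_integrity(secureboot_blob: bytes, sig_enforce_text: str,
                          inventory: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Combine the three checks into a list of alert strings (empty = clean)."""
    alerts: List[str] = []
    if not parse_efivar_secureboot(secureboot_blob):
        alerts.append("Secure Boot disabled: unsigned EFI binaries can execute")
    if not parse_sig_enforce(sig_enforce_text):
        alerts.append("kernel module signature enforcement is off")
    esp = audit_esp(inventory, baseline)
    alerts += [f"modified ESP binary: {p}" for p in esp["modified"]]
    alerts += [f"unexpected ESP binary: {p}" for p in esp["unexpected"]]
    alerts += [f"missing ESP binary: {p}" for p in esp["missing"]]
    return alerts


# --- Constructed sample data (not real firmware images or real hashes) ---
GOOD_SHIM = b"constructed: trusted shim image"
GOOD_GRUB = b"constructed: trusted grub image"
BASELINE = {
    "EFI/ubuntu/shimx64.efi": hashlib.sha256(GOOD_SHIM).hexdigest(),
    "EFI/ubuntu/grubx64.efi": hashlib.sha256(GOOD_GRUB).hexdigest(),
}
# Attribute flags 0x06 = NV + BS; data byte 1 or 0.
SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"

CLEAN_INVENTORY = {"EFI/ubuntu/shimx64.efi": GOOD_SHIM, "EFI/ubuntu/grubx64.efi": GOOD_GRUB}
SUSPECT_INVENTORY = {
    "EFI/ubuntu/shimx64.efi": GOOD_SHIM,
    "EFI/ubuntu/grubx64.efi": b"constructed: patched grub image",
    "EFI/ubuntu/extra.efi": b"constructed: unknown binary dropped on the ESP",
}


if __name__ == "__main__":
    print("clean host:", assess_boot_integrity(SECUREBOOT_ON, "Y\n", CLEAN_INVENTORY, BASELINE))
    for line in assess_boot_integrity(SECUREBOOT_OFF, "N\n", SUSPECT_INVENTORY, BASELINE):
        print("ALERT:", line)
```

On a live host the blob comes from reading the SecureBoot-8be4df61-... file under /sys/firmware/efi/efivars/, the inventory from walking the mounted ESP, and the baseline from the same walk taken on a known-good install; the rationale for keeping the comparison at the file level is that a bootkit that hooks GRUB in memory still has to land a file on the ESP first, which is exactly the observable the Scoring Rationale calls core to the technique.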
Link to Report: https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/
Link to Report II.:
Additional Comments:
Bootkitty, though a proof of concept, highlights the potential for UEFI bootkits to target Linux systems, a previously overlooked attack vector. Organizations should proactively strengthen their firmware security posture and adopt a defense-in-depth approach to mitigate such threats.
Possible elements: Linux Kernel Module Deception
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# Bootkitty Attack Graph
[1]: Persistence (TA0003) - Pre-OS Boot: Bootkit (T1542.003) - Install UEFI bootkit to hook GRUB and Linux kernel, disabling security checks and loading malicious ELF binaries (Core to Sub-Technique or Technique)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
function Persistence_Pre_OS_Boot(system_firmware):
    # Install Bootkitty UEFI bootkit on the EFI System Partition
    # Hook GRUB bootloader (T1542.003) to disable signature verification
    # Hook Linux kernel (T1542.003) to disable module signature verification and preload malicious ELF binaries
    return compromised_system