BootKitty

Last updated
BootKitty
Malware details
Type Bootkit
Origin South Korea (Proof-of-Concept)

BootKitty is a bootkit ELF malware that hijacks the UEFI on Linux systems by using a malicious EFI booter and is the first ever bootkit for Linux systems. It was also tracked as the malware family IranuKit. [1]

Contents

Design

When the ELF program of BootKitty is ran, it attempts to disable the kernel signing feature on a Linux system and to preload two loaders, one of which is ran by the Linux kernel on boot, using the Linux init system. [2] This allows BootKitty to persist beyond system reboots, reinstallations, and hard drive replacements. [3] BootKitty primarily uses the exploit LogoFAIL in order to gain firmware-level persistence. [4] Using LogoFAIL, BootKitty embed shellcode into two BMP image files during boot to bypass Secure Boot protections by injecting rogue certifications into the MokList variant. [5] When it was detected in 2024, the EFI file used was self-signed though this normally wouldn't allow it to be ran on systems with UEFI protections on it bypasses these protections is capable of replacing the boot loader and of patching the kernel ahead of its execution. [6] BootKitty is designed mainly to target Ubuntu systems and related Linux distributions. [7] Not all devices are considered susceptible to the exploits this malware uses, the BMP image file and assembler code is specifically made for Lenovo devices and can only work on certain GNU GRUB and Linux kernel versions. [8]

The malware has been compared to the BlackLotus malware by malware and security researchers [9]

History

After BootKitty began gaining notoriety among security researchers, multiple university students from South Korea claimed responsibility for its creation as a proof-of-concept accidentally going public issuing a statement of no ill intent. [10]

References

  1. Lakshmanan, Ravie. "Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels". The Hacker News. Retrieved 2026-01-17.
  2. Lee, Junho; Kwon, Jihoon; Seo, HyunA; Lee, Myeongyeol; Seo, Hyungyu; Jung, Jinho; Koo, Hyungjoon (2025-08-11). "BOOTKITTY: a stealthy bootkit-rootkit against modern operating systems". Proceedings of the 19th USENIX Conference on Offensive Technologies. USENIX: 303–320. ISBN   978-1-939133-50-2.
  3. Vijayan, Jai (2024-12-02). "'Bootkitty' First Bootloader to Take Aim at Linux". DarkReading. Retrieved 2026-01-16.
  4. "LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux". binarly.io. 2024-11-29. Retrieved 2026-01-17.
  5. Toulas, Bill (2024-12-02). "BootKitty UEFI malware exploits LogoFAIL to infect Linux systems". Bleeping Computer . Retrieved 2026-01-17.
  6. "ESET Research discovers the first UEFI bootkit for Linux". ESET . 2024-11-27. Retrieved 2026-01-17.
  7. Wyciślik-Wilson, Sofia Elizabella (2024-11-29). "Proving Linux is not a safe sanctuary, ESET finds first Linux-targeting UEFI bootkit malware". BetaNews. Retrieved 2026-01-17.
  8. Kunz, Christopher (2024-12-03). "UEFI bootkit "Bootkitty" for Linux is a university project from South Korea". Heise Online . Retrieved 2026-01-17.
  9. Garland, Chris (2024-12-04). "Bootkitty and Linux Bootkits: We've Got You Covered". Eclypsium. Retrieved 2026-01-17.
  10. Kan, Michael (2024-11-27). "'Bootkitty' Malware Can Infect a Linux Machine's Boot Process". PCMag . ISSN   0888-8507. OCLC   960872918 . Retrieved 2026-01-17.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.