• In November 2024, a previously unknown application, named bootkit.efi, was uploaded to VirusTotal, upon inspection ESET Research discovered it to be an UEFI application.
• Further analysis confirmed that it is a UEFI bootkit, named Bootkitty by its creators; surprisingly, it’s the first UEFI bootkit to target Linux – specifically, several Ubuntu versions. The bootkit contains many artifacts, suggesting that this is more like a proof of concept than the work of a threat actor.
• ESET Research also discovered a possibly related kernel module, which we named BCDropper, that deploys an Executable and Linking Format (ELF) Linux program responsible for loading another kernel module.

BRATISLAVA — November 27, 2024 — ESET research has discovered the first UEFI bootkit designed for Linux systems, named Bootkitty by its creators. ESET believes this bootkit is likely an initial proof of concept, and based on ESET telemetry, it has not been deployed in the wild. However, it is the first evidence that UEFI bootkits are no longer confined to Windows systems alone. The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux “init” process (which is the first process executed by the Linux kernel during system startup).

The previously unknown UEFI application, named “bootkit.efi”, was uploaded to VirusTotal. Bootkitty is signed by a self-signed certificate, thus is not capable of running on systems with UEFI Secure Boot enabled by default. However, Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, as it patches, in memory, the necessary functions responsible for integrity verification.

The bootkit is an advanced rootkit that is capable of replacing the boot loader, and of patching the kernel ahead of its execution. Bootkitty allows the attacker to take full control over the affected machine, as it co-opts the machine’s booting process and executes malware before the operating system has even started.

During the analysis, ESET discovered a possibly related unsigned kernel module that ESET named BCDropper – with signs suggesting that it could have been developed by the same author(s) as Bootkitty. It deploys an ELF binary responsible for loading yet another kernel module unknown at the time of analysis.

“Bootkitty contains many artifacts suggesting that this is more like a proof of concept than the work of an threat actor.  Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems since it can affect only a few Ubuntu versions, it emphasizes the necessity of being prepared for potential future threats,” says ESET researcher Martin Smolár, who analyzed Bootkitty. “To keep your Linux systems safe from such threats, make sure that UEFI Secure Boot is enabled, your system firmware, security software and OS are up-to-date, and so is your UEFI revocations list,” he adds.

After booting up a system with Bootkitty in the ESET testing environment, researchers noticed that the kernel was marked as tainted (a command can be used to check the tainted value), which was not the case when the bootkit was absent. Another way to tell whether the bootkit is present on the system with UEFI Secure Boot enabled is by attempting to load an unsigned dummy kernel module during runtime. If it’s present, the module will be loaded; if not – the kernel refuses to load it. A simple remedy to get rid of the bootkit, when the bootkit is deployed as “/EFI/ubuntu/grubx64.efi”, is to move the legitimate “/EFI/ubuntu/grubx64-real.efi” file back to its original location, which is “/EFI/ubuntu/grubx64.efi”.

Over the past few years, the UEFI threat landscape, particularly that of UEFI bootkits, has evolved significantly. It all started with the first UEFI bootkit proof of concept (PoC) described by Andrea Allievi in 2012, which served as a demonstration of deploying bootkits on modern UEFI-based Windows systems, and was followed with many other PoCs (EfiGuard, Boot Backdoor, UEFI-bootkit). It took several years until the first two real UEFI bootkits were discovered in the wild (one of those was ESPecter in 2021 by ESET), and it took two more years until the infamous BlackLotus – the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems – appeared (in 2023 discovered by ESET).  A common thread among these publicly known bootkits was their exclusive targeting of Windows systems.

For a more detailed analysis and technical breakdown of Bootkitty, the first bootkit for Linux, check out the latest ESET Research blogpost “Bootkitty: Analyzing the first UEFI bootkit for Linux” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Bootkitty execution overview

• ESET announces strategic integration with Filigran OpenCTI
• The integration of ESET Threat Intelligence (ETI) with Filigran’s OpenCTI solution will enable the consolidation of threat intelligence, enhancing the analytical capabilities of cybersecurity teams
• The enhanced interoperability of the two solutions will allow for seamless data exchange, and improved threat response workflows, greatly reducing the mean time of incident response

BRATISLAVA, PARIS (FR) — November 27, 2024 — ESET, a global leader in cybersecurity solutions, has announced a key strategic integration with Filigran, a leading provider of open-source threat intelligence management, to integrate ESET Threat Intelligence with its OpenCTI solution.

To attain a strong and proactive security posture, organizations need to aggregate and correlate vast amounts of data from diverse sources. However, telemetry and threat data from one vendor isn’t enough to combat multiple sophisticated threats, and since there is an ongoing shortage of talent and a general lack of internal cybersecurity resources, businesses increasingly purchase services instead of, or on top of, cybersecurity products. As such, there is a demand for seamless integrations, because they simplify workflows, reduce manual effort, and enhance efficiency.

Staying on top of security requires you to be one step ahead by working to achieve enhanced situational awareness, an understanding of the threat landscape including TTPs, and to build strong early warning capabilities, which ESET’s highly curated and actionable threat intelligence helps provide.

This is why ESET is continuing its integration journey, now with Filigran’s OpenCTI, enabling the consolidation of its well-regarded threat intelligence data from ESET directly into OpenCTI. This enhances the analytical capabilities of cybersecurity teams by providing a single, comprehensive, and holistic view of potential threats, centralizing threat data.

“At ESET, integrations are crucial for our success going forward. ESET Threat Intelligence’s diverse telemetry and rich JSON/STIX 2.1 data feeds including: malicious files, botnets, APT IoCs, domains, URLs, and IPs (+ nine new sub-filters in Q4 2024), are seamlessly integrated into OpenCTI, complete with corresponding actionable research insights. Existing users of Filigran will be able to unlock a significant boost to the maturity of their organizational security via their threat-hunting and incident-response capabilities,” said Roman Kováč, Chief Research Officer at ESET.

“With hundreds or even thousands of malicious actors adapting rapidly, timely exploitation of threat intelligence feeds is a challenge. By combining ESET’s high-quality data with OpenCTI’s advanced processing, visualization, and automation capabilities, we make this possible.” – Jean-Philippe Salles, VP Product at Filigran.

The main benefits of the integration are:

• Enhanced insights: ESET’s data feeds offer unique, high-value telemetry derived from its extensive endpoint protection network. This data includes real-time telemetry and detailed threat intelligence that are crucial for accurate threat detection and mitigation.
• Enhanced Analysis: ESET’s data feeds provide advanced context and early-stage detection capabilities, helping analysts to identify and respond to threats more efficiently.
• Interoperability: This partnership enhances interoperability between ESET’s Threat Intelligence and OpenCTI’s analytical tools. ESET’s utilization of TAXII 2.1 and STIX 2.1 standards allows for seamless data exchange and improved threat response workflows.
• Actionable intelligence: ESET’s highly curated data feeds provide actionable intelligence that can be immediately utilized within OpenCTI, improving the overall efficiency and effectiveness of threat detection and response efforts.

Moreover, the unique value of this integration lies in the fact that it overcomes specific challenges related to incident response, as by leveraging ESET Threat Intelligence, users of OpenCTI will greatly enhance their mean time to detect (MTTD) and reduce their mean time to respond (MTTR), all thanks to ETI’s highly curated up-to-date feeds allowing organizations to stay one step ahead of the latest threats.

For more information about ESET integrations, visit our page here.

For more information about ESET Threat Intelligence, click here.

To discover more about Filigran and OpenCTI, visit here.