Positive Technologies finds government and industry at risk of bootkit infection

Bootkits—malicious programs that run before the operating system starts up—are being increasingly used in targeted and mass attacks.

Positive Technologies has analyzed all 39 known bootkit families, including both proof-of-concept¹ and real-world bootkits used by attackers from 2005 to 2021. The study revealed that half of all bootkits are used in targeted attacks, and that attackers are now using them in mass attacks as well, despite the high cost of bootkit development.

A bootkit is malicious code that runs before the operating system loads, typically by hijacking the BIOS boot sectors (MBR/VBR) or the UEFI firmware and boot loader. Because it gains control first, it can load other malware, or tamper with the kernel, before the operating system and the antivirus software that starts with it are running, which is what makes bootkits hard to detect. Until recently, attacks using bootkits that hijack the BIOS or UEFI boot process were considered a rarity. That assumption has proven wrong: at least 27 of the 39 bootkit families analyzed have been used in cyberattacks, and 14 of those were used by APT groups including Careto, Winnti (APT41), FIN1, and APT28.

The regular discovery of vulnerabilities in firmware is a contributing factor in the growing popularity of bootkits. For UEFI, for example, 18 entries appeared in the National Vulnerability Database in 2021 alone. By comparison, there were 12 such entries in 2020, and only five entries in 2019. Malware developers are now adding bootkit functionality to their ransomware, including Satana and Petya, and to various botnets, including TrickBot.

Yana Yurakova, Information Security Analyst, Positive Technologies, commented: "Among the bootkits we analyzed, 76% were designed for BIOS. Intel withdrew support for BIOS back in 2020, but not all companies can quickly update their IT infrastructure, or they use hypervisors in which BIOS is recommended by default, hence BIOS bootkits are still a threat. We find that government and industry are the sectors most affected by this problem."

Since 2020, all bootkits found in the wild have targeted UEFI; examples include Mosaic Regressor, TrickBoot, FinSpy, ESPecter, and MoonBounce. Although UEFI is more secure and adds the Secure Boot mechanism, attackers still have ways to infect UEFI firmware and the boot chain, ranging from supply chain attacks² to remote compromise in which privilege escalation to OS kernel level is used to write the malicious payload into the firmware or boot components.

Bootkits are difficult to develop, which explains their high price on the dark web: the average cost of renting a bootkit is $4,900. For comparison, a rootkit³ can be rented for $100–200. Positive Technologies analyzed 58 Telegram channels and 10 of the most popular Russian- and English-language dark web forums hosting offers to buy and sell bootkits, as well as advertisements seeking malware developers. Bootkit source code can be bought for $10,000, and a ready-made executable image for $2,000. Cybercriminals are willing to pay up to $5,000 for the development of a bootkit. The maximum price offered for a UEFI bootkit is $2 million.

Despite the high cost, criminals use bootkits not only in targeted attacks (for example, to spy on diplomats from Africa, Asia, and Europe using Mosaic Regressor), but also in mass attacks. The Rovnix bootkit was distributed as part of a phishing campaign using a World Bank coronavirus initiative as bait. The Adushka bootkit is known for targeting regular users and being used, among other things, to steal data from online gaming accounts. Another bootkit that was used in mass attacks is Oldboot. It was designed for Android and infected more than 350,000 mobile devices. Oldboot enabled the installation of a loader and spyware that collected and deleted SMS messages.

Cybercriminals generally use targeted phishing via email to introduce bootkits into an organization's infrastructure; this is how the Mebromi and Mosaic Regressor bootkits are distributed. Another delivery route is through websites, including the drive-by compromise technique, which was used to infect targets with the Pitou and Mebroot malware. Cybercriminals hacked more than 1,500 websites to host the Mebroot bootkit. The FispBoot bootkit was installed on devices that were first infected with Trojan-Downloader.NSIS.Agent.jd masquerading as a video to be downloaded by a target user.

Alexey Vishnyakov, Head of Malware Detection at the Positive Technologies Expert Security Center (PT ESC) stated: "The most reliable way to detect bootkits, including those designed for UEFI, is to use a sandbox. A sandbox can detect a bootkit before it becomes embedded in the firmware or the first partitions of the hard drive. For example, PT Sandbox can detect both old-style and modern bootkits, taking into account currently known attack vectors. PT Sandbox allows you to detect the presence of a bootkit while a computer is running, and you can then restart the operating system to find out what malware the bootkit delivered. PT Sandbox provides the additional capability to monitor the operating system during startup and find out exactly how the bootkit delivers its payload. This reduces the risk of a bootkit attack going undetected, even if the initial appearance of the bootkit itself was not discovered while a computer was running."

To protect a computer from bootkits, monitor potentially dangerous operations on the system, such as raw (direct) access to the hard drive, driver installation, and reading or rewriting firmware. Enable UEFI Secure Boot, do not boot the OS with untrusted drives attached, and, before applying OS or firmware updates, check for reports that the vendor or its update channel may have been compromised. To protect an Android smartphone from bootkits such as Oldboot, do not buy devices from untrusted stores or download firmware from dubious sources.
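Two of the checks recommended above can be automated: keeping a baseline of the legacy boot sector so that tampering with the MBR bootstrap code or partition table stands out, and confirming that UEFI Secure Boot is actually enabled. The following script is an added example and not code from Positive Technologies or the study; it parses a 512-byte MBR, compares the bootstrap code against a recorded SHA-256 baseline, flags suspicious partition entries, and interprets the SecureBoot variable in the format Linux exposes under efivarfs. The MBR bytes used below are constructed test data, not a captured infection.

```python
"""Boot-sector baseline check and Secure Boot state check (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446          # bootstrap code occupies bytes 0..445 of the MBR
PART_TABLE_OFF = 446         # four 16-byte partition entries follow it
MBR_SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510..511
EFI_ATTR_LEN = 4             # efivarfs prepends a 4-byte attribute word to each variable


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": entries,
        "signature": sector[510:512],
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a boot sector; an empty list means it matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if mbr["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    used = []
    for idx, p in enumerate(mbr["partitions"]):
        if p["type"] == 0:
            # An 'empty' entry that still points at sectors is a classic place to hide data.
            if p["lba_start"] or p["sectors"]:
                findings.append(f"entry {idx}: empty type but non-zero LBA/size (hidden data?)")
            continue
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {idx}: invalid status byte 0x{p['status']:02x}")
        end = p["lba_start"] + p["sectors"]
        for start, stop in used:
            if p["lba_start"] < stop and start < end:
                findings.append(f"entry {idx}: overlaps another partition")
        used.append((p["lba_start"], end))
    return findings


def secure_boot_enabled(efivar_data: bytes) -> bool:
    """Interpret the SecureBoot variable as read from
    /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c:
    4 bytes of attributes followed by a 1-byte value (1 = enabled)."""
    if len(efivar_data) < EFI_ATTR_LEN + 1:
        raise ValueError("truncated efivar")
    return efivar_data[EFI_ATTR_LEN] == 1


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed test data: one bootable NTFS-type partition starting at LBA 2048."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return code + part0 + b"\x00" * 48 + MBR_SIGNATURE


# Clean sector: prologue resembling a stock loader (xor ax,ax; mov ss,ax; mov sp,0x7c00).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_LEN]).hexdigest()

# Tampered sector (constructed): first instructions replaced by a jump, and an
# 'empty' partition entry that secretly points at sectors beyond the real partition.
_tampered = bytearray(CLEAN_MBR)
_tampered[:3] = b"\xeb\x3c\x90"
struct.pack_into("<B3xB3xII", _tampered, PART_TABLE_OFF + 16, 0x00, 0x00, 409600, 1024)
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
    print("secure boot:", secure_boot_enabled(b"\x06\x00\x00\x00\x01"))
```

On a real Linux host, the first 512 bytes of the boot disk (for example `open("/dev/sda", "rb").read(512)`, which needs root) replace the constructed sector, and the baseline hash is the one recorded when the machine was known-good. The check covers the legacy MBR only; a GPT disk carries a protective MBR with a single 0xEE entry, and on a UEFI system the same baseline idea should be applied to the boot loaders on the EFI System Partition, since that is where bootkits such as ESPecter live.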

The full version of this study is available on the Positive Technologies website.

  1. Proof-of-concept bootkits are of particular interest to analysts and researchers because they provide insight into the methods and techniques attackers are likely to use and how to protect against them.
  2. A supply chain attack uses third-party software or hardware as a vehicle to introduce malicious code into a target company. A common form of supply chain attack involves injecting malicious code into the source code or updates of a software product used by the target company.
  3. A rootkit is a program or set of programs that can conceal the presence of malware in a system.