Bootkit Showcase: Real-World Examples of Infrastructure Security Threats
Bootkits are a type of malware that infects the boot process of a computer, allowing attackers to gain persistent access and control over the system. Despite their potential to cause significant damage, many people, including security professionals, may not be familiar with the threat they pose to infrastructure security. This repository is a curated collection of bootkit samples that demonstrate the potential danger posed by this type of malware. These samples are provided for educational purposes and are intended to raise awareness of the threat landscape of bootkits, as well as to help security professionals better understand how to defend against them. All of them are from real-life attacks so be cautions about tweaking the sample for research or eductional purposes.
Password: danger
Bootkits has been found in the wild
| Malware/Bootkits | Disclosure date | 1st blood | Infection type | Targeted OS | Malware “vendor” |
|---|---|---|---|---|---|
| Vector-EDK (Leaked source code) | 2015 | 2014 | DXE | ? | HackingTeam |
| DerStarke | 2016 | 2013? | DXE | Windows/Linux/MacOS | Vault7 |
| QuarkMatter | 2016 | 2013? | ESP | Windows/Linux | Vault7 |
| LoJaX | 2018 | 2017 or earlier | DXE | Windows | APT28 |
| TrickBot/TrickBoot | 2020 | 2017 | DXE | Windows | N/A |
| FinSpy | 2021 | 2011 | MBR/ESP | Windows/Linux/MacOS | N/A |
| ESPecter | 2021 | 2012/2020 | MBR/ESP | Windows | N/A |
| Rovnix (Leaked source code) | 2011 | ? | MBR/VBR | Windows | N/A |
| MosaicRegressor | 2020 | ? | DXE | Windows | N/A |
| Implant.ARM.iLOBleed.a | 2021 | ? | BMC | Linux | N/A |
| MoonBounce based on Vector-EDK | 2021 | ? | DXE | Windows | APT41 |
| Conti leaked chat | 2021 | ? | CSME via undocumented HECI, SMM | Windows/Linux/? | Conti group |
| CosmicStrand | 2022 | 2017 | DXE | Windows/? | N/A |
| BlackLotus | 2022 | 2022 | ESP | Windows | N/A |
Massive exploitation
| Vulnerability | Target |
|---|---|
| CVE-2022-21894 | UEFI Secure Boot |
Threat model - "Know your enemy"
HardenedVault is mainly focus on figuring out the infection stage of bootkits, which is crucial to work on security features for defense in VaultBoot. A typical malicious firmware may check if the security protections are set and implant (write) the bootkits into SPI flash if they're not set correctly (e.g. Write protection is not set, etc). If security protections are set properly, malicious firmware might achieve the persistent by utilizing exploits (e.g. CVE-2014-8273). Bootkits usually targeted MBR/ESP in the early 2010s, but as the cost of firmware attack decreased rapidly, the modern bootkits started to target DXE or even PEI.
