Skip to content

hardenedvault/bootkit-samples

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Bootkit Showcase: Real-World Examples of Infrastructure Security Threats

Bootkits are a type of malware that infects the boot process of a computer, allowing attackers to gain persistent access and control over the system. Despite their potential to cause significant damage, many people, including security professionals, may not be familiar with the threat they pose to infrastructure security. This repository is a curated collection of bootkit samples that demonstrate the potential danger posed by this type of malware. These samples are provided for educational purposes and are intended to raise awareness of the threat landscape of bootkits, as well as to help security professionals better understand how to defend against them. All of them are from real-life attacks so be cautions about tweaking the sample for research or eductional purposes.

Password: danger

Bootkits has been found in the wild

Malware/Bootkits Disclosure date 1st blood Infection type Targeted OS Malware “vendor”
Vector-EDK (Leaked source code) 2015 2014 DXE ? HackingTeam
DerStarke 2016 2013? DXE Windows/Linux/MacOS Vault7
QuarkMatter 2016 2013? ESP Windows/Linux Vault7
LoJaX 2018 2017 or earlier DXE Windows APT28
TrickBot/TrickBoot 2020 2017 DXE Windows N/A
FinSpy 2021 2011 MBR/ESP Windows/Linux/MacOS N/A
ESPecter 2021 2012/2020 MBR/ESP Windows N/A
Rovnix (Leaked source code) 2011 ? MBR/VBR Windows N/A
MosaicRegressor 2020 ? DXE Windows N/A
Implant.ARM.iLOBleed.a 2021 ? BMC Linux N/A
MoonBounce based on Vector-EDK 2021 ? DXE Windows APT41
Conti leaked chat 2021 ? CSME via undocumented HECI, SMM Windows/Linux/? Conti group
CosmicStrand 2022 2017 DXE Windows/? N/A
BlackLotus 2022 2022 ESP Windows N/A
Bootkitty 2024 2024 ESP Linux N/A

Massive exploitation

Vulnerability Target
CVE-2022-21894 UEFI Secure Boot
LogoFAIL (CVE-2023-40238) UEFI

Threat model - "Know your enemy"

HardenedVault is mainly focus on figuring out the infection stage of bootkits, which is crucial to work on security features for defense in VaultBoot. A typical malicious firmware may check if the security protections are set and implant (write) the bootkits into SPI flash if they're not set correctly (e.g. Write protection is not set, etc). If security protections are set properly, malicious firmware might achieve the persistent by utilizing exploits (e.g. CVE-2014-8273). Bootkits usually targeted MBR/ESP in the early 2010s, but as the cost of firmware attack decreased rapidly, the modern bootkits started to target DXE or even PEI.

1

Reference

About

Bootkit sample for firmware attack

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published