Bootkit sample from real-life attack. Be careful about tweaking the sample for research purpose.
Password: danger
| Malware/Bootkits | Disclosure date | 1st blood | Infection type | Targeted OS | Malware “vendor” |
|---|---|---|---|---|---|
| Vector-EDK (Leaked source code) | 2015 | 2014 | DXE | ? | HackingTeam |
| DerStarke | 2016 | 2013? | DXE | Windows/Linux/MacOS | Vault7 |
| QuarkMatter | 2016 | 2013? | ESP | Windows/Linux | Vault7 |
| LoJaX | 2018 | 2017 or earlier | DXE | Windows | APT28 |
| TrickBot/TrickBoot | 2020 | 2017 | DXE | Windows | N/A |
| FinSpy | 2021 | 2011 | MBR/ESP | Windows/Linux/MacOS | N/A |
| ESPecter | 2021 | 2012/2020 | MBR/ESP | Windows | N/A |
| Rovnix (Leaked source code) | 2011 | ? | MBR/VBR | Windows | N/A |
| MosaicRegressor | 2020 | ? | DXE | Windows | N/A |
| Implant.ARM.iLOBleed.a | 2021 | ? | BMC | Linux | N/A |
| MoonBounce based on Vector-EDK | 2021 | ? | DXE | Windows | APT41 |
| Conti leaked chat | 2021 | ? | CSME via undocumented HECI, SMM | Windows/Linux/? | Conti group |
HardenedVault is mainly focus on figuring out the infection stage of bootkits, which is crucial to work on security features for defense in VaultBoot. A typical malicious firmware may check if the security protections are set and implant (write) the bootkits into SPI flash if they're not set correctly (e.g. Write protection is not set, etc). If security protections are set properly, malicious firmware might achieve the persistent by utilizing exploits (e.g. CVE-2014-8273). Bootkits usually targeted MBR/ESP in the early 2010s, but as the cost of firmware attack decreased rapidly, the modern bootkits started to target DXE or even PEI.
