Firmware threats such as bootkits and implants have become increasingly prevalent because of their persistence and their ability to evade detection compared to traditional OS-level malware. Attackers favor these threats because they can remain undetected even when conventional security measures are in place, especially if UEFI Secure Boot has been disabled through physical access or UEFI exploits. Detecting unknown bootkits under these circumstances is a critical challenge in cybersecurity. Almost all publicly known UEFI implants and bootkits have been detected only after successful deployment, which points to the limitations of existing security solutions.
This presentation introduces a novel methodology for detecting UEFI bootkits by analyzing their unique code behaviors. We conducted an in-depth study of existing bootkits, including Lojax, MosaicRegressor, MoonBounce, CosmicStrand, ESPecter, and BlackLotus. During our research we identified common code characteristics such as hook chains, persistence mechanisms, and other distinctive features. Leveraging these insights, we developed a methodology for generic detection techniques based on code similarity.
In addition, we crafted Yara and FwHunt rules focusing on the OS kernel and driver hooks implemented by bootkits. Applying our approach through VirusTotal retrohunts and Binarly Risk Hunt telemetry data led to the discovery of six previously unidentified bootkit samples. Notably, three of these samples were entirely undetected by existing security tools, while the others had minimal detections and were not recognized as bootkits. These findings not only validate the effectiveness of our detection strategy but also highlight the ongoing challenges of bootkit detection in threat intelligence. By shedding light on these elusive threats, our research advances firmware security and underscores the need for continued efforts to improve detection capabilities against sophisticated bootkits.