T1542.003 Bootkit
Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer’s operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
In BIOS systems, a bootkit may modify the Master Boot Record (MBR) and/or Volume Boot Record (VBR).[2] The MBR is the first sector of the disk loaded after the BIOS completes hardware initialization; it holds the first-stage boot loader. An adversary with raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.[1]
The MBR passes control of the boot process to the VBR. As with the MBR, an adversary with raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
In UEFI (Unified Extensible Firmware Interface) systems, a bootkit may instead create or modify files in the EFI system partition (ESP). The ESP is a partition on the storage of a UEFI device that holds the boot loaders and other utilities the firmware uses to start the OS. An adversary can use newly created or patched files in the ESP to run malicious kernel code.[4][3]
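The checks a defender would run against the two locations described above, as an added example written for this page (not MITRE's or any vendor's tooling): parse a raw 512-byte MBR, hash its boot-code region against a known-good baseline so that a rewritten boot loader shows up as a mismatch, and diff the files on the ESP against a manifest. The MBR layout assumed is the classic one (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature); every sample sector, hash and ESP file in the block is constructed. In practice the sector comes from reading the first 512 bytes of the boot device and the ESP contents from the mounted partition.

```python
"""Added example for this page (not MITRE's or any vendor's code): baseline-and-compare
integrity checks for the pre-OS locations a bootkit modifies, the legacy MBR boot code
and the files on the EFI system partition (ESP). Layout assumed: classic MBR."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: code the BIOS jumps into at 0x7C00
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> list[Partition]:
    """Validate the signature and decode the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("MBR signature 0x55AA missing")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                           # type 0 marks an unused slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 over the boot-code region only, so legitimate partition-table edits
    do not disturb the baseline while a replaced loader does."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def mbr_boot_code_modified(sector: bytes, baseline: str) -> bool:
    parse_mbr(sector)                            # refuse to judge a malformed sector
    return boot_code_hash(sector) != baseline


def esp_diff(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare ESP contents (path -> bytes) against a manifest (path -> SHA-256 hex).
    Any path in 'added' or 'modified' is a candidate planted or patched loader."""
    now = {p: hashlib.sha256(d).hexdigest() for p, d in current.items()}
    return {
        "added": sorted(p for p in now if p not in baseline),
        "modified": sorted(p for p in now if p in baseline and now[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in now),
    }


# ---- constructed sample data (not taken from any real disk) ----
def make_sample_mbr(boot_code: bytes) -> bytes:
    """Synthetic MBR: padded boot code, one bootable type-0x07 partition, signature."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return body + entry + b"\x00" * 48 + MBR_SIGNATURE


PRISTINE_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = boot_code_hash(PRISTINE_MBR)      # record this at a known-good time
TAMPERED_MBR = make_sample_mbr(b"\xeb\x3c\x90")   # same partitions, different boot code

ESP_MANIFEST = {
    "EFI/BOOT/BOOTX64.EFI": hashlib.sha256(b"loader-v1").hexdigest(),
    "EFI/Microsoft/Boot/bootmgfw.efi": hashlib.sha256(b"bootmgr-v1").hexdigest(),
}
ESP_NOW = {
    "EFI/BOOT/BOOTX64.EFI": b"loader-v1",
    "EFI/Microsoft/Boot/bootmgfw.efi": b"bootmgr-v1-patched",
    "EFI/BOOT/extra.efi": b"unexpected file",
}

if __name__ == "__main__":
    print(parse_mbr(PRISTINE_MBR))
    print("MBR boot code modified:", mbr_boot_code_modified(TAMPERED_MBR, BASELINE_HASH))
    print("ESP diff:", esp_diff(ESP_MANIFEST, ESP_NOW))
```

Hashing only the boot-code bytes is deliberate: partition managers rewrite bytes 446 to 511 during normal operation, and a baseline over the whole sector would alert on every resize. The baseline hash and ESP manifest must be captured from a host known to be clean and stored off the host, since a bootkit with raw disk access can also rewrite anything kept locally.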
| Item | Value |
|---|---|
| ID | T1542.003 |
| Sub-techniques | T1542.001, T1542.002, T1542.003, T1542.004, T1542.005 |
| Tactics | TA0003, TA0005 |
| Platforms | Linux, Windows |
| Version | 1.2 |
| Created | 19 December 2019 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[21] |
| G0096 | APT41 | APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[18] |
| S0114 | BOOTRASH | BOOTRASH is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.[2][14][15] |
| S0484 | Carberp | Carberp has installed a bootkit on the system to maintain persistence.[7] |
| S0182 | FinFisher | Some FinFisher variants incorporate an MBR rootkit.[17][16] |
| G0032 | Lazarus Group | Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.[20][19] |
| S0112 | ROCKBOOT | ROCKBOOT is a Master Boot Record (MBR) bootkit that uses the MBR to establish persistence.[14] |
| S0266 | TrickBot | TrickBot can implant malicious code into a compromised device’s firmware.[13] |
| S0689 | WhisperGate | WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.[9][10][11][8][12] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1046 | Boot Integrity | Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised.[6][5] |
| M1026 | Privileged Account Management | Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit. |
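To verify that the Boot Integrity mitigation (M1046) is actually in force on a UEFI Linux host rather than merely configured, the following added example (written for this page, not MITRE's, Microsoft's or the TCG's code) decodes the UEFI SecureBoot and SetupMode variables as exposed through efivarfs. It assumes the efivarfs record layout of a 4-byte little-endian attribute mask followed by the variable data, and the standard EFI global-variable GUID; the sample byte strings are constructed.

```python
"""Added example (not from the ATT&CK page): decode the UEFI SecureBoot and SetupMode
variables from Linux efivarfs to confirm the Secure Boot control is enforced."""
import struct
from pathlib import Path

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE
EFIVARS = Path("/sys/firmware/efi/efivars")


def decode_efivar(raw: bytes) -> tuple[int, bytes]:
    """efivarfs files begin with a 4-byte attribute mask; the variable data follows."""
    if len(raw) < 4:
        raise ValueError("efivarfs record too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_enforced(secureboot_raw: bytes, setupmode_raw: bytes) -> bool:
    """Unsigned loaders on the ESP are rejected only if SecureBoot == 1 AND SetupMode == 0.
    A host in setup mode reports SecureBoot but does not enforce the signature database."""
    _, sb = decode_efivar(secureboot_raw)
    _, sm = decode_efivar(setupmode_raw)
    return len(sb) >= 1 and sb[0] == 1 and len(sm) >= 1 and sm[0] == 0


def read_host_state():
    """Evaluate the live variables on this host; None if not UEFI-booted or unreadable."""
    sb_path = EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}"
    sm_path = EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}"
    try:
        return secure_boot_enforced(sb_path.read_bytes(), sm_path.read_bytes())
    except (OSError, ValueError):
        return None


# Constructed samples: attribute mask 0x06 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS), then 1 data byte.
SAMPLE_ENFORCED = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")  # SecureBoot=1, SetupMode=0
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")  # weak: SecureBoot=0
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x01")     # weak: still in setup mode

if __name__ == "__main__":
    for name, sample in (("enforced", SAMPLE_ENFORCED), ("disabled", SAMPLE_DISABLED),
                         ("setup mode", SAMPLE_SETUP)):
        print(f"{name}: {secure_boot_enforced(*sample)}")
    print("this host:", read_host_state())
```

Checking SetupMode alongside SecureBoot is the point of the example: a system that reports SecureBoot enabled while still in setup mode accepts any loader placed in the ESP. On Windows the equivalent check is the `Confirm-SecureBootUEFI` cmdlet. Neither check applies to legacy BIOS/MBR hosts, where a TPM-measured boot chain is the remaining control for the MBR and VBR overwrites described above.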
References
- Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.
- Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024.
- Martin Smolár. (2023, March 1). BlackLotus UEFI bootkit: Myth confirmed. Retrieved February 11, 2025.
- Microsoft Incident Response. (2023, April 11). Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign. Retrieved February 12, 2025.
- Microsoft. (n.d.). Secure the Windows 10 boot process. Retrieved April 23, 2020.
- Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.
- Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You’re in a Black Hole, Stop Digging. Retrieved July 15, 2020.
- Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
- Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.
- Cybereason Nocturnus. (2022, February 15). Cybereason vs. WhisperGate and HermeticWiper. Retrieved March 10, 2022.
- MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
- S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
- Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.
- Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.
- Glyer, C. (2017, June 22). Boot What?. Retrieved November 17, 2024.
- Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.