December 15, 2024
New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection
Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. "PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with

Dec 13, 2024Ravie LakshmananLinux / Threat Analysis

Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection.

“PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers,” Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud said in a technical report published Thursday.

The company’s analysis comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.

The internals of the malware is based on a multi-stage architecture that comprises a dropper component named “cron,” two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma.ko”), and a shared object (SO) userland rootkit called Kitsune (“lib64/libs.so”).

It also uses the internal Linux function tracer (ftrace) to hook into as many as 18 different system calls and various kernel functions such as “prepare_creds,” and “commit_creds” to alter core system behaviors and accomplish its goals.

“Unique methods are used to interact with PUMA, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information,” the researchers said.

“Through its staged deployment, the LKM rootkit ensures it only activates when specific conditions, such as secure boot checks or kernel symbol availability, are met. These conditions are verified by scanning the Linux kernel, and all necessary files are embedded as ELF binaries within the dropper.”

The executable “/memfd:tgt” is the default Ubuntu Linux Cron binary sans any modifications, whereas “/memfd:wpn” is a loader for the rootkit assuming the conditions are satisfied. The LKM rootkit, for its part, contains an embedded SO file that’s used to interact with the rookie from userspace.

Elastic noted that every stage of the infection chain is designed to hide the malware’s presence and take advantage of memory-resident files and specific checks prior to unleashing the rootkit. PUMAKIT has not been attributed to any known threat actor or group.

“PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods. Its multi-architectural design highlights the growing sophistication of malware targeting Linux systems,” the researchers concluded.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.