Cybersecurity researchers have uncovered a brand new Linux rootkit known as PUMAKIT that comes with capabilities to escalate privileges, disguise information and directories, and conceal itself from system instruments, whereas concurrently evading detection.
“PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers,” Elastic Safety Lab researchers Remco Sprooten and Ruben Groenewoud mentioned in a technical report printed Thursday.
The corporate’s evaluation comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.
The internals of the malware relies on a multi-stage structure that includes a dropper element named “cron,” two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma.ko”), and a shared object (SO) userland rootkit known as Kitsune (“lib64/libs.so”).
It additionally makes use of the inner Linux perform tracer (ftrace) to hook into as many as 18 totally different system calls and varied kernel capabilities similar to “prepare_creds,” and “commit_creds” to change core system behaviors and achieve its targets.
“Unique methods are used to interact with PUMA, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information,” the researchers mentioned.
“Through its staged deployment, the LKM rootkit ensures it only activates when specific conditions, such as secure boot checks or kernel symbol availability, are met. These conditions are verified by scanning the Linux kernel, and all necessary files are embedded as ELF binaries within the dropper.”
The executable “/memfd:tgt” is the default Ubuntu Linux Cron binary sans any modifications, whereas “/memfd:wpn” is a loader for the rootkit assuming the situations are happy. The LKM rootkit, for its half, accommodates an embedded SO file that is used to work together with the rookie from userspace.
Elastic famous that each stage of the an infection chain is designed to cover the malware’s presence and benefit from memory-resident information and particular checks previous to unleashing the rootkit. The corporate advised The Hacker Information that it isn’t attributing PUMAKIT to any identified risk actor or group at this stage.
“PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods. Its multi-architectural design highlights the growing sophistication of malware targeting Linux systems,” the researchers concluded.