New stealthy Pumakit Linux rootkit malware noticed within the wild

A brand new Linux rootkit malware referred to as Pumakit has been found that makes use of stealth and superior privilege escalation methods to cover its presence on techniques.

The malware is a multi-component set that features a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit.

Elastic Safety found Pumakit in a suspicious binary (‘cron’) add on VirusTotal, dated September 4, 2024, and reported having no visibility into who makes use of it and what it targets.

Usually, these instruments are utilized by superior risk actors focusing on essential infrastructure and enterprise techniques for espionage, monetary theft, and disruption operations. 

The Pumakit

Pumakit employs a multi-stage an infection course of beginning with a dropper named ‘cron,’ which executes embedded payloads (‘/memfd:tgt’ and ‘/memfd:wpn’) totally from reminiscence.

The ‘/memfd:wpn’ payload, which executes in a toddler course of, performs atmosphere checks and kernel picture manipulation and ultimately deploys the LKM rootkit module (‘puma.ko’) into the system kernel.

Embedded throughout the LKM rootkit is Kitsune SO (‘lib64/libs.so’), appearing because the userland rootkit that injects itself into processes utilizing ‘LD_PRELOAD’ to intercept system calls on the consumer degree.

Pumakit infection chain
Pumakit an infection chain
Supply: Elastic Safety

Stealthy privilege escalation

The rootkit follows a conditional activation, checking for particular kernel symbols, safe boot standing, and different conditions earlier than loading.

Elastic says Puma makes use of the ‘kallsyms_lookup_name()’ perform to control system conduct. This means the rootkit was designed to solely goal Linux kernels earlier than model 5.7, as newer variations now not export the perform and, due to this fact, cannot be utilized by different kernel modules.

“The LKM rootkit’s ability to manipulate system behavior begins with its use of the syscall table and its reliance on kallsyms_lookup_name() for symbol resolution,” explains Elastic researchers Remco Sprooten and Ruben Groenewoud.

“Unlike modern rootkits targeting kernel versions 5.7 and above, the rootkit does not use kprobes, indicating it is designed for older kernels.”

Puma hooks 18 syscalls and a number of kernel features utilizing ‘ftrace,’ to realize privilege escalation, command execution, and the flexibility to cover processes.

Using ftrace to hook syscalls
Utilizing ftrace to hook syscalls
Supply: Elastic Safety

The kernel features ‘prepare_creds’ and ‘commit_creds’ are abused to switch course of credentials, granting root privileges to particular processes.

Performing privilege escalation
Performing privilege escalation
Supply: Elastic Safety

The rootkit can conceal its personal presence from kernel logs, system instruments, and antivirus, and also can conceal particular recordsdata in a listing and objects from course of lists.

If the hooks are interrupted, the rootkit reinitializes them, making certain that its malicious adjustments aren’t reverted and the module can’t be unloaded.

The userland rootkit Kitsune SO operates in synergy with Puma, extending its stealth and management mechanisms to user-facing interactions.

It intercepts user-level system calls and alters the conduct of appears like ls, ps, netstat, prime, htop, and cat to cover recordsdata, processes, and community connections related to the rootkit

It will possibly additionally dynamically conceal every other recordsdata and directories primarily based on attacker-defined standards and make malicious binaries totally invisible to customers and system admins.

Kitsune SO additionally handles all communications with the command and management (C2) server, relaying instructions to the LKM rootkit and transmitting configuration and system information to the operators.

In addition to file hashes, Elastic Safety has printed a YARA rule to assist Linux system directors detect Pumakit assaults.

Recent articles