A new Linux rootkit named PUMAKIT has been discovered by cybersecurity researchers, equipped with capabilities to escalate privileges, hide files, and evade detection. Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud described PUMAKIT as a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to maintain communication with command-and-control servers.
The malware analysis was based on artifacts uploaded to the VirusTotal platform in September. PUMAKIT is built on a multi-stage architecture, including components like a dropper named “cron,” memory-resident executables, an LKM rootkit, and a shared object userland rootkit called Kitsune. It utilizes the ftrace function tracer to hook into system calls and kernel functions to manipulate core system behaviors.
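Because the rootkit hooks system calls through ftrace, one defender-side check is to inspect which kernel functions currently have ftrace callbacks installed and where those callbacks live. The following is an added example written for this page, not code from Elastic's write-up or from the malware: it parses text in the shape of `/sys/kernel/tracing/enabled_functions` (kernel versions differ in exact field layout, so the parser is lenient) and flags traced functions whose callback comes from a loadable module, especially when the callback carries the `I` (IPMODIFY) flag or sits on a syscall entry point. The sample lines and the module name `example_lkm` are constructed, not real PUMAKIT artifacts.

```python
"""Flag ftrace hooks that are installed on kernel functions by a loadable module.

Added example for illustration; it is not part of the original article or of the
Elastic analysis. The input format is assumed to follow the general shape of
/sys/kernel/tracing/enabled_functions:
    <function> (<hit count>) <flag letters> tramp: <addr> (<callback> [<module>]) -><assist>
Field layout varies by kernel version, so the regex is deliberately permissive.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, FrozenSet

# function name, "(count)", optional flag letters (R = saves regs, I = may modify ip, ...),
# then an optional trampoline description naming the callback
_LINE_RE = re.compile(
    r"^(?P<func>\S+)\s+\((?P<count>\d+)\)\s*(?P<flags>[A-Z ]*?)\s*(?P<rest>tramp:.*)?$"
)
# a callback symbol that lives in a loadable module is printed with "[module]"
_MODULE_RE = re.compile(r"\[(?P<mod>[\w\-]+)\]")

# Syscall entry points a file- or process-hiding rootkit has to intercept.
SENSITIVE_PREFIXES = ("__x64_sys_", "__ia32_sys_", "sys_")


@dataclass
class Hook:
    func: str
    flags: str
    module: Optional[str]  # None when the callback is built into the kernel image
    ipmodify: bool         # "I" flag: the callback is allowed to redirect execution


def parse_enabled_functions(text: str) -> List[Hook]:
    """Parse enabled_functions-style text into Hook records (comments/blank lines skipped)."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than guess
        flags = m.group("flags").replace(" ", "")
        rest = m.group("rest") or ""
        mod = _MODULE_RE.search(rest)
        hooks.append(Hook(
            func=m.group("func"),
            flags=flags,
            module=mod.group("mod") if mod else None,
            ipmodify="I" in flags,
        ))
    return hooks


def suspicious_hooks(hooks: List[Hook], allowed_modules: FrozenSet[str] = frozenset()) -> List[Hook]:
    """Return hooks whose callback comes from an unexpected module and either can
    redirect execution (IPMODIFY) or sits on a syscall entry point."""
    flagged = []
    for h in hooks:
        from_module = h.module is not None and h.module not in allowed_modules
        on_syscall = h.func.startswith(SENSITIVE_PREFIXES)
        if from_module and (h.ipmodify or on_syscall):
            flagged.append(h)
    return flagged


def scan_text(text: str, allowed_modules: FrozenSet[str] = frozenset()) -> List[str]:
    """Convenience wrapper: names of hooked functions that deserve analyst attention."""
    return [h.func for h in suspicious_hooks(parse_enabled_functions(text), allowed_modules)]


def scan_live(path: str = "/sys/kernel/tracing/enabled_functions") -> List[str]:
    """Read the live tracefs file (needs root). A rootkit may tamper with what the
    kernel reports, so treat an empty result as 'nothing visible', not 'clean'."""
    with open(path, "r", encoding="utf-8") as fh:
        return scan_text(fh.read())


# Constructed sample, not real tracefs output: three hooks from a module with
# IPMODIFY set, plus one benign kprobe-style entry from the kernel image.
SAMPLE = """\
# constructed sample
__x64_sys_getdents64 (1) R I tramp: 0xffffffffc0a3e000 (hook_thunk+0x0/0x40 [example_lkm]) ->ftrace_ops_assist_func+0x0/0xb0
__x64_sys_kill (1) R I tramp: 0xffffffffc0a3e000 (hook_thunk+0x0/0x40 [example_lkm]) ->ftrace_ops_assist_func+0x0/0xb0
vfs_read (1) R I tramp: 0xffffffffc0a3e000 (hook_thunk+0x0/0x40 [example_lkm]) ->ftrace_ops_assist_func+0x0/0xb0
schedule (1) tramp: 0xffffffffc0010000 (kprobe_ftrace_handler+0x0/0x1c0) ->ftrace_ops_assist_func+0x0/0xb0
"""

if __name__ == "__main__":
    for name in scan_text(SAMPLE):
        print("suspicious ftrace hook on", name)
```

Run it against the live file on a host you are triaging and compare the output with the list of modules you expect to be loaded; an ftrace callback on `getdents64` or `kill` that belongs to a module you cannot account for is exactly the pattern an LKM rootkit of this kind leaves behind, though a rootkit that also hides its module or filters tracefs reads can blank this view, so corroborate from a memory image or a trusted boot.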
The researchers highlighted unique methods used by PUMAKIT, such as leveraging the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information. The rootkit deploys in stages, activating only when specific conditions are met, such as secure boot checks and the availability of required kernel symbols; the dropper scans the Linux kernel and carries the files it needs embedded as ELF binaries.
The infection chain of PUMAKIT is designed to hide its presence, relying on memory-resident files and a series of checks before deploying the rootkit. Despite its complexity and stealthy nature, PUMAKIT has not been linked to any specific threat actor or group. The researchers concluded that the malware’s design reflects the increasing sophistication of threats targeting Linux systems.