CyberSecurity news


@feeds.feedburner.com //
Cybersecurity researchers have discovered a new Linux rootkit named PUMAKIT that employs sophisticated techniques to evade detection and maintain persistence. The malware uses a staged deployment, activating its core functionality only under specific conditions, such as secure boot verification. PUMAKIT embeds the files it needs as ELF binaries within a dropper component named "cron", so that every component required for its operation is readily available. The rootkit has a multi-stage architecture: a memory-resident executable named "/memfd:tgt", a loader called "/memfd:wpn", a loadable kernel module (LKM) rootkit named "puma.ko", and a shared-object userland rootkit called Kitsune.

The PUMAKIT rootkit uses advanced methods such as syscall hooking, memory-resident execution, and privilege escalation to hide its presence and maintain communication with command-and-control servers. It hooks 18 system calls, as well as kernel functions such as "prepare_creds" and "commit_creds", using the internal Linux function tracer (ftrace) to alter system behaviour. Unusually, the rootkit uses the rmdir() system call as its privilege escalation trigger. PUMAKIT activates the LKM rootkit only after specific security checks and kernel symbol verification are complete. The researchers have not yet attributed the malware to any known threat actor.
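Two of the traits above leave host-side traces a defender can look for: a process whose main binary exists only in a memfd shows up as a "/memfd:…" exe link in /proc, and ftrace callbacks registered by a kernel module are listed in /sys/kernel/tracing/enabled_functions. The script below is an added example written for this summary, not tooling from Elastic or any of the cited sources; the sample enabled_functions lines, the module name "sample_lkm" and the callback names in it are constructed, and matching syscall entry stubs ("sys_", "__x64_sys_") as hook sites is an assumption.

```python
"""Triage for two PUMAKIT traits from the write-up: memfd-only executables and ftrace callbacks a module attached to kernel functions."""
import os
import re

WATCHED = {"prepare_creds", "commit_creds"}                    # named in the write-up
SYSCALL_RE = re.compile(r"^(__x64_|__arm64_|__ia32_)?sys_")  # assumed hook sites
MODULE_RE = re.compile(r"\[([A-Za-z0-9_]+)\]")

def memfd_backed(exe_links):
    """exe_links: pid -> readlink('/proc/<pid>/exe'). A main binary like
    '/memfd:tgt (deleted)' was launched from an anonymous memory file."""
    return sorted(p for p, path in exe_links.items() if path.startswith("/memfd:"))

def hooked_functions(text):
    """Parse /sys/kernel/tracing/enabled_functions into (function, module) pairs.
    First token is the traced function; '[name]' later on the line is the module
    owning the callback (None = built-in). Column layout varies by kernel."""
    hooks = []
    for line in text.splitlines():
        parts = line.split()
        if parts:
            m = MODULE_RE.search(line)
            hooks.append((parts[0], m.group(1) if m else None))
    return hooks

def suspicious_hooks(text):
    """Keep only module-placed hooks on cred helpers or syscall entry stubs."""
    return [(f, mod) for f, mod in hooked_functions(text)
            if mod and (f in WATCHED or SYSCALL_RE.match(f))]

def scan_live():
    """Run both checks on this host; root is needed to read most pids' exe links."""
    links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links[int(pid)] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
    try:
        with open("/sys/kernel/tracing/enabled_functions") as fh:
            hooks = suspicious_hooks(fh.read())
    except OSError:  # tracefs not mounted or not readable
        hooks = []
    return memfd_backed(links), hooks

SAMPLE = (  # constructed enabled_functions output, not a real capture
    "prepare_creds (1) R I tramp: 0xffffffffc0a00000 (cb_creds+0x0/0x40 [sample_lkm]) ->ftrace_ops_assist_func\n"
    "__x64_sys_rmdir (1) R I tramp: 0xffffffffc0a01000 (cb_rmdir+0x0/0x80 [sample_lkm]) ->ftrace_ops_assist_func\n"
    "schedule (1) tramp: 0xffffffffa0000000 (sched_probe+0x0/0x10 [trace_tool]) ->ftrace_ops_list_func\n"
)
```

On older kernels the tracing files live under /sys/kernel/debug/tracing instead, and a rootkit that hides its own module or filters tracefs reads will not show up here, so treat an empty result as inconclusive rather than clean.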



References:
  • BleepingComputer: A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems.
  • Virus Bulletin: Elastic Security's Remco Sprooten & Ruben Groenewoud analyse the PUMAKIT malware.
  • The Hacker News: New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection
  • www.bleepingcomputer.com: New Stealthy PUMAKIT Linux Rootkit Malware Spotted in the Wild
  • Techzine Global: New Linux malware Pumakit manages to hide itself
  • infosec.exchange: Elastic: Declawing PUMAKIT More: New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection
  • indieweb.social: New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection
  • malware.news: Upstart Pumakit Linux rootkit malware examined
  • www.scworld.com: Upstart Pumakit Linux rootkit malware examined
  • securityaffairs.com: PUMAKIT, a sophisticated rootkit that uses advanced stealth mechanisms
  • securityonline.info: Stealth, Persistence, and Privilege Escalation: A Sophisticated PUMAKIT Linux Malware
Classification:
  • HashTags: #Pumakit #LinuxRootkit #AdvancedMalware
  • Company: Multiple
  • Target: Linux systems
  • Product: Linux
  • Feature: stealth
  • Malware: Pumakit
  • Type: Malware
  • Severity: Major