2024-12-27 04:13:11 Pacfic
Pumakit Linux Rootkit Uses Stealth Tactics - 13d
Cybersecurity researchers have discovered a new Linux rootkit named PUMAKIT that employs sophisticated techniques to evade detection and maintain persistence. The malware utilizes a staged deployment, activating its core functionalities only under specific conditions, such as secure boot verification. PUMAKIT embeds necessary files as ELF binaries within a dropper component named "cron", ensuring all components necessary for its operations are readily available. This rootkit features a multi-stage architecture which includes a memory-resident executable named "/memfd:tgt" a loader called "/memfd:wpn", a loadable kernel module (LKM) rootkit named "puma.ko" and a shared object userland rootkit called Kitsune.
The PUMAKIT rootkit uses advanced methods such as syscall hooking, memory-resident execution, and privilege escalation, to hide its presence and maintain communication with command-and-control servers. It hooks into 18 system calls using the internal Linux function tracer (ftrace) along with functions like "prepare_creds" and "commit_creds" to alter system behaviors. Uniquely, the rootkit uses the rmdir() system call for privilege escalation. PUMAKIT ensures the LKM rootkit is activated only after specific security checks and kernel symbol verification are complete. The researchers have not yet attributed the malware to any known threat actor.
ImgSrc: www.bleepstatic.com
References:
- @BleepingComputer - A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems. - 13d
- @VirusBulletin - Elastic Security's Remco Sprooten & Ruben Groenewoud analyse the PUMAKIT malware. - 13d
- The Hacker News - New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection - 13d
- Over Security - New Stealthy PUMAKIT Linux Rootkit Malware Spotted in the Wild - 13d
- Techzine Global - New Linux malware Pumakit manages to hide itself - 13d
- @AAKL - Elastic: Declawing PUMAKIT More: New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection - 13d
- @jbz - New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection - 12d
- Malware Analysis, News and Indicators - Upstart Pumakit Linux rootkit malware examined - 12d
- SCM feed for Threat Management - Upstart Pumakit Linux rootkit malware examined - 12d
- Security Affairs - PUMAKIT, a sophisticated rootkit that uses advanced stealth mechanisms - 11d
- Malware Archives - Stealth, Persistence, and Privilege Escalation: A Sophisticated PUMAKIT Linux Malware - 11d
Classification:
- HashTags: Pumakit LinuxRootkit AdvancedMalware
- Company: Multiple
- Target: Linux systems
- Product: Linux
- Feature: stealth
- Type: Malware
- Severity: Major