CyberSecurity news

FlagThis - #linux

@feeds.feedburner.com - 78d
Cybersecurity researchers have discovered a new Linux rootkit named PUMAKIT that employs sophisticated techniques to evade detection and maintain persistence. The malware uses a staged deployment, activating its core functionality only under specific conditions, such as secure boot verification. PUMAKIT embeds the files it needs as ELF binaries within a dropper component named "cron", so that all components required for its operation are readily available. The rootkit has a multi-stage architecture that includes a memory-resident executable named "/memfd:tgt", a loader called "/memfd:wpn", a loadable kernel module (LKM) rootkit named "puma.ko", and a shared-object userland rootkit called Kitsune.

The PUMAKIT rootkit uses advanced methods such as syscall hooking, memory-resident execution, and privilege escalation to hide its presence and maintain communication with command-and-control servers. It hooks 18 system calls using the internal Linux function tracer (ftrace), along with functions such as "prepare_creds" and "commit_creds", to alter system behavior. Unusually, the rootkit uses the rmdir() system call for privilege escalation. PUMAKIT activates the LKM rootkit only after specific security checks and kernel symbol verification are complete. The researchers have not yet attributed the malware to any known threat actor.

References:
  • BleepingComputer: A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems.
  • Virus Bulletin: Elastic Security's Remco Sprooten & Ruben Groenewoud analyse the PUMAKIT malware.
  • The Hacker News: New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection
  • www.bleepingcomputer.com: New Stealthy PUMAKIT Linux Rootkit Malware Spotted in the Wild
  • Techzine Global: New Linux malware Pumakit manages to hide itself
  • AAKL: Elastic: Declawing PUMAKIT More: New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection
  • jbz: New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection
  • malware.news: Upstart Pumakit Linux rootkit malware examined
  • www.scworld.com: Upstart Pumakit Linux rootkit malware examined
  • securityaffairs.com: PUMAKIT, a sophisticated rootkit that uses advanced stealth mechanisms
  • securityonline.info: Stealth, Persistence, and Privilege Escalation: A Sophisticated PUMAKIT Linux Malware
Classification:
  • HashTags: #Pumakit #LinuxRootkit #AdvancedMalware
  • Company: Multiple
  • Target: Linux systems
  • Product: Linux
  • Feature: stealth
  • Malware: Pumakit
  • Type: Malware
  • Severity: Major
Field Effect@Blog - 3h
A new Linux malware strain, dubbed Auto-Color, has been identified by Palo Alto Networks, targeting universities and government organizations across North America and Asia. This previously undocumented backdoor employs advanced stealth tactics to evade detection and maintain persistence on compromised systems. The method originally used to deliver Auto-Color is currently unknown; however, researchers have observed that it is often executed under unassuming file names such as "door," "egg," or "log."

Once executed, Auto-Color installs a malicious library named libcext.so.2, disguised as the legitimate libcext.so.0 library, and copies itself to the /var/log/cross/auto-color system directory. If running with root privileges, the malware modifies the '/etc/ld.preload' file to achieve persistence; without root privileges, it skips this step. Auto-Color grants attackers full remote access to compromised machines, making removal exceptionally difficult without specialized tools.
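The two items above name concrete host artifacts a defender can look for: executables running from anonymous memfd files and a "puma" kernel module (PUMAKIT), and a preload-library entry plus the /var/log/cross/auto-color directory (Auto-Color). The triage script below is an added example, not code from this page or from Elastic, Palo Alto Networks or any of the cited reports. It checks both the standard /etc/ld.so.preload file and the '/etc/ld.preload' spelling used in the item; the function names, finding tags and sample inputs are this example's own. Because a kernel rootkit that hooks syscalls can hide entries from /proc and from directory listings, a clean result on a live host is weaker evidence than the same checks run against an offline image or from a rescue boot.

```python
#!/usr/bin/env python3
"""Host triage for the Linux rootkit/backdoor artifacts described on this page.

Added example: the indicator values come from the two news items above; the
function names, tags and layout are this example's own, not any vendor's tooling.
"""
import os
import re
from typing import Dict, List

# Indicators named in the items above.
PRELOAD_FILES = ("/etc/ld.so.preload", "/etc/ld.preload")  # standard file, plus the spelling used in the item
SUSPECT_LIBS = {"libcext.so.2"}                 # Auto-Color library masquerading as libcext.so.0
SUSPECT_PATHS = ("/var/log/cross/auto-color",)  # directory Auto-Color copies itself into
SUSPECT_MODULES = {"puma"}                      # PUMAKIT LKM (puma.ko) as it appears in /proc/modules
MEMFD_RE = re.compile(r"^/memfd:")              # PUMAKIT stages execute from anonymous memfd files


def check_preload(content: str) -> List[str]:
    """Flag every entry in an ld.so.preload file; most hosts should have none at all."""
    findings = []
    for raw in content.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        tag = "KNOWN-IOC" if os.path.basename(entry) in SUSPECT_LIBS else "REVIEW"
        findings.append(f"{tag}: preload entry {entry}")
    return findings


def check_processes(exe_by_pid: Dict[int, str]) -> List[str]:
    """Flag processes whose /proc/<pid>/exe link points at a memfd rather than a file on disk."""
    return [
        f"REVIEW: pid {pid} executes from {exe}"
        for pid, exe in sorted(exe_by_pid.items())
        if MEMFD_RE.match(exe)
    ]


def check_modules(proc_modules: str) -> List[str]:
    """Flag a known rootkit module name in /proc/modules output (first field is the module name)."""
    findings = []
    for line in proc_modules.splitlines():
        fields = line.split()
        if fields and fields[0] in SUSPECT_MODULES:
            findings.append(f"KNOWN-IOC: kernel module {fields[0]} is loaded")
    return findings


def check_paths(present: List[str]) -> List[str]:
    """Flag known on-disk artifacts among the paths found to exist."""
    return [f"KNOWN-IOC: path {p} exists" for p in present if p in SUSPECT_PATHS]


def triage(preload: str, exe_by_pid: Dict[int, str], proc_modules: str, present: List[str]) -> List[str]:
    """Run every check over already-collected host state and return all findings."""
    return (check_preload(preload) + check_processes(exe_by_pid)
            + check_modules(proc_modules) + check_paths(present))


def collect_live_state():
    """Read the same state from the running host (Linux; root is needed to read every /proc/<pid>/exe)."""
    preload = ""
    for path in PRELOAD_FILES:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                preload += fh.read() + "\n"
    exe_by_pid = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                exe_by_pid[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                continue  # kernel thread, process already exited, or no permission
    try:
        with open("/proc/modules", encoding="utf-8") as fh:
            proc_modules = fh.read()
    except OSError:
        proc_modules = ""
    present = [p for p in SUSPECT_PATHS if os.path.exists(p)]
    return preload, exe_by_pid, proc_modules, present


if __name__ == "__main__":
    results = triage(*collect_live_state())
    for finding in results or ["no indicators found (a hooked kernel can still hide them)"]:
        print(finding)
```

Run it as root on the host under review; each finding is tagged KNOWN-IOC when it matches a value named in the reports above and REVIEW when it is merely unusual (any preload entry, any memfd-backed process), since legitimate software occasionally uses both.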

References:
  • Blog: Linux Systems Threatened by New ‘Auto-Color’ Backdoor
  • Information Security Buzz: ‘Auto-Color’ Linux Malware Uses Advanced Stealth Tactics to Evade Detection
  • The Hacker News: New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems
Classification:
  • HashTags: #Linux #Malware #Backdoor
  • Company: Palo Alto Networks
  • Target: Universities, Government
  • Product: libcext.so
  • Feature: Persistence
  • Malware: Auto-Color
  • Type: Malware
  • Severity: Major