A brand new Linux rootkit malware known as Pumakit has been found that makes use of stealth and superior privilege escalation methods to cover its presence on methods.
The malware is a multi-component set that features a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit.
Elastic Safety found Pumakit in a suspicious binary (‘cron’) add on VirusTotal, dated September 4, 2024, and reported having no visibility into who makes use of it and what it targets.
Usually, these instruments are utilized by superior risk actors focusing on important infrastructure and enterprise methods for espionage, monetary theft, and disruption operations.
The Pumakit
Pumakit employs a multi-stage an infection course of beginning with a dropper named ‘cron,’ which executes embedded payloads (‘/memfd:tgt’ and ‘/memfd:wpn’) totally from reminiscence.
The ‘/memfd:wpn’ payload, which executes in a toddler course of, performs surroundings checks and kernel picture manipulation and ultimately deploys the LKM rootkit module (‘puma.ko’) into the system kernel.
Embedded throughout the LKM rootkit is Kitsune SO (‘lib64/libs.so’), appearing because the userland rootkit that injects itself into processes utilizing ‘LD_PRELOAD’ to intercept system calls on the person stage.
Supply: Elastic Safety
Stealthy privilege escalation
The rootkit follows a conditional activation, checking for particular kernel symbols, safe boot standing, and different conditions earlier than loading.
Elastic says Puma makes use of the ‘kallsyms_lookup_name()’ operate to govern system conduct. This means the rootkit was designed to solely goal Linux kernels earlier than model 5.7, as newer variations now not export the operate and, subsequently, cannot be utilized by different kernel modules.
“The LKM rootkit’s means to govern system conduct begins with its use of the syscall desk and its reliance on kallsyms_lookup_name() for image decision,” explains Elastic researchers Remco Sprooten and Ruben Groenewoud.
“In contrast to fashionable rootkits focusing on kernel variations 5.7 and above, the rootkit doesn’t use kprobes, indicating it’s designed for older kernels.”
Puma hooks 18 syscalls and a number of kernel features utilizing ‘ftrace,’ to achieve privilege escalation, command execution, and the power to cover processes.
Supply: Elastic Safety
The kernel features ‘prepare_creds’ and ‘commit_creds’ are abused to switch course of credentials, granting root privileges to particular processes.
Supply: Elastic Safety
The rootkit can disguise its personal presence from kernel logs, system instruments, and antivirus, and can even disguise particular recordsdata in a listing and objects from course of lists.
If the hooks are interrupted, the rootkit reinitializes them, guaranteeing that its malicious adjustments aren’t reverted and the module can’t be unloaded.
The userland rootkit Kitsune SO operates in synergy with Puma, extending its stealth and management mechanisms to user-facing interactions.
It intercepts user-level system calls and alters the conduct of seems to be like ls, ps, netstat, prime, htop, and cat to cover recordsdata, processes, and community connections related to the rootkit
It may possibly additionally dynamically disguise every other recordsdata and directories based mostly on attacker-defined standards and make malicious binaries totally invisible to customers and system admins.
Kitsune SO additionally handles all communications with the command and management (C2) server, relaying instructions to the LKM rootkit and transmitting configuration and system information to the operators.
Apart from file hashes, Elastic Safety has printed a YARA rule to assist Linux system directors detect Pumakit assaults.
