Cybersecurity researchers have uncovered a brand new Linux rootkit known as PUMAKIT that comes with capabilities to escalate privileges, conceal information and directories, and conceal itself from system instruments, whereas concurrently evading detection.
“PUMAKIT is a classy loadable kernel module (LKM) rootkit that employs superior stealth mechanisms to cover its presence and preserve communication with command-and-control servers,” Elastic Safety Lab researchers Remco Sprooten and Ruben Groenewoud stated in a technical report printed Thursday.
The corporate’s evaluation comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.
The internals of the malware relies on a multi-stage structure that contains a dropper part named “cron,” two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma.ko”), and a shared object (SO) userland rootkit known as Kitsune (“lib64/libs.so”).
It additionally makes use of the inner Linux operate tracer (ftrace) to hook into as many as 18 completely different system calls and varied kernel features corresponding to “prepare_creds,” and “commit_creds” to change core system behaviors and achieve its targets.
“Distinctive strategies are used to work together with PUMA, together with utilizing the rmdir() syscall for privilege escalation and specialised instructions for extracting configuration and runtime data,” the researchers stated.
“Via its staged deployment, the LKM rootkit ensures it solely prompts when particular circumstances, corresponding to safe boot checks or kernel image availability, are met. These circumstances are verified by scanning the Linux kernel, and all obligatory information are embedded as ELF binaries inside the dropper.”
The executable “/memfd:tgt” is the default Ubuntu Linux Cron binary sans any modifications, whereas “/memfd:wpn” is a loader for the rootkit assuming the circumstances are glad. The LKM rootkit, for its half, comprises an embedded SO file that is used to work together with the rookie from userspace.
Elastic famous that each stage of the an infection chain is designed to cover the malware’s presence and benefit from memory-resident information and particular checks previous to unleashing the rootkit. PUMAKIT has not been attributed to any identified risk actor or group.
“PUMAKIT is a posh and stealthy risk that makes use of superior strategies like syscall hooking, memory-resident execution, and distinctive privilege escalation strategies. Its multi-architectural design highlights the rising sophistication of malware concentrating on Linux methods,” the researchers concluded.