
New stealthy Pumakit Linux rootkit malware spotted in the wild


A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems.

The malware is a multi-component set that includes a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit.

Elastic Security discovered Pumakit in a suspicious binary ('cron') uploaded to VirusTotal, dated September 4, 2024, and reported having no visibility into who uses it and what it targets.

Typically, these tools are used by advanced threat actors targeting critical infrastructure and enterprise systems for espionage, financial theft, and disruption operations.

The Pumakit

Pumakit employs a multi-stage infection process starting with a dropper named 'cron,' which executes embedded payloads ('/memfd:tgt' and '/memfd:wpn') entirely from memory.

The '/memfd:wpn' payload, which executes in a child process, performs environment checks and kernel image manipulation and eventually deploys the LKM rootkit module ('puma.ko') into the system kernel.

Embedded within the LKM rootkit is Kitsune SO ('lib64/libs.so'), acting as the userland rootkit that injects itself into processes using 'LD_PRELOAD' to intercept system calls at the user level.

Pumakit infection chain
Source: Elastic Security
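The two user-space artifacts of this chain, payloads that exist only as memfd-backed mappings and a shared object pushed into processes through LD_PRELOAD, are both visible under /proc. The following triage helpers are an added example written for this article, not Elastic's tooling: they parse /proc/&lt;pid&gt;/maps, /proc/&lt;pid&gt;/environ and /etc/ld.so.preload for those two signals. The /memfd:tgt, /memfd:wpn and lib64/libs.so names are taken from the article; the /proc contents used as sample input are constructed.

```python
"""Host triage for memfd-only executables and LD_PRELOAD injection.

Added example (not Elastic's code). All SAMPLE_* data below is constructed;
the live scan reads the real /proc only when the script is run on Linux.
"""
import os
from typing import List, Optional


def memfd_backed_paths(maps_text: str) -> List[str]:
    """Return executable mappings backed by memfd from a /proc/<pid>/maps dump.

    Each maps line is 'addr perms offset dev inode pathname'. A payload created
    with memfd_create() and never written to disk appears as
    '/memfd:<name> (deleted)'; only mappings with the x bit are reported.
    """
    hits = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:          # anonymous mapping, no pathname column
            continue
        perms, path = parts[1], parts[5]
        if "x" in perms and path.startswith("/memfd:"):
            hits.append(path)
    return hits


def preload_from_environ(environ_bytes: bytes) -> Optional[str]:
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def preload_libs(ld_so_preload_text: str) -> List[str]:
    """Library paths listed in /etc/ld.so.preload (system-wide preload).

    The file is normally absent or empty; any entry deserves a look.
    """
    libs = []
    for line in ld_so_preload_text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop comments and blanks
        if entry:
            libs.append(entry)
    return libs


def triage_process(pid: int, maps_text: str, environ_bytes: bytes, exe_link: str) -> dict:
    """Combine the per-process signals into one finding record."""
    finding = {
        "pid": pid,
        "memfd_exec": memfd_backed_paths(maps_text),
        "ld_preload": preload_from_environ(environ_bytes),
        "exe_is_memfd": exe_link.startswith("/memfd:"),  # /proc/<pid>/exe target
    }
    finding["suspicious"] = bool(
        finding["memfd_exec"] or finding["ld_preload"] or finding["exe_is_memfd"]
    )
    return finding


def scan_live_procfs() -> List[dict]:
    """Run the checks over every readable pid in the real /proc (Linux only)."""
    results = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/maps") as f:
                maps = f.read()
            with open(f"/proc/{pid}/environ", "rb") as f:
                env = f.read()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:               # exited, or not ours to read
            continue
        record = triage_process(pid, maps, env, exe)
        if record["suspicious"]:
            results.append(record)
    return results


# Constructed sample input modelled on the chain described in the article.
SAMPLE_MAPS = """\
55d8c0000000-55d8c0001000 r--p 00000000 00:05 1017 /memfd:tgt (deleted)
55d8c0001000-55d8c0005000 r-xp 00001000 00:05 1017 /memfd:tgt (deleted)
7f3c00000000-7f3c00003000 r-xp 00000000 00:05 1018 /memfd:wpn (deleted)
7f3c10000000-7f3c10010000 rw-p 00000000 00:00 0
7f3c20000000-7f3c20020000 r-xp 00000000 08:01 262 /usr/lib64/libc.so.6
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/lib64/libs.so\0HOME=/root\0"
SAMPLE_EXE = "/memfd:tgt (deleted)"

if __name__ == "__main__":
    print(triage_process(4242, SAMPLE_MAPS, SAMPLE_ENVIRON, SAMPLE_EXE))
    if os.path.isdir("/proc"):
        for record in scan_live_procfs():
            print(record)
```

One caveat a responder should keep in mind: a userland rootkit that is preloaded into the scanning process itself can lie to it (the article describes Kitsune altering ls, ps and similar tools), so run checks like these from a statically linked binary, a live CD, or against a disk image rather than trusting the running system's libc.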

Stealthy privilege escalation

The rootkit follows a conditional activation, checking for specific kernel symbols, secure boot status, and other prerequisites before loading.

Elastic says Puma uses the 'kallsyms_lookup_name()' function to manipulate system behavior. This indicates the rootkit was designed to target only Linux kernels before version 5.7, as newer versions no longer export the function and, therefore, it cannot be used by other kernel modules.

"The LKM rootkit's ability to manipulate system behavior begins with its use of the syscall table and its reliance on kallsyms_lookup_name() for symbol resolution," explain Elastic researchers Remco Sprooten and Ruben Groenewoud.

"Unlike modern rootkits targeting kernel versions 5.7 and above, the rootkit does not use kprobes, indicating it is designed for older kernels."

Puma hooks 18 syscalls and several kernel functions using 'ftrace' to achieve privilege escalation, command execution, and the ability to hide processes.

Using ftrace to hook syscalls
Source: Elastic Security

The kernel functions 'prepare_creds' and 'commit_creds' are abused to modify process credentials, granting root privileges to specific processes.

Performing privilege escalation
Source: Elastic Security
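Three of the kernel-side facts in this section translate directly into host checks: the kallsyms_lookup_name() dependency means only kernels older than 5.7 are in scope; ftrace callbacks attached to syscall entry points and to functions such as prepare_creds and commit_creds are listed by the kernel itself in the tracing debugfs; and a module that removes itself from the module list usually still has a /sys/module/&lt;name&gt; directory. The helpers below are an added example written for this article, not Elastic's detection logic. The enabled_functions and /proc/modules samples are constructed; the 5.7 threshold and the hooked function names come from the article.

```python
"""Kernel-side triage: kallsyms_lookup_name exposure, ftrace callbacks on
syscall entries, and modules missing from the module list.

Added example (not Elastic's code). SAMPLE_* data is constructed; the live
checks run only on Linux and need root to read the tracing files.
"""
import os
import platform
import re
from typing import Iterable, List, Optional


def kallsyms_lookup_name_exported(release: str) -> bool:
    """True when the release string (uname -r) is older than 5.7, i.e. the kernel
    still exports kallsyms_lookup_name() to loadable modules (per the article)."""
    m = re.match(r"^(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))) < (5, 7)


def ftrace_hooked_functions(enabled_functions_text: str) -> List[str]:
    """Function names that currently have an ftrace callback attached.

    Parsed from /sys/kernel/tracing/enabled_functions (older kernels:
    /sys/kernel/debug/tracing/enabled_functions), one function per line with the
    name as the first token. A quiet host has an empty file, but perf, BPF
    kprobes and livepatch also populate it, so treat hits as a triage signal.
    """
    return [ln.split()[0] for ln in enabled_functions_text.splitlines() if ln.strip()]


# Architecture-specific syscall entry symbol prefixes used by the kernel.
SYSCALL_ENTRY_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_", "sys_")


def syscall_hooks(enabled_functions_text: str) -> List[str]:
    """Subset of hooked functions that are syscall entry points."""
    return [fn for fn in ftrace_hooked_functions(enabled_functions_text)
            if fn.startswith(SYSCALL_ENTRY_PREFIXES)]


def hidden_modules(proc_modules_text: str, sys_module_names: Iterable[str]) -> List[str]:
    """Modules present under /sys/module but absent from /proc/modules.

    lsmod reads /proc/modules, which is built from the kernel's module list; a
    module that unlinks itself from that list is invisible there but usually keeps
    its /sys/module/<name> directory. Callers should pass only loadable modules
    (those with an 'initstate' file), since built-in code also appears in /sys/module.
    """
    listed = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(name for name in sys_module_names if name not in listed)


def loaded_sys_modules() -> List[str]:
    """Names under /sys/module that have an initstate file (loadable modules)."""
    base = "/sys/module"
    if not os.path.isdir(base):
        return []
    return [n for n in os.listdir(base) if os.path.exists(os.path.join(base, n, "initstate"))]


def read_first_existing(paths: Iterable[str]) -> Optional[str]:
    """Contents of the first readable path, or None (tracing fs may be unmounted)."""
    for p in paths:
        try:
            with open(p) as f:
                return f.read()
        except OSError:
            continue
    return None


# Constructed samples: three functions carrying callbacks, two modules in the list.
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_getdents64 (1) R I tramp: 0xffffffffc0a3e000 (0xffffffffc0a3d000) ->ftrace_ops_assist_func+0x0/0x110
prepare_creds (1) R I tramp: 0xffffffffc0a3e000 (0xffffffffc0a3d000) ->ftrace_ops_assist_func+0x0/0x110
commit_creds (1) R I tramp: 0xffffffffc0a3e000 (0xffffffffc0a3d000) ->ftrace_ops_assist_func+0x0/0x110
"""
SAMPLE_PROC_MODULES = """\
ext4 778240 2 - Live 0xffffffffc0900000
xfs 1687552 0 - Live 0xffffffffc0700000
"""

if __name__ == "__main__":
    print("sample syscall hooks:", syscall_hooks(SAMPLE_ENABLED_FUNCTIONS))
    print("sample hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, ["ext4", "puma", "xfs"]))
    if platform.system() == "Linux":
        rel = platform.release()
        print(f"kernel {rel}: kallsyms_lookup_name exported -> {kallsyms_lookup_name_exported(rel)}")
        ef = read_first_existing(["/sys/kernel/tracing/enabled_functions",
                                  "/sys/kernel/debug/tracing/enabled_functions"])
        if ef is not None:
            print("live syscall entries with ftrace callbacks:", syscall_hooks(ef))
        pm = read_first_existing(["/proc/modules"])
        if pm is not None:
            print("live modules missing from /proc/modules:", hidden_modules(pm, loaded_sys_modules()))
```

The version check is the cheapest of the three: a fleet running 5.7 or newer is outside the design envelope the researchers describe, while anything older should get the ftrace and module-list comparisons on a schedule. Both of those comparisons can be defeated by a rootkit that also edits the tracing files or /sys/module, which is why the article's note that the module reinitializes interrupted hooks matters: a kernel-resident adversary can always present a consistent lie, so offline memory or disk analysis remains the ground truth.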

The rootkit can hide its own presence from kernel logs, system tools, and antivirus, and can also hide specific files in a directory and entries from process lists.

If the hooks are interrupted, the rootkit reinitializes them, ensuring that its malicious changes are not reverted and the module cannot be unloaded.

The userland rootkit Kitsune SO operates in synergy with Puma, extending its stealth and control mechanisms to user-facing interactions.

It intercepts user-level system calls and alters the behavior of tools like ls, ps, netstat, top, htop, and cat to hide files, processes, and network connections associated with the rootkit.

It can also dynamically hide any other files and directories based on attacker-defined criteria and make malicious binaries completely invisible to users and system admins.

Kitsune SO also handles all communications with the command and control (C2) server, relaying commands to the LKM rootkit and transmitting configuration and system information to the operators.

Apart from file hashes, Elastic Security has published a YARA rule to help Linux system administrators detect Pumakit attacks.
