Cybersecurity researchers have uncovered a brand new Linux rootkit referred to as PUMAKIT that comes with capabilities to escalate privileges, conceal information and directories, and conceal itself from system instruments, whereas concurrently evading detection.
“PUMAKIT is a complicated loadable kernel module (LKM) rootkit that employs superior stealth mechanisms to cover its presence and keep communication with command-and-control servers,” Elastic Safety Lab researchers Remco Sprooten and Ruben Groenewoud mentioned in a technical report revealed Thursday.
The corporate’s evaluation comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.
The internals of the malware is predicated on a multi-stage structure that includes a dropper part named “cron,” two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma.ko”), and a shared object (SO) userland rootkit referred to as Kitsune (“lib64/libs.so”).
It additionally makes use of the interior Linux operate tracer (ftrace) to hook into as many as 18 totally different system calls and varied kernel capabilities akin to “prepare_creds,” and “commit_creds” to change core system behaviors and achieve its objectives.
“Distinctive strategies are used to work together with PUMA, together with utilizing the rmdir() syscall for privilege escalation and specialised instructions for extracting configuration and runtime data,” the researchers mentioned.
“By way of its staged deployment, the LKM rootkit ensures it solely prompts when particular situations, akin to safe boot checks or kernel image availability, are met. These situations are verified by scanning the Linux kernel, and all needed information are embedded as ELF binaries inside the dropper.”
The executable “/memfd:tgt” is the default Ubuntu Linux Cron binary sans any modifications, whereas “/memfd:wpn” is a loader for the rootkit assuming the situations are glad. The LKM rootkit, for its half, accommodates an embedded SO file that is used to work together with the rookie from userspace.
Elastic famous that each stage of the an infection chain is designed to cover the malware’s presence and make the most of memory-resident information and particular checks previous to unleashing the rootkit. PUMAKIT has not been attributed to any identified risk actor or group.
“PUMAKIT is a fancy and stealthy risk that makes use of superior strategies like syscall hooking, memory-resident execution, and distinctive privilege escalation strategies. Its multi-architectural design highlights the rising sophistication of malware concentrating on Linux methods,” the researchers concluded.
