PUMAKIT LKM Rootkit: A New Threat Targeting Linux Systems
A new loadable kernel module (LKM) rootkit named PUMAKIT has been discovered, posing a significant threat to Linux systems. Unveiled by Elastic Security researchers during routine threat hunting on VirusTotal, this advanced malware boasts stealth and privilege escalation capabilities. PUMAKIT leverages a multi-stage deployment strategy, making it a sophisticated tool for attackers to compromise systems.
Multi-Stage Deployment
PUMAKIT’s infection begins with a tampered “cron” binary acting as a dropper. This binary masquerades as a legitimate system process, allowing the malware to evade initial detection. The dropper deploys two memory-resident executables:
/memfd:tgt: A benign cron binary.
/memfd:wpn: A rootkit loader tasked with executing additional payloads and preparing the system for rootkit installation.
The deployment process is finalized using a temporary script (“script.sh”) executed from the /tmp directory. This script loads the PUMA kernel rootkit module, embedding the Kitsune shared object (SO) to enable userland interactions. This layered approach ensures the malware’s persistence and stealth.
Advanced Features
The PUMA rootkit targets Linux kernels below version 5.7, abusing the now-deprecated kallsyms_lookup_name() function (the kernel stopped exporting it to modules in 5.7, which is why newer kernels fall outside the rootkit's scope). Key capabilities include:
Privilege Escalation: Modifying credentials using prepare_creds and commit_creds to grant root access.
Stealth Techniques: Hiding files, directories, and processes to evade detection by system tools.
Evasion Mechanisms: Implementing anti-debugging techniques and activating only under specific conditions, such as secure boot status and kernel symbol verification.
Command and Control (C2): Facilitating communication with remote servers for further exploitation.
The rootkit employs the kernel's internal function tracer (ftrace) to hook 18 syscalls and several kernel functions. This manipulation enables attackers to alter core system behaviors, execute commands, and conceal their presence.
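A defender's hunt for the two artefacts named above (the memfd-resident executables from the deployment stage and the sub-5.7 kernel requirement) can be scripted. The following is an added example written for this article, not code from Elastic or from the malware analysis; the memfd names "tgt"/"wpn" and the 5.7 threshold come from the text, while the sample process table is constructed for the demonstration.

```python
import os
import re
from typing import Dict, List, Tuple

# memfd names the dropper uses for its two in-memory executables (from the report).
SUSPICIOUS_MEMFD_NAMES = {"tgt", "wpn"}
# /proc/<pid>/exe for a memfd-backed process reads like "/memfd:name (deleted)".
MEMFD_RE = re.compile(r"^/memfd:(?P<name>[^ ]*)(?: \(deleted\))?$")


def classify_exe(exe_target: str) -> str:
    """Return 'memfd-known', 'memfd-other' or 'file' for one /proc/<pid>/exe target."""
    m = MEMFD_RE.match(exe_target)
    if not m:
        return "file"
    return "memfd-known" if m.group("name") in SUSPICIOUS_MEMFD_NAMES else "memfd-other"


def find_memfd_processes(proc_table: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Flag every process whose executable lives in an anonymous memfd, known names first."""
    hits = [(pid, t, classify_exe(t)) for pid, t in sorted(proc_table.items())]
    return [h for h in hits if h[2] != "file"]


def kernel_lacks_kallsyms_export(release: str) -> bool:
    """True when the running kernel is older than 5.7, the range the article says PUMA targets."""
    major, minor = (int(x) for x in release.split(".")[:2])
    return (major, minor) < (5, 7)


def read_live_proc_table() -> Dict[int, str]:
    """Collect pid -> readlink(/proc/<pid>/exe); empty where /proc is unavailable."""
    table: Dict[int, str] = {}
    if not os.path.isdir("/proc"):
        return table
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                table[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                continue  # kernel threads, or processes we lack permission to inspect
    return table


# Constructed sample process table, modelled on the artefacts the article names.
SAMPLE_PROC_TABLE = {
    1: "/usr/lib/systemd/systemd",
    412: "/usr/sbin/cron",
    4120: "/memfd:tgt (deleted)",
    4121: "/memfd:wpn (deleted)",
    5000: "/memfd:jit-cache (deleted)",  # benign-looking memfd, still worth a look
}

if __name__ == "__main__":
    print("kernel in targeted range:", kernel_lacks_kallsyms_export(os.uname().release))
    for pid, target, verdict in find_memfd_processes(read_live_proc_table() or SAMPLE_PROC_TABLE):
        print(f"pid {pid}: {target} [{verdict}]")
```

A "memfd-other" hit is not proof of compromise (JIT runtimes and some package managers use memfd legitimately), so treat it as a lead to triage alongside the kernel-version result.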
Timeline and Attribution
Elastic Security traced PUMAKIT’s deployment to September 4, 2024, when the malicious “cron” binary was uploaded to VirusTotal. The sophisticated nature of this malware suggests its use by advanced persistent threat (APT) groups targeting critical systems.
Conclusion
PUMAKIT highlights the evolving threat landscape for Linux systems. Its advanced features and multi-stage deployment underscore the importance of robust security measures, including updating systems to newer kernel versions and monitoring for unusual system activity. Organizations must remain vigilant to counter this and similar threats effectively.