Monday, March 10, 2025

New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection

Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that includes capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while at the same time evading detection.

“PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers,” Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud said in a technical report published Thursday.

The company’s analysis stems from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.

The malware’s internals are based on a multi-stage architecture that comprises a dropper component named “cron,” two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma.ko”), and a shared object (SO) userland rootkit called Kitsune (“lib64/libs.so”).

It also makes use of the internal Linux function tracer (ftrace) to hook into as many as 18 different system calls and various kernel functions such as “prepare_creds” and “commit_creds” (the kernel routines that allocate and install a task’s credentials) to alter core system behaviors and achieve its goals.

“Unique methods are used to interact with PUMA, including the use of the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information,” the researchers said.

“Through its staged deployment, the LKM rootkit ensures it only activates when specific conditions, such as secure boot checks or kernel image availability, are met. These conditions are verified by scanning the Linux kernel, and all necessary files are embedded as ELF binaries within the dropper.”

The “/memfd:tgt” executable is the default Ubuntu Linux cron binary without any modifications, whereas “/memfd:wpn” is a loader for the rootkit, assuming the conditions are satisfied. The LKM rootkit, for its part, contains an embedded SO file that is used to interact with the rootkit from userspace.
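The artifacts listed above (ftrace callbacks on “prepare_creds”, “commit_creds” and syscall entries, a kernel module that hides itself from module listings, and executables that live only in memfd files) each leave a trace a responder can look for. The script below is an added example written for this page, not code from Elastic’s report or from the PUMAKIT samples; it runs three such checks over constructed sample data so it works offline. The line layout assumed for enabled_functions, the callback name “hook_cb”, the module name “puma” in the /sys/module listing, and the PIDs and paths are all constructed for the demonstration.

```python
import re

# Kernel credential routines the article says PUMAKIT hooks through ftrace.
SENSITIVE_KFUNCS = {"prepare_creds", "commit_creds"}
# Syscall entry-point prefixes (assumption: x86_64 and arm64 naming).
SYSCALL_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_")

# Constructed sample in the approximate shape of
# /sys/kernel/tracing/enabled_functions: "<func> (<callback count>) ...".
# The "hook_cb" callback name is hypothetical.
SAMPLE_ENABLED_FUNCTIONS = """\
prepare_creds (1) R I tramp: 0xffffffffc0a05000 ->hook_cb+0x0/0x40
commit_creds (1) R I tramp: 0xffffffffc0a05000 ->hook_cb+0x0/0x40
__x64_sys_rmdir (1) R I tramp: 0xffffffffc0a05000 ->hook_cb+0x0/0x40
schedule (1) R I tramp: 0xffffffffc0b00000 ->trace_sched_cb+0x0/0x20
"""

# Constructed sample in /proc/modules format: name size refcount deps state addr.
SAMPLE_PROC_MODULES = """\
ext4 745472 2 - Live 0xffffffffc05a0000
xt_conntrack 16384 1 - Live 0xffffffffc0480000
"""
# Constructed listing of /sys/module entries that carry an "initstate" file
# (loadable modules; built-in modules have no initstate).
SAMPLE_SYS_MODULE = ["ext4", "puma", "xt_conntrack"]

# Constructed readlink("/proc/<pid>/exe") results.
SAMPLE_EXE_LINKS = {
    1234: "/usr/sbin/cron",
    1301: "/memfd:tgt (deleted)",
    1302: "/memfd:wpn (deleted)",
    1400: "/usr/bin/python3",
}


def ftrace_hooked_sensitive(enabled_functions: str) -> list[str]:
    """Return credential functions and syscall entry points that have at
    least one ftrace callback attached, parsed from enabled_functions text."""
    hits = []
    for line in enabled_functions.splitlines():
        m = re.match(r"^(\S+)\s+\((\d+)\)", line)
        if not m or int(m.group(2)) == 0:
            continue
        name = m.group(1)
        if name in SENSITIVE_KFUNCS or name.startswith(SYSCALL_PREFIXES):
            hits.append(name)
    return sorted(hits)


def hidden_modules(proc_modules: str, sys_module_names: list[str]) -> list[str]:
    """Modules present under /sys/module but missing from /proc/modules,
    the classic sign of an LKM that unlinked itself from the module list."""
    listed = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return sorted(set(sys_module_names) - listed)


def memfd_backed_processes(exe_links: dict[int, str]) -> list[int]:
    """PIDs whose executable is an anonymous memfd rather than a file on disk."""
    return sorted(pid for pid, target in exe_links.items() if target.startswith("/memfd:"))


def run_checks() -> dict[str, list]:
    """Run all three checks over the constructed samples."""
    return {
        "ftrace_hooks": ftrace_hooked_sensitive(SAMPLE_ENABLED_FUNCTIONS),
        "hidden_modules": hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE),
        "memfd_procs": memfd_backed_processes(SAMPLE_EXE_LINKS),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

On a live host the samples would be replaced by the contents of /proc/modules, the /sys/module entries that have an initstate file, the text of /sys/kernel/tracing/enabled_functions (which needs tracefs mounted and root), and os.readlink on each /proc/<pid>/exe. One caveat matters more than the checks themselves: a rootkit that hooks the syscalls these reads go through can filter what they return, so a clean result on a suspect host is weak evidence, and the findings should be corroborated from outside the booted kernel (a memory image, the disk mounted offline, or a measured boot chain).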

Elastic noted that every stage of the infection chain is designed to conceal the malware’s presence, relying on memory-resident files and specific checks before unleashing the rootkit. PUMAKIT has not been attributed to any known threat actor or group.

“PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods. Its multi-architectural design highlights the growing sophistication of malware targeting Linux systems,” the researchers concluded.
