Security researchers have uncovered a new Linux rootkit named PUMAKIT, featuring capabilities such as privilege escalation, file and directory hiding, and self-concealment from system tools to avoid detection.
According to a report from Elastic Security Lab, PUMAKIT is an advanced Loadable Kernel Module (LKM) rootkit that leverages modern stealth mechanisms to maintain persistent connections with Command-and-Control (C2) servers. This discovery is based on malicious samples uploaded to VirusTotal in September 2024.
PUMAKIT is built on a multi-layered architecture, including the following components:
- Dropper: Named “cron,” this serves as the starting point for deploying the rootkit.
- Two memory-resident executables: /memfd:tgt (Ubuntu’s default cron file) and /memfd:wpn (the rootkit loader).
- LKM rootkit: A file named puma.ko containing the malicious code that interacts with the kernel.
- Userland rootkit: A shared object (SO) file named Kitsune (lib64/libs.so), designed to perform rootkit activities from user space.
Each stage of the infection chain is engineered to obfuscate the presence of malicious code. PUMAKIT uses memory-resident files to avoid direct disk storage, and it employs strict checks before activating the rootkit.
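Because the report describes both memory-resident executables as running from memfd rather than from a file on disk, one practical hunt on a suspect host is to enumerate /proc/<pid>/exe symlinks and flag any process whose main executable lives in a memfd. The following script is an added example written for this page, not code from Elastic's report or from the rootkit; the sample link targets are constructed, and the memfd names tgt and wpn are the ones named above.

```python
import os
import re

# Constructed sample input: pid -> what os.readlink("/proc/<pid>/exe") returns.
# A process started from a memfd shows up as "/memfd:<name> (deleted)".
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    842: "/usr/sbin/cron",
    1337: "/memfd:tgt (deleted)",
    1338: "/memfd:wpn (deleted)",
    2001: "/usr/bin/bash",
}

# memfd names mentioned in the report; any memfd-backed executable is suspicious,
# but these two deserve extra attention.
KNOWN_MEMFD_NAMES = {"tgt", "wpn"}

MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def find_memfd_executables(exe_links):
    """Return a sorted list of (pid, memfd name) for processes whose
    main executable is backed by a memfd rather than a file on disk."""
    hits = []
    for pid, target in sorted(exe_links.items()):
        match = MEMFD_RE.match(target)
        if match:
            hits.append((pid, match.group("name")))
    return hits


def classify(hits):
    """Split hits into those matching names from the report and the rest."""
    known = [h for h in hits if h[1] in KNOWN_MEMFD_NAMES]
    other = [h for h in hits if h[1] not in KNOWN_MEMFD_NAMES]
    return known, other


def read_proc_exe_links(proc="/proc"):
    """Live collection: readlink /proc/<pid>/exe for every numeric entry.
    Kernel threads, processes that exited mid-scan, and processes we lack
    privileges to inspect are skipped (run as root for full coverage)."""
    links = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            continue
    return links


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live system if /proc exists.
    for label, links in (("sample", SAMPLE_EXE_LINKS),
                         ("live", read_proc_exe_links() if os.path.isdir("/proc") else {})):
        known, other = classify(find_memfd_executables(links))
        print(f"[{label}] memfd executables matching report names: {known}")
        print(f"[{label}] other memfd executables: {other}")
```

A hit only means the process was executed from an anonymous memory file, which some legitimate software also does, so treat the output as a lead for further inspection rather than a verdict; an LKM rootkit that hides processes can also keep its own PIDs out of /proc, so an empty result does not prove a clean host.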
One notable technique involves the use of the rmdir() system call for privilege escalation, along with specialized commands to extract configuration details or runtime information.
So far, there is no evidence linking PUMAKIT to any specific hacker group or threat actor. However, researchers emphasize that this rootkit represents a highly sophisticated and complex threat, posing significant risks to Linux systems.
Source: The Hacker News