Discovery and Capabilities

On December 13, 2024, researchers disclosed a Linux rootkit named PUMAKIT that can escalate privileges, hide files and directories, and evade detection by system tools. According to a report by Elastic Security Labs researchers Remco Sprooten and Ruben Groenewoud, PUMAKIT relies on advanced stealth mechanisms to conceal its presence and maintain communication with its command-and-control servers.

Technical Breakdown

Discovered through malware samples uploaded to VirusTotal in September 2024, PUMAKIT uses a multi-stage architecture consisting of:

- a dropper component named "cron"
- two memory-resident executables ("/memfd:tgt" and "/memfd:wpn")
- an LKM rootkit ("puma.ko")
- a shared-object userland rootkit, Kitsune ("lib64/libs.so")

The LKM rootkit uses Linux's internal function tracer (ftrace) to hook 18 syscalls and kernel functions, among them "prepare_creds" and "commit_creds", which lets it alter core system behavior such as credential handling.

Interaction and Deployment

Interaction with PUMAKIT relies on unusual methods, such as the rmdir() syscall for privilege escalation and custom commands for retrieving configuration and runtime information. Its staged deployment activates the rootkit only under specific conditions, such as the outcome of a secure boot check and the availability of the required kernel symbols; these are verified by scanning the running kernel, and all necessary files are embedded as ELF binaries within the dropper. The executable "/memfd:tgt" is the unmodified standard Ubuntu Linux cron binary, while "/memfd:wpn" acts as the rootkit loader once the conditions are met. The LKM rootkit carries an embedded SO file that enables interaction with the rootkit from user space; stealth is maintained by relying on memory-resident files and by performing these checks before activation.
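As an added example (not code from this page or from Elastic's report), the following Python script hunts for two observable artefacts the text describes: processes whose executable lives in an anonymous memfd, as "/memfd:tgt" and "/memfd:wpn" do, and ftrace hooks on "prepare_creds" and "commit_creds", read from the kernel's enabled_functions file in tracefs. The miniature /proc tree and the enabled_functions lines it builds for the demo are constructed sample data; the trampoline and hook symbol names in them are placeholders, not indicators taken from the malware.

```python
"""Hunt for two PUMAKIT-style artefacts on a Linux host:
 1. processes whose executable is an anonymous memfd, which /proc/<pid>/exe
    reports as "/memfd:<name> (deleted)";
 2. kernel functions currently hooked through ftrace, listed one per line in
    /sys/kernel/tracing/enabled_functions (first token is the symbol name).
Paths are parameters so the checks can run against a constructed tree."""
import os
import re
import tempfile
from pathlib import Path

MEMFD_RE = re.compile(r"^/memfd:(?P<name>[^ ]*)(?: \(deleted\))?$")

# Credential-handling symbols the Elastic write-up names as hooked by puma.ko.
CRED_SYMBOLS = {"prepare_creds", "commit_creds"}


def memfd_backed_processes(proc_root="/proc"):
    """Return sorted [(pid, memfd_name)] for processes whose exe link is a memfd."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():          # skip self/, sys/, etc.
            continue
        try:
            target = os.readlink(entry / "exe")
        except OSError:                        # kernel threads have no exe; other
            continue                           # users' pids raise EACCES without root
        m = MEMFD_RE.match(target)
        if m:
            hits.append((int(entry.name), m.group("name")))
    return sorted(hits)


def ftrace_hooked_functions(enabled_functions_path="/sys/kernel/tracing/enabled_functions"):
    """Parse enabled_functions and return the set of hooked kernel symbols.
    Hit counts, flags and trampoline addresses after the symbol are ignored."""
    try:
        text = Path(enabled_functions_path).read_text()
    except OSError:                            # tracefs not mounted, or not root
        return set()
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def suspicious_cred_hooks(hooked):
    """Return the credential symbols from CRED_SYMBOLS that are currently hooked."""
    return sorted(hooked & CRED_SYMBOLS)


def build_sample_tree(root):
    """Write a constructed miniature /proc and enabled_functions under `root`.
    Sample data for offline exercise only; symbol names in the trampoline
    column are placeholders, not real indicators."""
    proc = Path(root) / "proc"
    for pid, target in [(1, "/usr/sbin/cron"),
                        (4242, "/memfd:wpn (deleted)"),
                        (4243, "/memfd:tgt (deleted)")]:
        (proc / str(pid)).mkdir(parents=True)
        os.symlink(target, proc / str(pid) / "exe")
    (proc / "7").mkdir()       # kernel thread: no exe link at all
    (proc / "self").mkdir()    # non-numeric entry, must be ignored
    tracing = Path(root) / "tracing"
    tracing.mkdir()
    (tracing / "enabled_functions").write_text(
        "prepare_creds (1) R I\ttramp: 0xffffffffc0a2b000 (hook_a+0x0/0x40 [puma]) ->ftrace_ops_assist_func+0x0/0x110\n"
        "commit_creds (1) R I\ttramp: 0xffffffffc0a2b080 (hook_b+0x0/0x40 [puma]) ->ftrace_ops_assist_func+0x0/0x110\n"
        "tcp_v4_connect (1) R I\ttramp: 0xffffffffc0500000 (bpf_trampoline_1+0x0/0x1000) ->bpf_trampoline_1+0x0/0x1000\n"
    )
    return proc, tracing / "enabled_functions"


def demo():
    """Run both checks against the constructed tree; returns (memfd_hits, cred_hooks)."""
    with tempfile.TemporaryDirectory() as tmp:
        proc, enabled = build_sample_tree(tmp)
        return (memfd_backed_processes(proc),
                suspicious_cred_hooks(ftrace_hooked_functions(enabled)))


if __name__ == "__main__":
    # Against the live host (root is needed for other users' exe links and for tracefs).
    for pid, name in memfd_backed_processes():
        print(f"memfd-backed executable: pid {pid} -> /memfd:{name}")
    for sym in suspicious_cred_hooks(ftrace_hooked_functions()):
        print(f"ftrace hook on credential function: {sym}")
```

Both signals are triage leads, not verdicts: legitimate software occasionally executes from a memfd, and eBPF tooling also registers ftrace trampolines, so compare the hooked-symbol list against what the host is expected to run. Bear in mind too that a kernel rootkit which hooks file-read paths can filter its own entries out of /proc and tracefs, so a clean result from the compromised kernel is weaker evidence than the same checks run from a trusted boot or an offline image.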

While PUMAKIT's origins and any affiliation with a known threat actor remain unknown, its complexity and stealth, including syscall hooking and an unusual privilege escalation method, underscore the growing sophistication of threats targeting Linux environments.
