A newly discovered Linux rootkit, PUMAKIT, has various capabilities that could significantly benefit threat actors.
According to reports, the new Linux rootkit has confirmed features such as elevating privileges, concealing files and directories, and hiding from system tools while bypassing detection.
Researchers explained that the new tool is a sophisticated loadable kernel module (LKM) rootkit that uses advanced stealth mechanisms to conceal its presence while communicating with C2 servers.
The PUMAKIT capabilities were uncovered by studying the artefacts published on a detection platform.
Investigation of the PUMAKIT malware’s internals revealed a multi-stage design that includes a dropper component named “cron,” two memory-resident executables, an LKM rootkit, and a shared object (SO) userland rootkit dubbed Kitsune.
In addition, it uses the internal Linux function tracer to intercept up to 18 distinct system calls and kernel functions to modify core system behaviours and achieve its objectives.
The researchers also noted that the malware uses unique methods to interface with the PUMA kernel module, including the rmdir() syscall for privilege escalation and specific commands for obtaining configuration and runtime information.
Furthermore, the LKM rootkit’s staged deployment ensures that it only initiates after a specific set of checks passes, such as secure boot checks or kernel symbol availability. These conditions are verified by scanning the Linux kernel, and all required files are embedded as ELF binaries in the dropper.
Also, the executable “/memfd:tgt” is the default Ubuntu Linux cron binary without any modifications, whereas “/memfd:wpn” is the rootkit loader, run only if the checks pass. The LKM rootkit, for its part, includes an embedded SO file that is used to communicate with the rootkit in userspace.
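The two in-band checks a defender can run against the behaviours described above (memory-resident executables launched from memfd, and kernel functions hooked through the internal function tracer) are shown below as an added example; this is not code from the original report or from the malware. The sample /proc link targets and the enabled_functions lines are constructed, and the watched function names are an assumption based on the article’s mention of rmdir() and file hiding.

```python
import os

# Constructed sample of /proc/<pid>/exe link targets (not from a real host),
# mirroring the two memory-resident executables the article names.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    845: "/usr/sbin/cron",
    1312: "/memfd:tgt (deleted)",
    1313: "/memfd:wpn (deleted)",
}

# Constructed, hypothetical lines in the shape of tracefs' enabled_functions,
# which lists every kernel function that currently has an ftrace ops attached.
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_rmdir (1) R I\ttramp: 0xffffffffc0a0c000 ->ftrace_ops_assist_func+0x0/0x110
filldir64 (1) R I\ttramp: 0xffffffffc0a0c000 ->ftrace_ops_assist_func+0x0/0x110
"""

# Assumed watch list: rmdir() (the article's escalation interface) and directory-listing paths.
WATCHED = ("sys_rmdir", "filldir", "getdents")

def flag_memfd_processes(exe_links):
    """Return {pid: target} for processes executing from an anonymous memfd;
    little legitimate software runs this way, so each hit merits triage."""
    return {pid: t for pid, t in exe_links.items() if t.startswith("/memfd:")}

def parse_enabled_functions(text, watch=WATCHED):
    """Return [(function_name, is_watched)] per hooked kernel function. On a host
    without live patching or tracing tools, any entry at all needs explaining."""
    hooked = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            hooked.append((fields[0], any(w in fields[0] for w in watch)))
    return hooked

def read_live_exe_links(proc="/proc"):
    """Collect real /proc/<pid>/exe targets (root needed for other users' PIDs)."""
    links = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            links[int(entry)] = os.readlink(f"{proc}/{entry}/exe")
        except OSError:  # process exited, or permission denied
            pass
    return links

if __name__ == "__main__":
    print("memfd-backed processes:", flag_memfd_processes(read_live_exe_links()))
```

Feed parse_enabled_functions() the contents of /sys/kernel/tracing/enabled_functions on a live host; because the article describes the rootkit hiding from system tools, treat a clean result from an in-band check as weak evidence and corroborate from outside the host (network telemetry, offline disk or memory images).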
Researchers stated that each level of the infection chain is meant to hide the malware’s presence, making use of memory-resident files and specific checks before launching the rootkit. As of now, PUMAKIT is not linked to any known threat actor or group.
This newly discovered Linux malware is a sophisticated and elusive payload that employs advanced techniques. The researchers found that its multi-stage architecture reflects the increasing sophistication of malware development targeting Linux devices.
Security providers should also strengthen their defences to counter these increasingly sophisticated threats.
