New Linux Rootkit Pumakit Employs Advanced Stealth Techniques to Evade Detection

Cybersecurity researchers have uncovered a sophisticated Linux rootkit named Pumakit that leverages advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers while executing complex system manipulation techniques.

Elastic Security Lab researchers discovered the rootkit in a suspicious binary upload on VirusTotal, revealing a multi-component malware set that includes a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit.

The Pumakit employs a complex multi-stage infection process, beginning with a dropper named 'cron' that executes embedded payloads entirely from memory. The '/memfd:wpn' payload performs intricate environment checks and kernel image manipulation, ultimately deploying the LKM rootkit module ('puma.ko') into the system kernel.

PUMAKIT infection chain

A critical component of Pumakit is its sophisticated privilege escalation mechanism. The rootkit utilizes the 'kallsyms_lookup_name()' function to manipulate system behavior, specifically targeting Linux kernels before version 5.7. By hooking 18 syscalls and multiple kernel functions using ftrace, the malware can gain root privileges, execute commands, and hide processes effectively.

The kernel module demonstrates remarkable stealth capabilities, including the ability to hide its presence from kernel logs, system tools, and antivirus software. It can conceal specific files in directories and objects from process lists, and even reinitialize its hooks if interrupted, ensuring persistent malicious modifications.

Complementing the kernel-level rootkit is Kitsune, a userland rootkit that extends the malware's control mechanisms. It intercepts user-level system calls, altering the behavior of common tools like ls, ps, and netstat to hide files, processes, and network connections associated with the rootkit.

The researchers noted that Pumakit follows a conditional activation strategy, checking for specific kernel symbols and secure boot status before loading. This careful approach demonstrates the sophisticated design of the malware, which appears targeted at older Linux system versions.

Elastic Security has published a YARA rule to help Linux system administrators detect Pumakit attacks, emphasizing the importance of vigilance against such advanced threats. The discovery highlights the growing sophistication of malware targeting Linux systems, with increasingly complex techniques to evade detection and maintain persistent access.

While the researchers have not attributed Pumakit to any specific threat actor, the malware's advanced capabilities suggest a highly skilled and methodical approach to system compromise. System administrators and security professionals are advised to remain alert and implement robust security measures to protect against such sophisticated rootkit attacks.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: Here are the 5 most contextually relevant blog posts: