Home Security New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection

New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection

by


Dec 13, 2024Ravie LakshmananLinux / Threat Analysis

Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection.

“PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers,” Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud said in a technical report published Thursday.

The company’s analysis comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.

Cybersecurity

The internals of the malware is based on a multi-stage architecture that comprises a dropper component named “cron,” two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma.ko”), and a shared object (SO) userland rootkit called Kitsune (“lib64/libs.so”).

It also uses the internal Linux function tracer (ftrace) to hook into as many as 18 different system calls and various kernel functions such as “prepare_creds,” and “commit_creds” to alter core system behaviors and accomplish its goals.

Linux Rootkit PUMAKIT

“Unique methods are used to interact with PUMA, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information,” the researchers said.

“Through its staged deployment, the LKM rootkit ensures it only activates when specific conditions, such as secure boot checks or kernel symbol availability, are met. These conditions are verified by scanning the Linux kernel, and all necessary files are embedded as ELF binaries within the dropper.”

The executable “/memfd:tgt” is the default Ubuntu Linux Cron binary sans any modifications, whereas “/memfd:wpn” is a loader for the rootkit assuming the conditions are satisfied. The LKM rootkit, for its part, contains an embedded SO file that’s used to interact with the rookie from userspace.

Cybersecurity

Elastic noted that every stage of the infection chain is designed to hide the malware’s presence and take advantage of memory-resident files and specific checks prior to unleashing the rootkit. PUMAKIT has not been attributed to any known threat actor or group.

“PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods. Its multi-architectural design highlights the growing sophistication of malware targeting Linux systems,” the researchers concluded.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex