Pumakit: A Stealthy Linux Rootkit Targeting Pre-5.7 Kernels | Black Hat Ethical Hacking



Pumakit: A New Linux Rootkit with Advanced Stealth and Privilege Escalation

A newly identified Linux rootkit malware, named Pumakit, has been discovered leveraging stealthy techniques and advanced privilege escalation methods to evade detection and compromise systems. This sophisticated malware consists of multiple components, including a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit.

Discovery and Attribution

Elastic Security identified Pumakit from a suspicious binary named ‘cron’ uploaded to VirusTotal on September 4, 2024. While details about its deployment or specific targets remain unclear, such tools are commonly used by advanced threat actors aiming at critical infrastructure and enterprise systems for espionage, financial theft, and operational disruption.

The Pumakit Malware Architecture

Multi-Stage Infection Process

  1. Dropper Execution: The infection begins with the execution of a dropper called ‘cron,’ which runs embedded payloads (‘/memfd:tgt’ and ‘/memfd:wpn’) entirely from memory.

  2. Kernel Module Deployment: The ‘/memfd:wpn’ payload conducts environment checks and kernel image manipulation before deploying the LKM rootkit module (‘puma.ko’) into the system kernel.

  3. Userland Rootkit Injection: The LKM rootkit embeds the Kitsune SO (‘lib64/libs.so’) userland rootkit. Kitsune uses the LD_PRELOAD mechanism to intercept and manipulate system calls at the user level.

Pumakit infection chain
Source: Elastic Security
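The three stages above each leave a host-visible trace: a process whose executable lives in an anonymous memfd, a kernel module name in /proc/modules, and a userland preload entry. The triage script below is an added example (not Elastic's analysis tooling or the malware's code); its checks run over constructed snapshots that mirror the article's indicators, and `live_snapshot()` is an assumed helper that collects the same data from a real Linux /proc.

```python
import os
from typing import Dict, List

# Constructed sample inputs shaped like the indicators named in the article.
SAMPLE_EXE_LINKS = {
    1234: "/memfd:tgt (deleted)",   # memory-resident payload from the dropper
    1235: "/memfd:wpn (deleted)",   # loader stage that deploys the LKM
    2001: "/usr/bin/bash",          # ordinary process, should not match
}
SAMPLE_MODULES = "ext4 700000 1 - Live 0x0000\npuma 16384 0 - Live 0x0000 (OE)\n"
SAMPLE_PRELOAD = "# system preload file\n/lib64/libs.so\n"


def memfd_processes(exe_links: Dict[int, str]) -> List[int]:
    """PIDs whose /proc/PID/exe target is an anonymous memfd (fileless execution)."""
    return sorted(pid for pid, target in exe_links.items() if target.startswith("/memfd:"))


def suspicious_modules(proc_modules: str, watch=("puma",)) -> List[str]:
    """Loaded module names (first column of /proc/modules) that are on a watch list."""
    loaded = [line.split()[0] for line in proc_modules.splitlines() if line.strip()]
    return [name for name in loaded if name in watch]


def preload_entries(ld_so_preload: str) -> List[str]:
    """Active entries in /etc/ld.so.preload; on most hosts this file is empty or absent."""
    return [ln.strip() for ln in ld_so_preload.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def live_snapshot() -> dict:
    """Collect the same three inputs from the running host (Linux only, root helps)."""
    exe_links = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                exe_links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                continue  # short-lived or inaccessible process
    modules = open("/proc/modules").read() if os.path.exists("/proc/modules") else ""
    preload = open("/etc/ld.so.preload").read() if os.path.exists("/etc/ld.so.preload") else ""
    return {"memfd": memfd_processes(exe_links),
            "modules": suspicious_modules(modules),
            "preload": preload_entries(preload)}


if __name__ == "__main__":
    for key, hits in live_snapshot().items():
        print(f"{key}: {hits if hits else 'none'}")
```

A memfd-backed process, a watched module name, or any preload entry is a lead for investigation, not proof of infection; confirm by examining the process memory, the module's exported symbols and the preloaded library itself.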



