Stealthy Linux Rootkit PUMAKIT Unleashes Advanced Arsenal to Dodge Security Defenses

New Linux Rootkit PUMAKIT Discovered with Advanced Stealth Capabilities

Security researchers at Elastic Security Lab have identified a sophisticated Linux rootkit named PUMAKIT, featuring advanced capabilities to evade detection while maintaining system control. The malware was discovered through artifacts uploaded to VirusTotal in September 2023.

PUMAKIT’s Architecture and Components:
– Dropper component (“cron”)
– Two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”)
– LKM rootkit (“puma.ko”)
– Userland rootkit Kitsune (“lib64/libs.so”)

Key Features:
– Privilege escalation using rmdir() syscall
– File and directory concealment
– Self-hiding capabilities
– Command-and-control server communication
– Hooks into 18 different system calls
– Manipulation of kernel functions

The rootkit employs a sophisticated multi-stage deployment process, activating only when specific conditions are met, including secure boot checks and kernel symbol availability. It utilizes the Linux function tracer (ftrace) to modify core system behaviors and maintains stealth through memory-resident files.
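As an added example (not code from the Elastic report or from the malware itself), the following Python hunt flags processes whose executable lives in a memfd-backed file, the technique behind PUMAKIT's "/memfd:tgt" and "/memfd:wpn" stages. It assumes a Linux host with a readable /proc; a legitimate process running from memfd is rare enough that each hit deserves a look.

```python
"""Hunt for processes executing from memfd-backed files (e.g. "/memfd:tgt").

A binary created with memfd_create() never touches disk, so file-based
scanners miss it, but the kernel still exposes it as the target of
/proc/<pid>/exe, typically as "/memfd:<name> (deleted)".
Assumption: Linux with a readable /proc (root sees every process).
"""
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Matches "/memfd:tgt", "/memfd:wpn (deleted)", etc. and captures the name.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>[^ ]*)(?: \(deleted\))?$")


def classify_exe_target(target: str) -> Optional[str]:
    """Return the memfd name if an exe link target is memfd-backed, else None."""
    m = MEMFD_RE.match(target)
    return m.group("name") if m else None


def find_memfd_processes(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Return (pid, memfd_name, comm) for every process running from a memfd."""
    hits: List[Tuple[int, str, str]] = []
    root = Path(proc_root)
    if not root.is_dir():
        return hits  # not Linux, or /proc not mounted
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            target = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel thread, zombie, or permission denied
        name = classify_exe_target(target)
        if name is None:
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            comm = "?"
        hits.append((int(entry.name), name, comm))
    return hits


if __name__ == "__main__":
    for pid, name, comm in find_memfd_processes():
        print(f"pid {pid} ({comm}) executes from /memfd:{name}")
```

A userland hook such as Kitsune can lie to a hooked process about /proc, so run the check from a statically linked binary or compare results against an off-host memory image when the output looks too clean.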

While PUMAKIT demonstrates increasing sophistication in Linux-targeted malware, it has not been attributed to any specific threat actor. Its complex architecture and advanced evasion techniques represent a significant evolution in Linux system threats.
