Researchers at Elastic Security Labs have identified a sophisticated Linux rootkit named PUMAKIT, built to evade detection while keeping persistent control of the compromised host. The malware was discovered through artifacts uploaded to VirusTotal in September 2024.
PUMAKIT’s Architecture and Components:
– Dropper component (“cron”)
– Two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), created with memfd_create() so they never touch disk
– LKM rootkit (“puma.ko”)
– Userland rootkit Kitsune (“lib64/libs.so”)
Key Features:
– Privilege escalation triggered through the hooked rmdir() syscall
– File and directory concealment
– Self-hiding capabilities
– Command-and-control server communication
– Hooks 18 different system calls
– Hooks and manipulates several core kernel functions
The rootkit uses a multi-stage deployment process and only activates when specific conditions are met: the loader checks, among other things, whether Secure Boot is enabled (which would block loading an unsigned kernel module) and whether the kernel symbols it depends on are available. Instead of overwriting syscall table entries, it hooks syscall handlers and other kernel functions through the kernel's own function tracer (ftrace), so the syscall table itself looks untouched, and it keeps its loader and payload in memory-resident memfd files rather than on disk.
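Two of the behaviours above leave traces a defender can look for: ftrace hooks are listed in tracefs (enabled_functions), and a process running from a memfd shows a /memfd: target on its /proc/PID/exe link. The script below is an added illustration of those two checks, written for this article; it is not Elastic's tooling and not code from PUMAKIT. The enabled_functions lines and the /proc exe targets embedded in it are constructed samples that mimic the file formats, and the pid numbers and the prepare_creds entry are made up for the example.

```python
"""Hunt for two PUMAKIT-style artifacts on a Linux host (added example):
 1. kernel functions, especially syscall handlers, that currently carry an
    ftrace hook, as listed in tracefs' enabled_functions;
 2. running processes whose executable exists only in an anonymous memfd
    (/proc/<pid>/exe resolves to "/memfd:<name> (deleted)").
"""
import os
import re

# Each enabled_functions line starts with "<symbol> (<refcount>)"; the rest of
# the line varies between kernel versions, so only the leading fields are parsed.
_ENABLED_RE = re.compile(r"^(?P<sym>\S+)\s+\((?P<count>\d+)\)")

# Syscall entry-point symbol prefixes on x86-64 (native and compat) and arm64.
_SYSCALL_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_", "sys_")

TRACEFS_CANDIDATES = (
    "/sys/kernel/tracing/enabled_functions",
    "/sys/kernel/debug/tracing/enabled_functions",
)


def parse_enabled_functions(text: str) -> dict:
    """Map each hooked symbol to the number of ftrace_ops attached to it."""
    hooked = {}
    for line in text.splitlines():
        m = _ENABLED_RE.match(line.strip())
        if m:
            hooked[m.group("sym")] = int(m.group("count"))
    return hooked


def hooked_syscalls(hooked: dict) -> list:
    """Return the hooked symbols that are syscall handlers, sorted by name.
    On a host with no tracing, kprobes/BPF or livepatch active this list is
    empty, so any entry deserves a look; it is an indicator, not proof."""
    return sorted(s for s in hooked if s.startswith(_SYSCALL_PREFIXES))


def memfd_processes(exe_targets: dict) -> list:
    """Given pid -> readlink(/proc/<pid>/exe), return those backed by a memfd."""
    return sorted((pid, t) for pid, t in exe_targets.items() if t.startswith("/memfd:"))


def collect_exe_targets(proc: str = "/proc") -> dict:
    """Read every /proc/<pid>/exe link; needs root to see other users' pids."""
    targets = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            targets[int(entry)] = os.readlink(f"{proc}/{entry}/exe")
        except OSError:  # kernel threads, vanished pids, insufficient privilege
            continue
    return targets


# Constructed sample: what enabled_functions could look like with a module
# hooking three syscall handlers plus one unrelated kernel function.
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_rmdir (1) R I  tramp: 0xffffffffc0a8e000 (ftrace_regs_caller+0x0/0xd1) ->ftrace_ops_assist_func+0x0/0x250
__x64_sys_getdents64 (1) R I  tramp: 0xffffffffc0a8f000 (ftrace_regs_caller+0x0/0xd1) ->ftrace_ops_assist_func+0x0/0x250
__x64_sys_kill (1) R I  tramp: 0xffffffffc0a90000 (ftrace_regs_caller+0x0/0xd1) ->ftrace_ops_assist_func+0x0/0x250
prepare_creds (1) R I  tramp: 0xffffffffc0a91000 (ftrace_regs_caller+0x0/0xd1) ->ftrace_ops_assist_func+0x0/0x250
"""

# Constructed sample of /proc/<pid>/exe link targets (pids are made up).
SAMPLE_EXE_TARGETS = {
    1: "/usr/lib/systemd/systemd",
    900: "/usr/sbin/cron",
    4242: "/memfd:tgt (deleted)",
    4243: "/memfd:wpn (deleted)",
}


def main() -> None:
    # Prefer the live tracefs file; fall back to the constructed sample when
    # tracefs is absent or unreadable (e.g. not running as root).
    text = None
    for path in TRACEFS_CANDIDATES:
        try:
            with open(path) as fh:
                text = fh.read()
            break
        except OSError:
            continue
    if text is None:
        print("tracefs unreadable, using constructed sample")
        text = SAMPLE_ENABLED_FUNCTIONS
    for sym in hooked_syscalls(parse_enabled_functions(text)):
        print(f"ftrace hook on syscall handler: {sym}")

    targets = collect_exe_targets() if os.path.isdir("/proc") else SAMPLE_EXE_TARGETS
    for pid, target in memfd_processes(targets):
        print(f"pid {pid} runs from memfd: {target}")


if __name__ == "__main__":
    main()
```

Run it as root so that every /proc/PID/exe link is readable. Both checks read through kernel interfaces a rootkit with 18 syscall hooks and hidden-file capabilities may itself be filtering, so a clean result on a live system is weaker evidence than the same checks run from a forensic image or a trusted boot environment.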
PUMAKIT has not been attributed to any specific threat actor. Its layered architecture and evasion techniques nonetheless mark a significant step up in the sophistication of malware targeting Linux systems.