Elastic Security Labs researchers have identified a new multi-stage Linux rootkit, dubbed Pumakit. It pairs a loadable kernel module (LKM) with a userland shared object to hide its presence, escalate privileges, and maintain persistence on compromised systems.
Key Components and Architecture:
– Dropper (named ‘cron’)
– Memory-resident executables (staged and run from memory rather than written to disk)
– Kernel module rootkit
– Shared object (SO) userland rootkit (Kitsune SO)
Technical Capabilities:
1. Multi-Stage Infection Process:
– Executes payloads entirely from memory
– Deploys LKM rootkit module (‘puma.ko’)
– Implements Kitsune SO for userland operations
2. Advanced Stealth Features:
– Only activates on Linux kernels prior to version 5.7 (the LKM resolves kernel symbols through kallsyms_lookup_name(), which the kernel stopped exporting to modules in 5.7)
– Hooks 18 syscalls, plus several kernel functions, through the kernel's ftrace framework
– Hides processes, files, and network connections
– Hides its artifacts from common tools (ls, ps, netstat, top, htop, cat) by intercepting the syscalls those tools rely on rather than by modifying the binaries
3. Privilege Escalation:
– Hooks the kernel's credential functions prepare_creds and commit_creds
– Uses those hooks to hand root credentials to selected processes on request
– Maintains persistent access through kernel manipulation
4. Command and Control:
– Kitsune SO manages C2 communications
– Relays commands to LKM rootkit
– Transmits system information to operators
Detection and Mitigation:
Elastic Security has published file hashes and YARA rules for Pumakit's components so that system administrators can hunt for and block them. The malware primarily targets critical infrastructure and enterprise systems for espionage, financial theft, and disruption operations.
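Three of the stealth symptoms listed above can be triaged on a live host even without the published hashes or YARA rules: syscall entry points or credential helpers registered with ftrace, a loaded module unlinked from /proc/modules, and a process whose /proc/<pid> still resolves but is filtered out of a directory listing of /proc (what ps and top read). The script below is an added example written for this page, not Elastic's tooling and not code from the Pumakit samples; the tracefs path, the syscall symbol prefixes, the sample lines and the module name "rogue" in the comments are assumptions of the example.

```python
#!/usr/bin/env python3
"""Triage checks for ftrace-based LKM rootkits (added example, not Elastic's tooling).

Each check is a pure function over collected data so the logic can be exercised on
constructed input; the live_* helpers and main() gather the real data from a host.
Paths, symbol prefixes and sample data below are assumptions of this example.
"""
import os
import re

ENABLED_FUNCTIONS = "/sys/kernel/tracing/enabled_functions"  # older kernels: /sys/kernel/debug/tracing/
PROC_MODULES = "/proc/modules"
SYS_MODULE = "/sys/module"

# Syscall entry symbols (x86-64, ia32 compat, arm64, and the plain sys_ form on older
# kernels) plus the credential helpers a rootkit hooks to hand out root. Assumed prefixes.
SYSCALL_ENTRY = re.compile(r"^(__x64_sys_|__ia32_sys_|__arm64_sys_|__se_sys_|sys_)")
CRED_HELPERS = {"prepare_creds", "commit_creds"}


def suspicious_ftrace_hooks(enabled_functions_text: str) -> list[str]:
    """Symbols in enabled_functions that a rootkit would want hooked. Each line starts with
    the traced symbol, e.g. '__x64_sys_getdents64 (1) R I tramp: 0x... ->ftrace_ops_assist_func'.
    Legitimate tracers (kprobes, BPF, perf) register here too, so hits are leads, not proof;
    and a rootkit that filters reads of this file would simply leave it empty."""
    hits = []
    for line in enabled_functions_text.splitlines():
        parts = line.split()
        if parts and (SYSCALL_ENTRY.match(parts[0]) or parts[0] in CRED_HELPERS):
            hits.append(parts[0])
    return hits


def unlisted_modules(proc_modules_text: str, sysfs_loaded_modules: list[str]) -> list[str]:
    """Loadable modules visible in sysfs but absent from /proc/modules, the classic
    list_del() unlinking. Built-in code also gets /sys/module entries, so callers must pass
    only directories carrying 'initstate' (see live_sysfs_modules). A rootkit that also
    deletes its kobject evades this check."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.split()}
    return sorted(m for m in sysfs_loaded_modules if m not in listed)


def hidden_pids(listed_pids, tgid_of, pid_max: int) -> list[int]:
    """PIDs whose /proc/<pid> resolves by direct lookup but are missing from readdir(/proc).
    getdents-hooking rootkits filter the listing while path lookup keeps working. Threads
    are not listed by design, so only thread-group leaders (Tgid == pid) count; tgid_of(pid)
    returns the Tgid or None when the pid does not exist."""
    listed = set(listed_pids)
    found = []
    for pid in range(1, pid_max + 1):
        if pid not in listed and tgid_of(pid) == pid:
            found.append(pid)
    return found


def read_text(path: str) -> str:
    """Read a proc/sys file, returning '' when it is missing or not readable (needs root)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def live_tgid(pid: int):
    m = re.search(r"^Tgid:\s*(\d+)", read_text(f"/proc/{pid}/status"), re.M)
    return int(m.group(1)) if m else None


def live_sysfs_modules() -> list[str]:
    try:
        names = os.listdir(SYS_MODULE)
    except OSError:
        return []
    return [n for n in names if os.path.exists(os.path.join(SYS_MODULE, n, "initstate"))]


def main() -> None:
    hooks = suspicious_ftrace_hooks(read_text(ENABLED_FUNCTIONS))
    mods = unlisted_modules(read_text(PROC_MODULES), live_sysfs_modules())
    # Probing every pid up to pid_max (4194304 on 64-bit defaults) costs a few seconds of
    # failed open() calls; unlisted pids that do not exist fail fast with ENOENT.
    pid_max = int(read_text("/proc/sys/kernel/pid_max") or 32768)
    listed = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    pids = hidden_pids(listed, live_tgid, pid_max)
    for label, items in (("ftrace hooks", hooks), ("unlisted modules", mods), ("hidden pids", pids)):
        print(f"{label}: {items or 'none'}")


if __name__ == "__main__":
    main()
```

Run it as root so tracefs is readable. A hit in any of the three checks is a reason to image memory and pull the module from /sys/module/<name>/sections before rebooting, not a verdict on its own: kernel tracing tools produce the same ftrace entries, and the module and pid checks only catch rootkits that hide incompletely.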