Stealth, Persistence, and Privilege Escalation: A Sophisticated PUMAKIT Linux Malware
Elastic Security Labs has uncovered “PUMAKIT,” a sophisticated multi-stage malware targeting Linux systems. Initially discovered during routine threat hunting on VirusTotal, PUMAKIT exemplifies cutting-edge techniques in stealth, persistence, and privilege escalation.
The malware was first identified in a binary named cron, uploaded to VirusTotal on September 4, 2024, with zero detections. Elastic’s deeper investigation revealed an elaborate architecture comprising:
- A dropper (cron).
- Memory-resident executables (memfd:tgt and memfd:wpn).
- An LKM (Loadable Kernel Module) rootkit.
- A shared object (SO) rootkit referred to as “Kitsune.”
Elastic notes: “Each stage of the process is meticulously crafted to hide its presence, leveraging memory-resident files and precise checks on the target environment.”
PUMAKIT’s most alarming functionalities include:
- Privilege Escalation: Employs unconventional methods, such as using the rmdir() syscall for escalating privileges and interacting with the rootkit.
- Stealth and Persistence: Hooks 18 syscalls using the ftrace() mechanism, concealing files, directories, and itself from system tools.
- Environment-Aware Activation: Ensures activation only under specific conditions, such as secure boot checks or kernel symbol availability.
Elastic Security Labs highlights the LKM rootkit’s advanced hooking capabilities: “By leveraging ftrace(), the rootkit effectively intercepts syscalls and replaces their handlers with custom hooks.”
The infection process is staged and intricate:
- Dropper Execution: The cron binary embeds and runs payloads entirely in memory, avoiding disk traces. Elastic remarks: “The choice of execveat() furthers the fileless nature of this malware’s execution.”
- Memory-Resident Payloads: The benign tgt binary acts as a decoy, while wpn evaluates system conditions and deploys the LKM rootkit.
- LKM Rootkit Deployment: Hooks syscalls like rmdir() and getdents64() to manipulate system behaviors, conceal its presence, and escalate privileges.
One of PUMAKIT’s standout features is its interaction model. The rootkit leverages rmdir() to execute commands, retrieve configurations, and escalate privileges. For example, running the command rmdir zarya.0 makes the rootkit modify the calling process’s credentials, granting it root privileges.
Elastic has devised detection strategies leveraging YARA signatures and custom queries. Key indicators include:
- Processes starting with executable stacks.
- Memory-resident files like memfd:tgt.
- Syscall manipulations detected through ftrace hooks.
Elastic underscores the importance of proactive monitoring: “We can also detect the rootkits’ method of elevating privileges by analyzing the rmdir command for unusual UID/GID changes.”
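The first two indicators listed above can be checked from /proc on a live host. The following is an added example, not Elastic’s own detection rules; the sample exe links and maps contents are constructed for illustration, and it flags processes whose main executable is a memfd-backed file or whose stack mapping carries execute permission:

```python
import os
import re

# Constructed samples of readlink(/proc/<pid>/exe) and /proc/<pid>/maps text.
SAMPLE_PROCS = {
    101: {"exe": "/usr/sbin/cron",
          "maps": "7ffe1a000000-7ffe1a021000 rw-p 00000000 00:00 0 [stack]\n"},
    102: {"exe": "/memfd:tgt (deleted)",  # main executable exists only in memory
          "maps": "7ffe2b000000-7ffe2b021000 rwxp 00000000 00:00 0 [stack]\n"},
    103: {"exe": "/usr/bin/bash",
          "maps": "7f00aa000000-7f00aa005000 r-xp 00000000 00:2a 17 /memfd:wpn (deleted)\n"
                  "7ffe3c000000-7ffe3c021000 rw-p 00000000 00:00 0 [stack]\n"},
}

# /proc/<pid>/maps fields: address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^\S+\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$")

def find_indicators(exe_target: str, maps_text: str) -> list:
    """Return the sorted indicator names triggered by one process."""
    hits = set()
    if exe_target.startswith("/memfd:"):
        hits.add("memfd_exe")          # process image never touched disk
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path")
        if path == "[stack]" and "x" in perms:
            hits.add("exec_stack")     # stack mapped with execute permission
        if path.startswith("/memfd:") and "x" in perms:
            hits.add("memfd_exec_map") # executable code mapped from a memfd
    return sorted(hits)

def scan_procs(procs: dict) -> dict:
    """Map each pid in {pid: {"exe": ..., "maps": ...}} to its non-empty hits."""
    found = {pid: find_indicators(p["exe"], p["maps"]) for pid, p in procs.items()}
    return {pid: hits for pid, hits in found.items() if hits}

def scan_live_proc() -> dict:
    """Run the same check over this host's /proc (Linux; needs read access)."""
    procs = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/maps") as f:
                procs[int(pid)] = {"exe": exe, "maps": f.read()}
        except OSError:
            continue  # kernel threads, exited or unreadable processes
    return scan_procs(procs)
```

Running scan_live_proc() as root on a Linux host returns only the PIDs that trip an indicator; memfd-backed executables also have legitimate uses (some runtimes and package managers), so treat a hit as a lead to triage rather than a verdict.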
For detailed indicators of compromise (IOCs) and detection rules, visit Elastic Security Labs’ GitHub repository here.