Recent searches
Search options
@Olly42@nerdculture.deNew stealthy Pumakit Linux Rootkit Malware spotted in the Wild. 
IT-security researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files & directories, and conceal itself from system tools, while simultaneously evading detection.
![[ImageSource: Elastic Security]
Pumakit Infection Chain.
Pumakit employs a multi-stage infection process starting with a dropper named 'cron,' which executes embedded payloads ('/memfd:tgt' and '/memfd:wpn') entirely from memory.
The '/memfd:wpn' payload, which executes in a child process, performs environment checks and kernel image manipulation and eventually deploys the LKM rootkit module ('puma.ko') into the system kernel.
Embedded within the LKM rootkit is Kitsune SO ('lib64/libs.so'), acting as the userland rootkit that injects itself into processes using 'LD_PRELOAD' to intercept system calls at the user level.](https://nerdculture.de/system/media_attachments/files/113/668/438/855/297/738/original/216f1cea50989548.jpeg "[ImageSource: Elastic Security]
Pumakit Infection Chain.
Pumakit employs a multi-stage infection process starting with a dropper named 'cron,' which executes embedded payloads ('/memfd:tgt' and '/memfd:wpn') entirely from memory.
The '/memfd:wpn' payload, which executes in a child process, performs environment checks and kernel image manipulation and eventually deploys the LKM rootkit module ('puma.ko') into the system kernel.
Embedded within the LKM rootkit is Kitsune SO ('lib64/libs.so'), acting as the userland rootkit that injects itself into processes using 'LD_PRELOAD' to intercept system calls at the user level.")
![[ImageSource: Elastic Security]
Pumakit using ftrace to hook Syscalls.
The malware uses the internal Linux function tracer (ftrace) to hook into as many as 18 different system calls and various kernel functions such as "prepare_creds," and "commit_creds" to alter core system behaviors and accomplish its goals.
<https://www.kernel.org/doc/html/latest/trace/ftrace.html>
"Unique methods are used to interact with Pumakid, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information," the researchers said.](https://nerdculture.de/system/media_attachments/files/113/668/440/433/885/855/original/d7035fe0f3215810.png "[ImageSource: Elastic Security]
Pumakit using ftrace to hook Syscalls.
The malware uses the internal Linux function tracer (ftrace) to hook into as many as 18 different system calls and various kernel functions such as \"prepare_creds,\" and \"commit_creds\" to alter core system behaviors and accomplish its goals.
<https://www.kernel.org/doc/html/latest/trace/ftrace.html>
\"Unique methods are used to interact with Pumakid, including using the rmdir() syscall for privilege escalation and specialized commands for extracting configuration and runtime information,\" the researchers said.")
So what? That does sound like a tool for three-letter-agencies. No mention of the attack vector. How does this beast get into the system in the first place? How does the system get infected? Evil Maid? Manipulation while "checking" the device?
The company's analysis comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September.
<https://www.virustotal.com/gui/file/30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f>
<https://www.virustotal.com/gui/file/71cc6a6547b5afda1844792ace7d5437d7e8d6db1ba995e1b2fb760699693f24>
Besides file hashes, Elastic Security has published a YARA rule to help Linux system administrators detect Pumakit attacks.
@Olly42
Still AFTER the infection.
How does that happen?