Stealthy Linux Malware PUMAKIT Escalates Privileges



Researchers at Elastic Security Labs discovered PUMAKIT, Linux malware that combines stealth techniques with an unusual privilege escalation method to persist on infected systems.

PUMAKIT has a multi-stage setup, including a dropper, two memory executables, an LKM rootkit, and a userland rootkit.

Linux Malware PUMAKIT

The malware’s structure ensures it runs its payload only under specific conditions, staying stealthy and hard to detect.

Elastic Security Labs found a suspicious binary named cron during routine threat hunting on VirusTotal. The binary, uploaded on September 4, 2024, had zero detections, raising suspicions about its stealth and malicious intent.

PUMAKIT Infection Chain

Researchers found another related file, /memfd:wpn (deleted), uploaded the same day with no detections.

The binaries, both undetected, suggested a sophisticated malware operation. The dropper cron creates two memory executables: /memfd:tgt, a benign Cron binary, and /memfd:wpn, a rootkit loader that deploys the LKM rootkit based on system conditions.

The malware uses the rmdir() syscall for privilege escalation instead of the common kill() method, making it harder to detect and stop.

The PUMA LKM rootkit hooks 18 syscalls and several kernel functions using ftrace, enabling it to manipulate system behaviors such as hiding files and directories, evading detection, and blocking debugging tools.

A shared object file named Kitsune enhances the rootkit’s persistence and stealth capabilities, contributing to its overall functionality.

The malware also features a sophisticated command and control (C2) infrastructure, with researchers identifying multiple C2 servers facilitating communication.

Elastic Security Labs has created EQL/KQL rules and a YARA signature to detect and prevent PUMAKIT infections.

These methods target stages of the malware’s execution, including unusual file descriptor usage, suspicious commands via kthreadd, and privilege escalation using the rmdir command.
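One of the indicators listed above, memfd-backed executables such as /memfd:tgt and /memfd:wpn, can be checked for by walking /proc and flagging processes whose exe link points into an anonymous memfd. The script below is an added example, not Elastic's rule set or any code from the article; the process list SAMPLE_PROCS is constructed for illustration, and the helper names are assumptions.

```python
import os
import re
from pathlib import Path

# /proc/<pid>/exe for a memfd-backed process reads like "/memfd:wpn (deleted)".
# The lazy name group tolerates memfd names that contain spaces.
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")

def classify_exe(exe_target: str):
    """Return the memfd name if exe_target is memfd-backed, otherwise None."""
    m = MEMFD_EXE.match(exe_target)
    return m.group("name") if m else None

def flag_memfd_processes(procs):
    """procs: iterable of (pid, exe_target, cmdline). Returns [(pid, memfd_name, cmdline)]."""
    hits = []
    for pid, exe, cmdline in procs:
        name = classify_exe(exe)
        if name is not None:
            hits.append((pid, name, cmdline))
    return hits

def snapshot_proc(proc_root="/proc"):
    """Yield (pid, exe_target, cmdline) for every live process (needs root to read other users' exe links)."""
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            exe = os.readlink(entry / "exe")
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            continue  # process exited or permission denied; skip it
        yield int(entry.name), exe, raw.replace(b"\0", b" ").decode(errors="replace").strip()

# Constructed sample: one on-disk cron and two memfd-backed processes mimicking
# the dropper's /memfd:tgt and /memfd:wpn. Not real telemetry.
SAMPLE_PROCS = [
    (1, "/usr/lib/systemd/systemd", "/sbin/init"),
    (4241, "/usr/sbin/cron", "/usr/sbin/cron -f"),
    (4242, "/memfd:tgt (deleted)", "cron"),
    (4243, "/memfd:wpn (deleted)", "cron"),
]

if __name__ == "__main__":
    for pid, name, cmdline in flag_memfd_processes(snapshot_proc()):
        print(f"pid={pid} memfd={name!r} cmdline={cmdline!r}")
```

Because the PUMA LKM rootkit hooks syscalls through ftrace, a walk of /proc on an already-infected host may be blinded; the same check is more reliable when run over kernel audit or EDR telemetry collected outside the rootkit's reach.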

PUMAKIT’s advanced stealth, unique privilege escalation, and multi-architectural design pose a serious threat to Linux systems. Security teams should use these detection tools and stay vigilant against this evolving malware.

Elastic Security Labs will continue monitoring PUMAKIT to keep defenders updated on new variants or changes.

IOCs



Published December 13th, 2024 | Internet Security, Linux Malware, Malware, Security Advisory, Security Update

About the Author:

FirstHackersNews- Identifies Security

