Researchers at Elastic Security Labs discovered PUMAKIT, a Linux malware using stealth and unique privilege escalation to persist on infected systems.
PUMAKIT has a multi-stage setup, including a dropper, two memory executables, an LKM rootkit, and a userland rootkit.
Linux Malware PUMAKIT
The malware’s structure ensures it runs its payload only under specific conditions, staying stealthy and hard to detect.
Elastic Security Labs found a suspicious binary named cron during routine threat hunting on VirusTotal. The binary, uploaded on September 4, 2024, had zero detections, raising suspicions about its stealth and malicious intent.
Researchers found another related file, /memfd:wpn (deleted), uploaded the same day with no detections.
The binaries, both undetected, suggested a sophisticated malware operation. The dropper cron creates two memory executables: /memfd:tgt, a benign Cron binary, and /memfd:wpn, a rootkit loader that deploys the LKM rootkit based on system conditions.
The malware uses the rmdir() syscall for privilege escalation instead of the common kill() method, making it harder to detect and stop.
The PUMA LKM rootkit hooks 18 syscalls and several kernel functions using ftrace, enabling it to manipulate system behaviors such as hiding files and directories, evading detection, and blocking debugging tools.
A shared object file named Kitsune enhances the rootkit’s persistence and stealth capabilities, contributing to its overall functionality.
The malware also features a sophisticated command and control (C2) infrastructure, with researchers identifying multiple C2 servers facilitating communication.
Elastic Security Labs has created EQL/KQL rules and a YARA signature to detect and prevent PUMAKIT infections.
These rules target distinct stages of the malware's execution, including unusual file descriptor usage (the memfd-backed executables), suspicious commands launched via kthreadd, and privilege escalation through the rmdir() syscall.
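The three behaviours those rules look for can also be hunted for with a small process-inventory scan. The following is an added example written for this article, not Elastic's EQL/KQL rules or YARA signature: it flags processes whose executable image is a deleted memfd (the `/memfd:tgt` and `/memfd:wpn` pattern), user-space processes whose parent is `kthreadd`, and running images whose SHA256 matches a hash from the IOC table below. The `collect_procs()` walker, the `Proc` record and the sample inventory are all my own constructions; the assumption that a genuine kernel thread under `kthreadd` never has an `exe` link is stated in the code.

```python
import hashlib
import os
import re
from dataclasses import dataclass

# SHA256 values copied from the article's IOC table.
PUMAKIT_SHA256 = {
    "30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f",  # cron (dropper)
    "cb070cc9223445113c3217f05ef85a930f626d3feaaea54d8585aaed3c2b3cfe",  # /memfd:wpn (loader)
    "934955f0411538eebb24694982f546907f3c6df8534d6019b7ff165c4d104136",  # /memfd:tgt (Cron binary)
    "bc9193c2a8ee47801f5f44beae51ab37a652fda02cd32d01f8e88bb793172491",  # puma.ko (LKM rootkit)
    "1aab475fb8ad4a7f94a7aa2b17c769d6ae04b977d984c4e842a61fb12ea99f58",  # kitsune.so
}

# readlink("/proc/<pid>/exe") for a process running from an anonymous memfd
# looks like "/memfd:wpn (deleted)"; the text after the colon is caller-chosen.
MEMFD_EXE = re.compile(r"^/memfd:.*\(deleted\)$")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str             # /proc/<pid>/comm
    exe: str              # readlink(/proc/<pid>/exe); "" for kernel threads
    parent_comm: str      # comm of the parent, "" if none
    exe_sha256: str = ""  # hash of the running image, if the collector computed it


def memfd_backed(p: Proc) -> bool:
    """Executable exists only in memory (memfd_create + fexecve pattern)."""
    return bool(MEMFD_EXE.match(p.exe))


def userland_child_of_kthreadd(p: Proc) -> bool:
    """Assumption: real kernel threads under kthreadd have no exe link, so a
    child of kthreadd that does have an image is a user-space process."""
    return p.parent_comm == "kthreadd" and p.exe != ""


def matches_ioc(p: Proc) -> bool:
    return p.exe_sha256 in PUMAKIT_SHA256


def scan(procs):
    """Return [(pid, comm, [reasons...])] for every process that trips a check."""
    findings = []
    for p in procs:
        reasons = []
        if memfd_backed(p):
            reasons.append("memfd-backed executable")
        if userland_child_of_kthreadd(p):
            reasons.append("user-space process parented by kthreadd")
        if matches_ioc(p):
            reasons.append("image hash matches PUMAKIT IOC")
        if reasons:
            findings.append((p.pid, p.comm, reasons))
    return findings


def collect_procs(proc_root="/proc"):
    """Build Proc records from a live Linux /proc; processes that vanish
    mid-walk are skipped and unreadable exe links yield exe == ""."""
    raw = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        pid, name, ppid, exe, digest = int(entry), "", 0, "", ""
        try:
            with open(f"{proc_root}/{pid}/status") as fh:
                for line in fh:
                    key, _, val = line.partition(":")
                    if key == "Name":
                        name = val.strip()
                    elif key == "PPid":
                        ppid = int(val)
        except OSError:
            continue
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/exe", "rb") as fh:  # works even if deleted
                digest = hashlib.sha256(fh.read()).hexdigest()
        except OSError:
            pass  # kernel thread, permission denied, or already exited
        raw[pid] = (ppid, name, exe, digest)
    return [Proc(pid, ppid, name, exe, raw[ppid][1] if ppid in raw else "", digest)
            for pid, (ppid, name, exe, digest) in raw.items()]


# Constructed sample inventory (not a real capture): a dropper named "cron"
# spawning two memfd executables, plus a shell appearing under kthreadd.
SAMPLE_PROCS = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd", ""),
    Proc(2, 0, "kthreadd", "", ""),
    Proc(15, 2, "kworker/0:1", "", "kthreadd"),
    Proc(812, 1, "cron", "/usr/sbin/cron", "systemd"),
    Proc(4100, 1, "cron", "/tmp/cron", "systemd",
         "30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f"),
    Proc(4120, 4100, "cron", "/memfd:tgt (deleted)", "cron"),
    Proc(4121, 4100, "wpn", "/memfd:wpn (deleted)", "cron",
         "cb070cc9223445113c3217f05ef85a930f626d3feaaea54d8585aaed3c2b3cfe"),
    Proc(4300, 2, "sh", "/usr/bin/dash", "kthreadd"),
]

if __name__ == "__main__":
    for pid, comm, reasons in scan(SAMPLE_PROCS):
        print(f"pid {pid} ({comm}): {', '.join(reasons)}")
```

On a real host, `scan(collect_procs())` replaces the sample list; run it as root so the exe links of other users' processes are readable. The memfd and kthreadd checks are behavioural, so they catch variants whose hashes are not in the IOC set, while the hash check confirms the known samples; hashing every running image is cheap enough for a one-off hunt but not something to schedule every minute.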
PUMAKIT’s advanced stealth, unique privilege escalation, and multi-architectural design pose a serious threat to Linux systems. Security teams should use these detection tools and stay vigilant against this evolving malware.
Elastic Security Labs will continue monitoring PUMAKIT to keep defenders updated on new variants or changes.
IOCs
Observable | Type | Name | Reference |
---|---|---|---|
30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f | SHA256 | cron | PUMAKIT dropper |
cb070cc9223445113c3217f05ef85a930f626d3feaaea54d8585aaed3c2b3cfe | SHA256 | /memfd:wpn (deleted) | PUMAKIT loader |
934955f0411538eebb24694982f546907f3c6df8534d6019b7ff165c4d104136 | SHA256 | /memfd:tgt (deleted) | Cron binary |
8ef63f9333104ab293eef5f34701669322f1c07c0e44973d688be39c94986e27 | SHA256 | libs.so | Kitsune shared object reference |
8ad422f5f3d0409747ab1ac6a0919b1fa8d83c3da43564a685ae4044d0a0ea03 | SHA256 | some2.elf | PUMAKIT variant |
bbf0fd636195d51fb5f21596d406b92f9e3d05cd85f7cd663221d7d3da8af804 | SHA256 | some1.so | Kitsune shared object variant |
bc9193c2a8ee47801f5f44beae51ab37a652fda02cd32d01f8e88bb793172491 | SHA256 | puma.ko | LKM rootkit |
1aab475fb8ad4a7f94a7aa2b17c769d6ae04b977d984c4e842a61fb12ea99f58 | SHA256 | kitsune.so | Kitsune |
sec.opsecurity1[.]art | domain-name | | PUMAKIT C2 server |
rhel.opsecurity1[.]art | domain-name | | PUMAKIT C2 server |
89.23.113[.]204 | ipv4-addr | | PUMAKIT C2 server |