Full Report
Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. "PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with
Analysis Summary
# Tool/Technique: PUMAKIT
## Overview
PUMAKIT is a sophisticated Linux rootkit, implemented as a Loadable Kernel Module (LKM), designed to escalate privileges, hide files and directories, conceal its presence from system tools, and maintain covert communication with command-and-control (C2) servers. It employs an advanced, multi-stage architecture for deployment and stealth.
## Technical Details
- Type: Malware (Rootkit - LKM and Userland SO)
- Platform: Linux
- Capabilities: Privilege escalation, file/directory hiding, kernel function hooking, C2 communication, stealth evasion.
- First Seen: Artifacts analyzed were uploaded to VirusTotal in September 2024.
## MITRE ATT&CK Mapping
PUMAKIT employs techniques across multiple stages:
- **Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (not a direct mapping, but the LKM ensures persistence once it is loaded at system boot)
- **Privilege Escalation**
  - T1068 - Exploitation for Privilege Escalation (implied via kernel manipulation)
- **Defense Evasion**
  - T1070.004 - File Deletion (used for hiding components)
  - T1089 - Application Layer Protocol (implied for covert C2 communication)
  - T1574.002 - Kernel Modules (primary method of rootkit functionality)
- **Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (implied for C2 communication)
## Functionality
### Core Capabilities
- **Multi-Stage Architecture:** Consists of a dropper ("cron"), two memory-resident executables ("/memfd:tgt" and "/memfd:wpn"), the LKM rootkit ("puma.ko"), and a userland shared object (SO) rootkit named Kitsune ("lib64/libs.so").
- **Kernel Hooking:** Uses the Linux function tracer (`ftrace`) to hook into approximately 18 different system calls.
- **Core System Modification:** Hooks crucial kernel functions like `prepare_creds` and `commit_creds` to alter core system behaviors, likely for privilege management.
- **Stealth Mechanisms:** Employs advanced methods to hide its presence from detection tools.
### Advanced Features
- **Privilege Escalation via `rmdir()`:** Interacts with the `rmdir()` syscall in an unusual way that is used specifically to obtain elevated privileges.
- **Conditional Activation:** The LKM rootkit only activates if specific conditions are met, such as successful verification that secure boot checks are absent or that necessary kernel symbols are available.
- **Embedded Components:** All necessary files, including ELF binaries, are embedded within the dropper component.
- **Memory-Resident Components:** Runs its executables from anonymous memory files (`/memfd:tgt` and `/memfd:wpn`), so that after the initial drop execution leaves little on disk.
## Indicators of Compromise
- File Hashes:
  - SHA256: `30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f` (one identified artifact hash)
  - SHA256: `71cc6a6547b5afda1844792ace7d5437d7e8d6db1ba995e1b2fb760699693f24` (another identified artifact hash)
- File Names:
  - `puma.ko` (LKM rootkit component)
  - `lib64/libs.so` (Kitsune userland SO rootkit component)
- Registry Keys: [Not applicable for Linux LKM, though kernel structures are modified]
- Network Indicators: No C2 servers or domains are listed in the source text, although C2 communication is described; consequently no defanged network indicators are available.
- Behavioral Indicators: Manipulation of kernel system calls via `ftrace`, interaction with `rmdir()` for privilege changes, presence of memory-resident ELF files utilizing `/memfd:` paths.
## Associated Threat Actors
- [No specific threat actor was explicitly named in the provided text.]
## Detection Methods
- Signature-based detection: Match the known SHA256 hashes of the components listed above.
- Behavioral detection: Monitoring for unusual use of the `ftrace` mechanism, unauthorized hooking of kernel functions like `prepare_creds` and `commit_creds`, and suspicious calls to `rmdir()` potentially leading to privilege changes.
- YARA rules: [Not explicitly available in the text.]
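The behavioral indicators and detection methods above (memory-resident executables under `/memfd:` paths and `ftrace` callbacks attached to `prepare_creds`/`commit_creds`) can be checked on a host with a small script. The following is an added example written for this summary, not code from the original report or from the analyzed samples; it assumes the `/proc/<pid>/exe` readlink form `/memfd:name (deleted)` and the tracefs `enabled_functions` line format `name (callback_count) ...`, and the sample inputs are constructed, not real captures.

```python
"""Host check for the PUMAKIT-style indicators described above.

Both checks take text input so they can be run and tested offline; scan_live_host()
collects the same inputs from a running Linux host (root needed for full coverage).
"""
import os
import re

# Credential-handling kernel functions the rootkit is reported to hook via ftrace.
WATCHED_FUNCS = {"prepare_creds", "commit_creds"}


def memfd_processes(exe_links):
    """exe_links: iterable of (pid, readlink('/proc/<pid>/exe')) pairs.
    Returns pids whose executable lives in an anonymous memfd (e.g. '/memfd:tgt (deleted)')."""
    return sorted(pid for pid, target in exe_links if target.startswith("/memfd:"))


def hooked_cred_functions(enabled_functions_text):
    """enabled_functions_text: contents of /sys/kernel/tracing/enabled_functions, which lists
    functions that currently have an ftrace callback (assumed line format: 'name (N) ...').
    Returns the watched credential functions with at least one callback attached."""
    hooked = set()
    for line in enabled_functions_text.splitlines():
        m = re.match(r"^(\S+)\s+\((\d+)\)", line)
        if m and m.group(1) in WATCHED_FUNCS and int(m.group(2)) > 0:
            hooked.add(m.group(1))
    return sorted(hooked)


def scan_live_host():
    """Gather both inputs from the running host and return (memfd_pids, hooked_funcs)."""
    links = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links.append((int(pid), os.readlink(f"/proc/{pid}/exe")))
        except OSError:
            continue  # process exited or /proc entry not readable
    try:
        with open("/sys/kernel/tracing/enabled_functions") as f:
            text = f.read()
    except OSError:
        text = ""  # tracefs not mounted or not permitted
    return memfd_processes(links), hooked_cred_functions(text)


# Constructed sample input mimicking a compromised host (pids and addresses are made up).
SAMPLE_LINKS = [(1, "/usr/lib/systemd/systemd"), (4242, "/memfd:tgt (deleted)"),
                (4243, "/memfd:wpn (deleted)"), (900, "/usr/sbin/sshd")]
SAMPLE_ENABLED = ("prepare_creds (1) R I\ttramp: 0xffffffffc0a0f000\n"
                  "commit_creds (1) R I\ttramp: 0xffffffffc0a0f000\n")

if __name__ == "__main__":
    print("memfd-backed pids:", memfd_processes(SAMPLE_LINKS))       # [4242, 4243]
    print("hooked cred funcs:", hooked_cred_functions(SAMPLE_ENABLED))  # ['commit_creds', 'prepare_creds']
```

A hit on either check is a lead for further forensics (the memfd process list also catches legitimate memfd users such as some runtimes), not proof of this specific rootkit.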
## Mitigation Strategies
- Prevention measures: Keep systems fully patched against known kernel vulnerabilities that could allow unauthorized LKM loading.
- Hardening recommendations: Implement kernel integrity monitoring, restrict the loading of unsigned kernel modules (e.g., with a properly configured Secure Boot), and employ Mandatory Access Control (MAC) frameworks such as SELinux or AppArmor to limit unauthorized program behavior.
## Related Tools/Techniques
- Kernel Modules (LKM) Rootkits
- Userland Shared Object (SO) Rootkits (Kitsune component)
- Use of `ftrace` for kernel hooking.