New Stealthy Pumakit Linux Rootkit Malware Spotted in the Wild
Summary:
Elastic Security has discovered a new Linux rootkit called Pumakit. This rootkit uses stealth and sophisticated privilege escalation techniques to maintain persistence on compromised systems. Pumakit is a multi-component set that includes a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit. Elastic Security uncovered Pumakit when investigating a suspicious binary uploaded to VirusTotal on September 4, 2024. Elastic was unable to ascertain who uses this binary or the victimology of this malware. However, in the past, these tools have been used by threat actors who target critical infrastructure and enterprise systems to perform credential harvesting, espionage, and operational disruption.
Pumakit employs a multi-stage infection process starting with a dropper named 'cron', which executes embedded payloads from memory. The payload, which executes in a child process, performs environment checks and kernel image manipulation and eventually deploys the LKM rootkit module to the kernel. The rootkit runs conditional checks, looking for things like specific kernel symbols, before loading. Elastic says Puma utilizes the 'kallsyms_lookup_name()' function to manipulate system behavior. This indicates the rootkit was designed to target only Linux kernels before version 5.7, because that function was deprecated in newer Linux versions. Puma hooks 18 syscalls and multiple kernel functions using 'ftrace' to gain privilege escalation, command execution, and the ability to hide processes. The rootkit can hide its presence from kernel logs, system tools, and antivirus, as well as hide specific files in a directory and objects from process lists.
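The three behaviours described above (dependence on kallsyms_lookup_name() on pre-5.7 kernels, ftrace-based hooking of syscalls, and hiding processes from directory listings) each leave a signal a defender can look for. The following triage script is an added example written for this advisory; it is not code from Elastic Security's report and contains no Pumakit indicators. The version threshold, the sample enabled_functions lines, and the sample PID lists are constructed for illustration, and the "hidden PID" check assumes the hook filters only directory listings (getdents), not direct stat() lookups.

```bash
#!/bin/bash
# Added triage helpers for the rootkit behaviours summarized above. Not from the
# Elastic report; sample inputs in demo() are constructed for illustration.

# Returns 0 when a `uname -r` style string is older than 5.7, the last series in
# which out-of-tree modules could still reach kallsyms_lookup_name() directly.
kernel_older_than_5_7() {
    local major rest minor
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}      # strip ".0-generic", "-rc1", etc.
    [ "$major" -lt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -lt 7 ] && return 0
    return 1
}

# Prints symbols that currently have ftrace callbacks registered (first column
# of tracefs enabled_functions). On a quiet system this file is empty; entries
# while no tracer is running mean some module attached ftrace_ops, which may be
# legitimate (livepatch, perf probes) or a hook of the kind Pumakit installs.
ftrace_hooked_symbols() {
    awk '!/^#/ && NF { print $1 }' "$1"
}

# Prints PIDs present in the "probed" list but absent from the "listed" list.
# `ls /proc` goes through getdents, the call userland and LKM rootkits filter
# to hide processes; stat()ing /proc/<pid> by name bypasses that listing.
# Takes two newline-separated lists so it can be exercised offline.
pids_missing_from_listing() {
    local listed=$1 probed=$2
    printf '%s\n' "$probed" | awk -v listed="$listed" '
        BEGIN { n = split(listed, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)'
}

live_listed_pids() { ls /proc | grep -E '^[0-9]+$'; }

# Walks PID space with stat(); slow on large pid_max but needs no extra tools.
live_probed_pids() {
    local max pid=1
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
    return 0
}

live_triage() {
    local kver tracefs hooked hidden
    kver=$(uname -r)
    if kernel_older_than_5_7 "$kver"; then
        echo "kernel $kver: kallsyms_lookup_name() reachable by loadable modules"
    fi
    tracefs=/sys/kernel/tracing
    [ -d "$tracefs" ] || tracefs=/sys/kernel/debug/tracing
    if [ -r "$tracefs/enabled_functions" ]; then
        hooked=$(ftrace_hooked_symbols "$tracefs/enabled_functions")
        [ -n "$hooked" ] && printf 'ftrace callbacks registered on:\n%s\n' "$hooked"
    fi
    hidden=$(pids_missing_from_listing "$(live_listed_pids)" "$(live_probed_pids)")
    [ -n "$hidden" ] && printf 'PIDs reachable but hidden from listing:\n%s\n' "$hidden"
    return 0
}

# Offline demonstration on constructed data (no Pumakit indicators involved).
demo() {
    local sample
    for v in "5.4.0-150-generic" "5.7.0" "6.1.0-rc1"; do
        if kernel_older_than_5_7 "$v"; then echo "$v: older than 5.7"; else echo "$v: 5.7 or newer"; fi
    done
    sample=$(mktemp)
    # Constructed enabled_functions content in the kernel's column layout.
    printf 'do_sys_open (1) R  tramp: 0x0 (hook_open)\n__x64_sys_getdents64 (1) R\n' > "$sample"
    printf 'hooked: %s\n' "$(ftrace_hooked_symbols "$sample" | tr '\n' ' ')"
    rm -f "$sample"
    printf 'hidden: %s\n' "$(pids_missing_from_listing "$(printf '1\n2\n3')" "$(printf '1\n2\n3\n4242')")"
}

if [ "${1:-}" = "--live" ]; then live_triage; else demo; fi
```

Run with `--live` as root on the host under investigation; any output from the second and third checks is a lead to examine, not proof of compromise, since livepatching and tracing tools also register ftrace callbacks and short-lived processes can appear between the two PID walks.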
Security Officer Comments:
The Pumakit rootkit is sophisticated malware with a multi-stage architecture that highlights the development skills of advanced threat actors targeting Linux systems. This malware can be difficult for defenders to detect, as it hooks 18 syscalls and several kernel functions through ftrace to hide files and the rootkit itself. The unconventional hooking methods the malware uses to escalate privileges are another reason this rootkit can be a challenge for organizations. Its critical capabilities, which increase the success of attacks, include C2 communication, anti-debugging, and persistence via system manipulation. Elastic Security’s research illustrates the importance of proactive cybersecurity practices like routine threat hunting when protecting corporate environments.
Suggested Corrections:
IOCs and a YARA signature are available in Elastic Security’s report (linked below).
Fortinet recommends that once a rootkit has been detected, the following process should be followed to remove it:
- Back up vital data: The rootkit’s reaction upon removal is unpredictable, and it may have defensive measures built in that could affect or damage the machine’s performance. Back up any important data and files that need to be retained from the machine.
- Boot up in safe mode: Many rootkits attempt to prevent a user from installing security solutions or removing the malware. In this case, restart the machine in safe mode with networking (by pressing F8 on the Windows boot screen) to limit the rootkit’s access.
- Use multiple rootkit scan tools: The wide range of rootkit families means that not all rootkit scans will be capable of discovering them. It is therefore important to use a combination of scanners that offer different capabilities.
- Freeze remaining malware: Removing the rootkit alone does not always guarantee that the machine is clean. It may have been infected by other malware that remains active or is designed to evade rootkit scans. Other security solutions can freeze any malware that remains on the system, which enables malware removal programs to clean up any malicious software.
- Advanced rootkit removal: Some rootkit types are particularly difficult to remove. For example, a firmware or hardware rootkit is unlikely to be removed by standard rootkit scans, and the user may need to back up and wipe their data from the machine and reinstall the OS. However, in the case of a rootkit targeting the BIOS, even a wipe and a reinstall may not be enough to remove the malicious software. This may require the BIOS drive to be wiped and replaced along with a hard reset of the machine.
https://www.bleepingcomputer.com/news/security/new-stealthy-pumakit-linux-rootkit-malware-spotted-in-the-wild/
https://www.elastic.co/security-labs/declawing-pumakit