In a notable discovery, cybersecurity researchers have unveiled a new Linux rootkit, PUMAKIT, that employs a repertoire of advanced mechanisms to escalate privileges, hide files and directories, and evade detection by system utilities.
“PUMAKIT represents an intricate loadable kernel module (LKM) rootkit, ingeniously engineered to camouflage its presence and sustain communication with its command-and-control (C2) infrastructure,” explained Elastic Security Lab analysts, Remco Sprooten and Ruben Groenewoud, in a detailed technical disclosure published Thursday.
The company’s forensic evaluation originated from artifacts uploaded to the VirusTotal malware repository in early September.
An Elaborate Multistage Blueprint
The rootkit’s internal framework follows a multilayered design, incorporating a dropper mechanism dubbed “cron,” two memory-resident executables (/memfd:tgt and /memfd:wpn), an LKM rootkit (puma.ko), and a userland shared object (SO) rootkit called Kitsune (lib64/libs.so).
Utilizing Linux’s native function tracer (ftrace), PUMAKIT latches onto no fewer than 18 distinct system calls alongside core kernel functions such as prepare_creds and commit_creds. Hooking at this layer lets the rootkit intercept and alter core kernel operations, which is how it carries out its privilege escalation and concealment.
“Communication with PUMA involves unconventional methodologies, including exploiting the rmdir() system call for privilege elevation and deploying tailored commands to retrieve configuration details and runtime metrics,” noted the researchers.
Conditional Activation and Embedded Payloads
PUMAKIT’s staged deployment model ensures that activation occurs only under specific conditions—such as secure boot verifications or kernel symbol resolution. The rootkit validates these prerequisites by probing the Linux kernel environment, embedding requisite components as ELF binaries within its dropper payload.
The executable /memfd:tgt mirrors an unaltered Ubuntu Linux Cron binary, while /memfd:wpn acts as a loader to initiate the rootkit if conditions are met. The LKM rootkit further incorporates an embedded SO file to facilitate interaction between user space and the kernel-level rootkit.
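Two of the behaviours described above leave host-side traces a defender can look for: ftrace hooks on kernel functions show up in tracefs as entries in enabled_functions, and a process running from an anonymous memory file shows a /memfd: target when /proc/<pid>/exe is read. The following triage script is an added example written for this article; it is not Elastic's tooling or any code from the rootkit. The enabled_functions line layout it parses is modelled on the kernel's own formatting, and both sample inputs (the tracefs text and the pid-to-exe map) are constructed to mirror the function names and memfd names the report gives.

```python
"""Host triage for two PUMAKIT-style indicators (added example, not Elastic's code):
   1. kernel functions hooked through ftrace, as listed in tracefs enabled_functions
   2. processes whose executable is an anonymous memfd (/memfd:<name>)
"""
import os
import re
from typing import Dict, List, Tuple

# Credential helpers named in the report; a hook here is a privilege-escalation primitive.
CRED_FUNCS = {"prepare_creds", "commit_creds"}
# Syscall entry-point prefixes on common architectures.
SYSCALL_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_", "sys_")
# tracefs mount points, newest first.
TRACEFS_CANDIDATES = (
    "/sys/kernel/tracing/enabled_functions",
    "/sys/kernel/debug/tracing/enabled_functions",
)

# Constructed sample, modelled on the kernel's enabled_functions output:
#   <function> (<ref count>) <flags>\ttramp: <addr> (<addr>) -><ops callback>
# Flags: R = registers saved, I = IPMODIFY (the hook may redirect execution).
SAMPLE_ENABLED_FUNCTIONS = """\
prepare_creds (1) R I\ttramp: 0xffffffffc0a5b000 (0xffffffffc0a5a000) ->ftrace_ops_assist_func+0x0/0xf0
commit_creds (1) R I\ttramp: 0xffffffffc0a5b000 (0xffffffffc0a5a000) ->ftrace_ops_assist_func+0x0/0xf0
__x64_sys_rmdir (1) R I\ttramp: 0xffffffffc0a5b000 (0xffffffffc0a5a000) ->ftrace_ops_assist_func+0x0/0xf0
vfs_read (1)\ttramp: 0xffffffffc0104000 (0xffffffffc0103000) ->ftrace_ops_list_func+0x0/0x120
"""

# Constructed sample of pid -> readlink('/proc/<pid>/exe'); memfd-backed
# executables appear as "/memfd:<name> (deleted)".
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    812: "/usr/sbin/cron",
    4471: "/memfd:tgt (deleted)",
    4472: "/memfd:wpn (deleted)",
}

MEMFD_EXE = re.compile(r"^/memfd:(?P<name>\S*)(?: \(deleted\))?$")


def parse_enabled_functions(text: str) -> List[Dict[str, object]]:
    """Return one record per hooked function: name, ref count, flag letters, raw line."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Everything before the trampoline / ops details is "<func> (<count>) <flags>".
        head = re.split(r"\t|tramp:|ops:|->", line, maxsplit=1)[0]
        parts = head.split()
        if len(parts) < 2 or not parts[1].startswith("("):
            continue
        flags = {p for p in parts[2:] if len(p) == 1 and p.isupper()}
        hooks.append({"func": parts[0], "count": int(parts[1].strip("()")),
                      "flags": flags, "raw": raw})
    return hooks


def classify_hook(hook: Dict[str, object]) -> str:
    """Severity of a single ftrace hook. IPMODIFY on a syscall entry means the
    call can be redirected; a plain tracer (no I flag) is usually benign."""
    func = str(hook["func"])
    ipmodify = "I" in hook["flags"]
    if func in CRED_FUNCS:
        return "critical"
    if func.startswith(SYSCALL_PREFIXES) and ipmodify:
        return "high"
    if ipmodify:
        return "medium"
    return "info"


def find_memfd_processes(exe_links: Dict[int, str]) -> List[Tuple[int, str]]:
    """Pids whose executable is an anonymous memfd, with the memfd name."""
    found = []
    for pid, target in sorted(exe_links.items()):
        m = MEMFD_EXE.match(target)
        if m:
            found.append((pid, m.group("name")))
    return found


def collect_exe_links(proc: str = "/proc") -> Dict[int, str]:
    """Read /proc/<pid>/exe for every numeric entry; needs root to see all processes."""
    links = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
            except OSError:
                continue  # kernel thread, exited, or permission denied
    return links


def triage(enabled_text: str, exe_links: Dict[int, str]) -> Dict[str, list]:
    """Bucket hooks by severity and list memfd-backed processes."""
    report: Dict[str, list] = {"critical": [], "high": [], "medium": [], "info": []}
    for hook in parse_enabled_functions(enabled_text):
        report[classify_hook(hook)].append(hook["func"])
    report["memfd"] = find_memfd_processes(exe_links)
    return report


def main() -> None:
    enabled = ""
    for path in TRACEFS_CANDIDATES:
        try:
            with open(path) as fh:
                enabled = fh.read()
            break
        except OSError:
            continue  # tracefs not mounted or not readable as this user
    report = triage(enabled, collect_exe_links())
    for sev in ("critical", "high", "medium", "info"):
        for func in report[sev]:
            print(f"[{sev}] ftrace hook on {func}")
    for pid, name in report["memfd"]:
        print(f"[high] pid {pid} runs from anonymous memfd '{name}'")


if __name__ == "__main__":
    main()
```

Run it as root on the host under investigation; on the constructed samples it reports prepare_creds and commit_creds as critical, __x64_sys_rmdir as high, vfs_read as informational, and pids 4471/4472 as memfd-backed. Two caveats apply when reading the output: kernel live patching, BPF and tracing tools also populate enabled_functions (live patches in particular use IPMODIFY), so a hit is a lead rather than a verdict; and a kernel-resident rootkit that filters /proc or tracefs can hide exactly these artifacts from a script running on the host, so corroborate with evidence collected from outside it (memory acquisition, EDR telemetry, or the kernel module list from a trusted boot).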
A Masterpiece of Concealment
Elastic’s findings underscore how every infection phase is meticulously crafted to remain undetectable. Memory-resident components and intricate checks prevent premature execution, reflecting an elevated level of sophistication in its operational design. Notably, PUMAKIT has not yet been linked to any established adversary or threat faction.
“PUMAKIT epitomizes a multifaceted and elusive menace, utilizing techniques such as syscall hooking, in-memory execution, and inventive privilege escalation strategies,” concluded the researchers. “Its multistage, architecture-aware construction signals an escalation in the technical prowess of malware aimed at Linux ecosystems.”