Pumakit Linux Rootkit Malware - 15 December 2024

338/2024

High

December 15, 2024

4:01 pm

The Pumakit Linux rootkit is a recently identified stealthy malware targeting Linux systems. It is structured as a Loadable Kernel Module (LKM), enabling it to function at the kernel level and granting it extensive access to the operating system.

The Pumakit Linux rootkit is a recently discovered malware that employs advanced stealth techniques to avoid detection. It targets Linux systems, particularly older kernels (pre-5.7). Initially flagged by a suspicious binary submitted to VirusTotal, it alters system behavior through the kallsyms_lookup_name() function.

The rootkit has a multi-stage architecture that includes a dropper (cron), two memory-resident executables (/memfd:tgt and /memfd:wpn), a Loadable Kernel Module (LKM) rootkit, and a userland rootkit (Kitsune). It enables privilege escalation, process hiding, and persistent backdoor access while using ftrace to hook into 18 system calls and kernel functions like “prepare_creds” and “commit_creds” to manipulate core system behaviors and accomplish its goals.

The Tactics and Techniques of Pumakit Linux Rootkit Malware:

o Initial Access and Execution:

The malware uses the cron binary as a dropper to gain initial access and executes hidden ELF binaries without leaving traces on disk, potentially masquerading as legitimate processes.

o Persistence:

The malware persists as a Loadable Kernel Module (LKM). By embedding itself into the Linux kernel, it can reload itself after reboots while remaining undetected.

o Privilege Escalation:

The malware uses a technique called hooking to intercept 18 system calls (like rmdir()) and various kernel functions using a tool called ftrace. This lets it gain higher privileges, run commands, and even hide processes from the system.
The kernel functions ‘prepare_creds’ and ‘commit_creds’ are abused to modify process credentials, granting root privileges to specific processes.

o Defense Evasion:

The malware hooks kernel functions and system calls, intercepting key processes related to file and directory operations, logs, and network activity to hide the rootkit’s files, processes, and network connections from detection.
The Kitsune rootkit (a user-space component) alters the behavior of common system commands (like ls, ps, netstat, top, htop, and cat) to conceal malicious activity and dynamically hide files or directories based on attacker-defined criteria, making detection extremely difficult for system admins.

o Command and Control (C2):

Kitsune SO (shared object) also handles all communications with the command and control (C2) server, relaying commands to the LKM rootkit and transmitting configuration and system info to the operators.
Utilizes stealthy memory-resident executables to maintain a communication channel. Specific details on its C2 protocols are still under analysis, but early reports suggest minimalistic, encrypted data exchange.

o Impact:

Enables unauthorized access, allowing attackers to control infected systems, and facilitates the exfiltration of sensitive data such as credentials and personal information.
Alters or hides processes, making detection difficult and compromising system integrity, while potentially opening systems to further attacks or additional malware, escalating overall security risks.

Mitigations

Regularly update the Linux Kernel and packages to patch vulnerabilities that the rootkit might exploit, and monitor for unusual system behavior such as unexpected processes, hidden files, suspicious network activity, and syscall
hooking.
Enable security features like CONFIG_STRICT_DEVMEM, KASLR, and kernel lockdown to limit rootkit access to kernel memory and prevent unauthorized kernel modifications.
Use kernel lockdown features (CONFIG_SECURITY_LOCKDOWN), available in modern Linux kernels, to prevent unauthorized access to low-level kernel functionalities.
Use rootkit detection tools and YARA rules to scan for suspicious activities and specific patterns related to the rootkit.
Enable Secure Boot to ensure the system only boots trusted software, reducing the chance of kernel-level malware persistence.
Apply the principle of least privilege by limiting user access and maintaining regular, secure backups to ensure recovery from infections.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Pumakit Linux Rootkit Malware – 15 December 2024

Mitigations

References