
New Linux Rootkit PUMAKIT Employs Advanced Stealth Techniques to Evade Detection


Cybersecurity researchers have identified a new and highly sophisticated Linux rootkit named PUMAKIT, which boasts capabilities such as privilege escalation, file and directory hiding, and self-concealment from system tools, all while remaining undetected.

According to Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud, "PUMAKIT is a loadable kernel module (LKM) rootkit that leverages advanced stealth mechanisms to remain hidden and maintain communication with its command-and-control servers." The findings were shared in a technical report published Thursday.

The rootkit was discovered during an analysis of artifacts uploaded to the VirusTotal malware scanning platform in September 2024.


Multi-Stage Malware Architecture

PUMAKIT's internal structure features a multi-stage design, including:

  1. A dropper component named "cron"
  2. Two memory-resident executables ("/memfd:tgt" and "/memfd:wpn")
  3. An LKM rootkit ("puma.ko")
  4. A shared object (SO) userland rootkit called Kitsune ("lib64/libs.so")

The rootkit utilizes the internal Linux function tracer (ftrace) to hook into 18 system calls and key kernel functions like "prepare_creds" and "commit_creds", altering the core system's behavior to achieve its objectives.


Unique Techniques and Stealth Capabilities

PUMAKIT employs unconventional methods to execute its operations. For example, it uses the rmdir() syscall for privilege escalation and specific commands to extract configuration and runtime data.

Its staged deployment process ensures activation only under predefined conditions, such as passing secure boot checks or verifying kernel symbol availability. These checks are performed by scanning the Linux kernel, with all necessary files embedded as ELF binaries within the dropper.

  • "/memfd:tgt": A default Ubuntu Linux Cron binary with no modifications.
  • "/memfd:wpn": A loader that deploys the rootkit when conditions are met.
  • LKM Rootkit: Contains an embedded SO file that facilitates interaction with the rootkit from userspace.
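The two traits described above, the memory-resident "/memfd:" executables and the ftrace hooks on prepare_creds and commit_creds, are both visible from userspace on a live host. The following script is an added detection example written for this article, not code from Elastic's report: it reads /proc/<pid>/exe links and the tracefs enabled_functions file (standard kernel interfaces; the sample inputs in the test are constructed, and the exact enabled_functions line format is assumed to start with the function name).

```python
"""Hunt for two PUMAKIT-style indicators on a Linux host: processes whose
executable lives only in an anonymous memfd (the report's "/memfd:tgt" and
"/memfd:wpn"), and ftrace hooks attached to credential functions."""
import os
import re
from typing import Dict, List

# Kernel functions the report names as hook targets (extend as needed).
WATCHED_KERNEL_FUNCS = {"prepare_creds", "commit_creds"}
# The kernel renders a memfd-backed exe link as "/memfd:<name> (deleted)".
MEMFD_RE = re.compile(r"^/memfd:")


def memfd_backed(exe_links: Dict[int, str]) -> List[int]:
    """Return pids whose /proc/<pid>/exe link points into a memfd."""
    return sorted(pid for pid, target in exe_links.items() if MEMFD_RE.match(target))


def hooked_watched_funcs(enabled_functions: str) -> List[str]:
    """Parse tracefs 'enabled_functions' and return watched kernel functions
    that currently have an ftrace ops attached. Assumption: each line begins
    with the function name, e.g. 'commit_creds (1) R I  tramp: 0x...'."""
    hits = set()
    for line in enabled_functions.splitlines():
        name = line.strip().split(" ", 1)[0]
        if name in WATCHED_KERNEL_FUNCS:
            hits.add(name)
    return sorted(hits)


def collect_exe_links(proc: str = "/proc") -> Dict[int, str]:
    """Read every readable /proc/<pid>/exe symlink on the live host."""
    links = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
            except OSError:
                continue  # process exited, or no permission (run as root)
    return links


def read_enabled_functions() -> str:
    """Return tracefs enabled_functions contents, or '' if tracefs is absent."""
    for path in ("/sys/kernel/tracing/enabled_functions",
                 "/sys/kernel/debug/tracing/enabled_functions"):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            continue
    return ""


if __name__ == "__main__":
    print("memfd-backed pids:", memfd_backed(collect_exe_links()))
    print("hooked credential functions:", hooked_watched_funcs(read_enabled_functions()))
```

A hit on either check is a lead, not proof: legitimate software occasionally runs from memfds, and tracing tools also register ftrace ops, so confirm by inspecting the reported process and the tramp target before escalating.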

Elastic Security Lab emphasized that each phase of the malware’s infection chain is designed to maintain stealth, leveraging memory-resident files and bypassing detection until the rootkit is fully deployed.


No Attribution Yet

At this time, PUMAKIT has not been linked to any known threat actor or group.

“PUMAKIT represents a complex and stealthy Linux threat, showcasing advanced techniques such as syscall hooking, memory-resident execution, and unique privilege escalation mechanisms. Its multi-architectural design underscores the increasing sophistication of malware targeting Linux environments,” the researchers concluded.
