The newly discovered Pumakit Linux rootkit uses advanced stealth techniques and privilege escalation to compromise systems while avoiding detection. Identified by Elastic Security from a suspicious binary uploaded to VirusTotal in September 2024, Pumakit is a multi-component malware, including a dropper, a kernel module rootkit, and a shared object (SO) userland rootkit.
Targeting Linux kernels prior to version 5.7, Pumakit relies on the kallsyms_lookup_name() function (still exported to modules in those kernels) to resolve kernel symbols and hook 18 syscalls and various kernel functions for actions like privilege escalation and process hiding. Its stealth capabilities allow it to evade logs, antivirus tools, and system monitoring utilities, and it reinitializes its hooks to maintain its presence.
The malware’s userland component, Kitsune SO, extends the rootkit's invisibility by intercepting user-level system calls, hiding malicious files, processes, and network connections. Kitsune SO also handles communication with a command-and-control server, enabling remote control and data exfiltration.
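The process hiding described above works by filtering what a directory listing of /proc returns; a cross-view check that enumerates PIDs through a different code path can expose the discrepancy. The following is an added example of that technique (the same idea tools like unhide use), not code from Elastic or from the rootkit, and it assumes only the listing path is filtered while kill(pid, 0) and /proc/<pid>/status still answer honestly:

```python
import os

def listed_pids(proc_root="/proc"):
    """PIDs visible in a directory listing of /proc: the view a rootkit
    hooking getdents/readdir (kernel or LD_PRELOAD style) can filter."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def probed_pids(max_pid=None):
    """PIDs that respond to kill(pid, 0), a path the listing hooks do not
    cover. Brute-forces the PID space up to pid_max; EPERM still means alive."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def thread_group_of(pid, proc_root="/proc"):
    """Tgid from /proc/<pid>/status, or None if unreadable. kill() accepts
    thread IDs too, which never appear as top-level /proc entries."""
    try:
        with open(f"{proc_root}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def hidden_pids(listed, probed, tgid_of=thread_group_of):
    """Pure comparison (testable with constructed sets): PIDs the probe finds
    but the listing omits, minus threads of visible processes."""
    suspects = []
    for pid in sorted(probed - listed):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            continue  # ordinary thread of a listed process, not hidden
        suspects.append(pid)  # unreadable status is kept as a finding
    return suspects

if __name__ == "__main__":
    for pid in hidden_pids(listed_pids(), probed_pids()):
        print(f"PID {pid} answers kill(pid, 0) but is absent from /proc listing")
```

Run it as root so EPERM does not dominate the probe; a non-empty result on a host that is not running a container runtime or similar PID-namespace tooling deserves a closer look.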
By abusing kernel functions like prepare_creds and commit_creds, Pumakit grants root privileges to targeted processes, making it a potent tool for espionage and sabotage. Elastic Security has released a YARA rule to help administrators detect this rootkit.
This malware’s focus on legacy Linux systems highlights the importance of updating kernels to mitigate emerging threats.