SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Elastic identifies stealthy malware toolkit named PUMAKIT

Wed, 18th Dec 2024

Elastic Security Labs has identified a new malware known as PUMAKIT, described as an advanced malware analysis toolkit.

PUMAKIT is classified as a sophisticated loadable kernel module (LKM) rootkit and is known to use advanced stealth mechanisms. These allow the malware to remain undetected while maintaining communication with command-and-control servers. As part of its design, PUMAKIT features a multi-stage architecture, incorporating components such as a dropper, two memory-resident executables, an LKM rootkit module, and a shared object (SO) userland rootkit. "Declawing PUMAKIT: Elastic's newly launched PUMAKIT analysis toolkit provides researchers with powerful tools to identify, investigate, and defend against emerging threats like GOSAR. With PUMAKIT, security teams gain critical insights into malware behaviors and effective defense strategies, ensuring they remain ahead of attackers," said an official statement.

The discovery of PUMAKIT occurred during a routine threat hunt on VirusTotal when a binary named cron was first uploaded. This binary, along with another artifact, showed 0 detections at the time of upload, raising questions about their stealth characteristics. The embedded strings suggested potential manipulation tactics targeting the vmlinuz kernel package in the boot directory.

PUMAKIT, named after its LKM rootkit component and an SO userland rootkit named Kitsune, starts with a dropper that initiates a process using the cron binary. This process includes two memory-resident executables: one acts as a legitimate Cron binary, while the other serves as a rootkit loader. This loader evaluates system conditions and deploys the LKM rootkit, which interacts with userspace through an embedded SO file.

The kernel module's key functions include privilege escalation, file and self-concealment, communication establishment with C2 servers, and anti-debugging measures. A distinct method employed by this rootkit is its use of syscall hooking, including the unique use of the rmdir() syscall for privilege escalation and concealment purposes.

The rootkit leverages an internal Linux function tracer (ftrace) to hook into syscalls, enabling it to alter core system behaviours. Execution is designed to occur only under certain conditions, such as secure boot checks or kernel symbol availability, ensuring its activation goes unnoticed. Its structure allows it to remain largely undetected by conventional detection systems.

Upon further investigation, PUMAKIT's rootkit loader was found to hide itself by mimicking the /usr/sbin/sshd executable, loading the rootkit only if specific prerequisites are met. A notable technique involves inspecting and processing files based on their compression formats to locate kernel symbols for the rootkit deployment.

In response to this discovery, Elastic Security Labs has formulated several detection and prevention strategies. These include Elastic and YARA signatures, as well as specific EQL/KQL rules, to identify aspects of the PUMAKIT attack chain. For example, the rules monitor an uncommon syslog event indicating that a process was started with an executable stack, and capture suspicious parent-child process interactions and unusual file descriptor executions.

Auditing configurations and queries are set to detect kernel module loading through the Auditd Manager, and various behavioural detection rules have been considered to recognise anomalies in rootkit privilege escalation methods and directory manipulation tactics.
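As an added illustration of the two log-based indicators described above (the executable-stack syslog event and kernel module loading seen through auditd), the following script is example detection logic written for this article, not Elastic's own rules. It assumes the kernel's "process '…' started with executable stack" warning text, the auditd KERN_MODULE and SYSCALL record formats shown in the constructed sample, and x86_64 syscall numbers 175 (init_module) and 313 (finit_module).

```python
import re
from dataclasses import dataclass

# Kernel warning from fs/exec.c, emitted once when a process starts with an executable stack.
EXEC_STACK_RE = re.compile(r"process '(?P<exe>[^']+)' started with executable stack")
# auditd record written when a kernel module is loaded via init_module/finit_module.
KERN_MODULE_RE = re.compile(r'type=KERN_MODULE .*?\bname="?(?P<mod>[^"\s]+)"?')
# auditd SYSCALL record on x86_64 (arch=c000003e): 175 = init_module, 313 = finit_module.
MODULE_SYSCALL_RE = re.compile(r"type=SYSCALL .*?arch=c000003e .*?syscall=(?P<nr>175|313)\b")

@dataclass
class Finding:
    kind: str    # "executable_stack" or "kernel_module_load"
    detail: str  # executable path, module name, or syscall number
    line: str    # the raw log line that triggered the finding

def scan(lines):
    """Return one Finding per log line that matches an indicator (constructed logic)."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        if m := EXEC_STACK_RE.search(line):
            findings.append(Finding("executable_stack", m.group("exe"), line))
        elif m := KERN_MODULE_RE.search(line):
            findings.append(Finding("kernel_module_load", m.group("mod"), line))
        elif m := MODULE_SYSCALL_RE.search(line):
            findings.append(Finding("kernel_module_load", "syscall " + m.group("nr"), line))
    return findings

# Constructed sample: two syslog lines and two auditd records; path and module name are placeholders.
SAMPLE_LOG = """\
Dec 18 10:01:02 host kernel: [  120.123456] process '/tmp/cron' started with executable stack
Dec 18 10:01:03 host cron[1234]: (CRON) INFO (pidfile fd = 3)
type=KERN_MODULE msg=audit(1734516070.123:456): name="example_rootkit_module"
type=SYSCALL msg=audit(1734516070.123:456): arch=c000003e syscall=313 success=yes exit=0 key="modules"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:20} {f.detail:28} <- {f.line}")
```

The SYSCALL match relies on an audit rule such as `-a always,exit -F arch=b64 -S init_module -S finit_module -k modules` being in place; the KERN_MODULE record is emitted by the kernel regardless of rules once auditing is enabled.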

PUMAKIT exemplifies the complex landscape of evolving cyber threats, prompting a need for continuous vigilance and adaptive security measures. "PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods. Its multi-architectural design highlights the growing sophistication of malware targeting Linux systems," concluded the press release from Elastic Security Labs. The onus is on adapting detection methods to stay ahead in the cyber defence landscape.
