The multi-stage rootkit targets Linux systems, using advanced stealth techniques to escalate privileges and avoid detection.

A new loadable kernel module (LKM) rootkit has been spotted in the wild compromising Linux systems with advanced stealth and privilege escalation features. PUMAKIT, as the Elastic Security researchers who discovered it during routine threat hunting on VirusTotal call it, was deployed as part of a multi-stage malware architecture that consists of a dropper, two memory-resident executables, an LKM rootkit module, and a shared object (SO) userland rootkit.

“The rootkit component, referenced by the malware authors as ‘PUMA,’ employs an internal Linux function tracer (ftrace) to hook 18 different syscalls and several kernel functions, enabling it to manipulate core system behaviors,” researchers said.

Rootkits are malicious programs or collections of tools specialized for establishing persistence within compromised systems and are often used by advanced persistent threat (APT) groups to target critical organizations. Elastic Security researchers could trace the deployment back to September 4, 2024, when the associated suspicious binary (cron) was uploaded.

Multi-staged deployment

PUMAKIT, named after its PUMA kernel module and Kitsune userland rootkit, uses a multi-stage infection process starting with a tampered “cron” binary as its dropper. This disguises the malware as a legitimate system process, enabling it to blend into the system.

The dropper creates two in-memory executables: /memfd:tgt, a harmless cron binary, and /memfd:wpn, a rootkit loader. The loader evaluates the environment, executes additional payloads, and prepares the system for rootkit deployment. A temporary script, script.sh, is executed from /tmp to finalize the deployment of the PUMA kernel rootkit module. The rootkit embeds the Kitsune SO to handle userland interactions, ensuring a seamless and stealthy infection process.
The kernel module’s main features include elevating privileges, hiding files and directories, evading detection by system tools, implementing anti-debugging techniques, and enabling communication with command-and-control (C2) servers, the researchers added.

Advanced evasion capabilities

The rootkit activates only under certain conditions, verifying kernel symbols, secure boot status, and other prerequisites before loading itself. It targets Linux kernels prior to version 5.7, as newer versions no longer export the function kallsyms_lookup_name(), which the rootkit relies on. Using this function, the Puma rootkit manipulates system behavior.

Using “unconventional” methods, it hooks into 18 syscalls and several kernel functions through ftrace, allowing it to escalate privileges, execute commands, and conceal processes, researchers added. The rootkit also modifies credentials with prepare_creds and commit_creds, granting root access to specific processes.

In coordination with the userland rootkit Kitsune, Puma extends its control by hiding files, processes, and network connections. Kitsune intercepts the system calls used by tools such as ls, ps, and top to prevent detection, and manages communication with the command-and-control server, transmitting system data and receiving commands.

Elastic Security has developed a YARA signature to detect PUMAKIT, including the dropper (cron), rootkit loader (/memfd:wpn), LKM rootkit, and Kitsune shared object files.
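Two of the observables above lend themselves to a quick host triage: the memfd-backed executables (/memfd:tgt and /memfd:wpn) show up as the target of /proc/<pid>/exe, and the LKM can only load on kernels older than 5.7. The following script is an added example written for this article, not Elastic's tooling or the YARA rule; the /proc walk is separated from the matching logic so the checks also run on the constructed sample data embedded below.

```python
#!/usr/bin/env python3
"""Triage heuristics for the PUMAKIT deployment chain (added example).

Checks two artefacts named in the article:
  * processes whose executable lives in an anonymous memfd, which the kernel
    reports as '/memfd:<name> (deleted)' in /proc/<pid>/exe, and
  * a kernel release older than 5.7, the only range on which the LKM can
    load because it depends on kallsyms_lookup_name().
"""
import os
import re
from typing import Dict, List

MEMFD_NAMES = {"/memfd:tgt", "/memfd:wpn"}            # names reported by Elastic
MEMFD_RE = re.compile(r"^/memfd:(.*?)(?: \(deleted\))?$")

def kernel_vulnerable(release: str) -> bool:
    """True when a release string such as '5.4.0-150-generic' is older than 5.7."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        return False                                  # unparseable: do not guess
    return (int(m.group(1)), int(m.group(2))) < (5, 7)

def find_memfd_processes(exe_links: Dict[int, str]) -> List[dict]:
    """exe_links maps pid -> readlink('/proc/<pid>/exe'); returns memfd-backed hits."""
    hits = []
    for pid, target in sorted(exe_links.items()):
        m = MEMFD_RE.match(target)
        if not m:
            continue
        name = "/memfd:" + m.group(1)
        # any memfd-backed executable is worth a look; flag the known names separately
        hits.append({"pid": pid, "exe": name, "known_pumakit_name": name in MEMFD_NAMES})
    return hits

def read_proc_exe_links() -> Dict[int, str]:
    """Collect /proc/<pid>/exe targets on a live Linux host; unreadable entries are skipped."""
    links = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                pass
    return links

if __name__ == "__main__":
    # constructed sample, not telemetry from a real infection
    sample = {1: "/usr/lib/systemd/systemd", 4242: "/memfd:tgt (deleted)",
              4243: "/memfd:wpn (deleted)", 4300: "/usr/bin/bash"}
    for hit in find_memfd_processes(sample):
        print(hit)
    print("kernel < 5.7:", kernel_vulnerable(os.uname().release))
```

On a live host, pass `read_proc_exe_links()` to `find_memfd_processes()` instead of the sample; a hit on a non-PUMAKIT memfd name is not proof of compromise, since some legitimate loaders also execute from memfd.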