SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware
Search
Story image
#
Malware
#
Advanced Persistent Threat Protection
#
Cybersecurity

Elastic identifies stealthy malware toolkit named PUMAKIT

Today
Author image
By Imee Dequito, Editor

Elastic Security Labs has identified a new malware known as PUMAKIT, described as an advanced malware analysis toolkit.

PUMAKIT is classified as a sophisticated loadable kernel module (LKM) rootkit and is known to use advanced stealth mechanisms. These allow the malware to remain undetected while maintaining communication with command-and-control servers. As part of its design, PUMAKIT features a multi-stage architecture, incorporating components such as a dropper, two memory-resident executables, an LKM rootkit module, and a shared object (SO) userland rootkit. "Declawing PUMAKIT: Elastic's newly launched PUMAKIT analysis toolkit provides researchers with powerful tools to identify, investigate, and defend against emerging threats like GOSAR. With PUMAKIT, security teams gain critical insights into malware behaviors and effective defense strategies, ensuring they remain ahead of attackers," said an official statement.

The discovery of PUMAKIT occurred during a routine threat hunt on VirusTotal when a binary named cron was first uploaded. This binary, along with another artifact, showed 0 detections at the time of upload, raising questions about their stealth characteristics. The embedded strings suggested potential manipulation tactics targeting the vmlinuz kernel package in the boot directory.

PUMAKIT, named after its LKM rootkit component and an SO userland rootkit named Kitsune, starts with a dropper that initiates a process using the cron binary. This process includes two memory-resident executables: one acts as a legitimate Cron binary, while the other serves as a rootkit loader. This loader evaluates system conditions and deploys the LKM rootkit, which interacts with userspace through an embedded SO file.

The kernel module's key functions include privilege escalation, file and self-concealment, communication establishment with C2 servers, and anti-debugging measures. A distinct method employed by this rootkit is its use of syscall hooking, including the unique use of the rmdir() syscall for privilege escalation and concealment purposes.

The rootkit leverages an internal Linux function tracer (ftrace) to hook into syscalls, enabling it to alter core system behaviours. Execution is designed to occur only under certain conditions, such as secure boot checks or kernel symbol availability, ensuring its activation goes unnoticed. Its structure allows it to remain largely undetected by conventional detection systems.

Upon further investigation, PUMAKIT's rootkit loader was found to hide itself by mimicking the /usr/sbin/sshd executable, loading the rootkit only if specific prerequisites are met. A notable technique involves inspecting and processing files based on their compression formats to locate kernel symbols for the rootkit deployment.

In response to this discovery, Elastic Security Labs has formulated several detection and prevention strategies. These include using Elastic and YARA signatures, as well as specific EQL/KQL rules, to identify aspects of the PUMAKIT attack chain. For example, an uncommon event recorded in the syslog indicating a process start with an executable stack is being monitored, capturing suspicious parent-child process interactions and unusual file descriptor executions.

Auditing configurations and queries are set to detect kernel module loading through the Auditd Manager, and various behavioural detection rules have been considered to recognise anomalies in rootkit privilege escalation methods and directory manipulation tactics.

PUMAKIT exemplifies the complex landscape of evolving cyber threats, prompting a need for continuous vigilance and adaptive security measures. "PUMAKIT is a complex and stealthy threat that uses advanced techniques like syscall hooking, memory-resident execution, and unique privilege escalation methods. Its multi-architectural design highlights the growing sophistication of malware targeting Linux systems," concluded the press release from Elastic Security Labs. The impetus is on adapting detection methods to stay ahead in the cyber defence landscape.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
AppOmni highlights evolving SaaS cyber threats for 2025
Ransomware report reveals evolving threat landscape in 2024
CrowdStrike survey reveals shift to GenAI in cybersecurity
Spearphishing identified as leading threat to utilities
Elastic Security's top three cybersecurity predictions for 2025
Top stories
Safety tech sector sees $6.3 billion investment rise
Cohesity completes merger with Veritas, becomes largest data protection software provider
GitGuardian unveils strategy to protect non-human identities
Elastic Security Labs reveals new GOSAR backdoor threat
Exclusive: Orro's Manuel Salazar discusses shaping cyber security careers