Declawing PUMAKIT

Dec. 16, 2024, 2:03 p.m.

Description

PUMAKIT is a sophisticated multi-stage Linux malware consisting of a dropper, memory-resident executables, an LKM rootkit, and a userland rootkit. It employs advanced stealth techniques to hide its presence and maintain C2 communication. The rootkit hooks 18 syscalls and kernel functions using ftrace to manipulate system behavior, including hiding files, privilege escalation, and anti-debugging. It uses unconventional methods like the rmdir syscall for interaction. The malware checks for specific conditions before activating and embeds all components within the dropper. Key capabilities include privilege escalation, file/directory hiding, anti-debugging, and C2 communication.

External References

https://www.elastic.co/security-labs/declawing-pumakit
https://otx.alienvault.com/pulse/676020a02088bf857745b258
Tags
rootkit
privilege escalation
2024-12-16
pumakit
kitsune
syscall hooking

Date

  • Created: Dec. 16, 2024, 12:44 p.m.
  • Published: Dec. 16, 2024, 12:44 p.m.
  • Modified: Dec. 16, 2024, 2:03 p.m.

Indicators

  • Linux_Trojan_Pumakit
  • cb070cc9223445113c3217f05ef85a930f626d3feaaea54d8585aaed3c2b3cfe
  • bc9193c2a8ee47801f5f44beae51ab37a652fda02cd32d01f8e88bb793172491
  • bbf0fd636195d51fb5f21596d406b92f9e3d05cd85f7cd663221d7d3da8af804
  • 8ef63f9333104ab293eef5f34701669322f1c07c0e44973d688be39c94986e27
  • 8ad422f5f3d0409747ab1ac6a0919b1fa8d83c3da43564a685ae4044d0a0ea03
  • 71cc6a6547b5afda1844792ace7d5437d7e8d6db1ba995e1b2fb760699693f24
  • 1aab475fb8ad4a7f94a7aa2b17c769d6ae04b977d984c4e842a61fb12ea99f58
  • 30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f
  • 89.23.113.204
  • sec.opsecurity1.art
  • rhel.opsecurity1.art
Download all indicators here!

Attack Patterns

  • PUMAKIT
  • Kitsune