Declawing PUMAKIT
Dec. 16, 2024, 2:03 p.m.
Tags
External References
Description
PUMAKIT is a multi-stage Linux malware family consisting of a dropper, memory-resident executables, a loadable kernel module (LKM) rootkit, and a userland rootkit (the Kitsune shared object, loaded through the dynamic linker). Every component is embedded in the dropper, and the kernel component only activates after checking conditions on the host, such as whether Secure Boot is enabled and whether the kernel symbols it needs are available. Once loaded, the rootkit uses ftrace to hook 18 syscalls plus several kernel functions (credential-handling routines among them), which it uses to hide files and directories, hide its own presence, escalate privileges, and defeat debugging. Instead of a device node or ioctl interface, the userland components talk to the rootkit by issuing the rmdir() syscall with specially formed arguments, which the hooked handler intercepts to grant root or trigger other actions. The userland side also maintains C2 communication with the infrastructure listed under Indicators.
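Three of the behaviours described above leave host-visible traces that can be checked without kernel-level tooling: functions with ftrace hooks attached are listed in tracefs (enabled_functions), an LKM that unlinks itself from the module list usually still has its /sys/module entry, and executables created with memfd_create() resolve to /memfd:… in /proc/<pid>/exe. The following hunting script is an added example written for this page; it is not Elastic's tooling, not the malware's code, and not a verified list of PUMAKIT's hooks. The watchlist of function names is an assumption derived from the description (rmdir as the command channel, directory listing for file hiding, credential functions for privilege escalation), and all sample inputs are constructed.

```python
"""Host checks for ftrace-based LKM rootkits (added example, not from the original report)."""
import os
import re
from pathlib import Path

# Assumption: symbols a rootkit matching the description would plausibly hook.
# This is NOT the actual PUMAKIT hook list; tune it to the report you are working from.
WATCHLIST = {"rmdir", "getdents", "getdents64", "kill",
             "prepare_creds", "commit_creds", "filldir", "filldir64"}
SYSCALL_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__arm64_sys_", "sys_")
# enabled_functions lines start with "<symbol> (<attach count>) <flags> ..."
ENABLED_LINE = re.compile(r"^(\S+)\s+\((\d+)\)")


def strip_syscall_prefix(sym):
    for p in SYSCALL_PREFIXES:
        if sym.startswith(p):
            return sym[len(p):]
    return sym


def parse_enabled_functions(text):
    """Parse /sys/kernel/tracing/enabled_functions: every kernel function that
    currently has ftrace_ops attached, with its attach count. With no tracer,
    kprobe or live patch active this file is empty."""
    hooked = {}
    for line in text.splitlines():
        m = ENABLED_LINE.match(line.strip())
        if m:
            hooked[m.group(1)] = int(m.group(2))
    return hooked


def suspicious_hooks(hooked):
    """Hooked symbols that are syscall entry points or on the watchlist."""
    return sorted(s for s in hooked
                  if strip_syscall_prefix(s) != s or s in WATCHLIST)


def parse_proc_modules(text):
    """Module names from /proc/modules (first field per line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_modules(proc_names, sys_names):
    """Loaded modules present in /sys/module but missing from /proc/modules.
    sys_names must contain only entries that have an 'initstate' file, because
    built-in code with parameters also gets a /sys/module directory."""
    return sorted(set(sys_names) - set(proc_names))


def memfd_processes(exe_links):
    """exe_links: {pid: readlink('/proc/<pid>/exe')}. A binary created with
    memfd_create() and executed via execveat/fexecve resolves to '/memfd:<name> (deleted)'."""
    return sorted((pid, t) for pid, t in exe_links.items() if t.startswith("/memfd:"))


def hunt(enabled_text, proc_modules_text, sys_module_names, exe_links):
    return {
        "ftrace_hooks": suspicious_hooks(parse_enabled_functions(enabled_text)),
        "hidden_modules": hidden_modules(parse_proc_modules(proc_modules_text), sys_module_names),
        "memfd_processes": memfd_processes(exe_links),
    }


def collect_live():
    """Gather the same inputs from the running host (root is needed for tracefs)."""
    enabled = ""
    for p in ("/sys/kernel/tracing/enabled_functions",
              "/sys/kernel/debug/tracing/enabled_functions"):
        try:
            enabled = Path(p).read_text()
            break
        except OSError:
            continue
    try:
        proc_mods = Path("/proc/modules").read_text()
    except OSError:
        proc_mods = ""
    sys_dir = Path("/sys/module")
    sys_mods = [d.name for d in sys_dir.iterdir() if (d / "initstate").exists()] if sys_dir.is_dir() else []
    links = {}
    for d in Path("/proc").iterdir():
        if d.name.isdigit():
            try:
                links[int(d.name)] = os.readlink(d / "exe")
            except OSError:
                continue
    return hunt(enabled, proc_mods, sys_mods, links)


# Constructed samples: an infected-looking host. Names are illustrative only.
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_rmdir (1) R I  tramp: 0xffffffffc0a8d000
__x64_sys_getdents64 (1) R I  tramp: 0xffffffffc0a8d000
__x64_sys_kill (1) R I  tramp: 0xffffffffc0a8d000
prepare_creds (1) R I  tramp: 0xffffffffc0a8d000
commit_creds (1) R I  tramp: 0xffffffffc0a8d000
vfs_read (1) R I  tramp: 0xffffffffc0a8d000
"""
SAMPLE_PROC_MODULES = "xt_conntrack 16384 1 - Live 0x0000000000000000\nnf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000\n"
SAMPLE_SYS_MODULES = ["xt_conntrack", "nf_conntrack", "puma"]
SAMPLE_EXE_LINKS = {1: "/usr/lib/systemd/systemd", 4242: "/memfd:tgt (deleted)", 4243: "/usr/bin/bash"}

if __name__ == "__main__":
    for key, value in collect_live().items():
        print(key, value)
```

Any hit from suspicious_hooks needs triage rather than an automatic verdict: perf, kprobe-based eBPF programs and kernel live patches also register ftrace_ops and will appear in enabled_functions. A syscall handler hooked with a trampoline in module address space while no tracing tool is running, combined with a module that is in /sys/module but not in /proc/modules, is the pattern worth escalating.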
Date
Published: Dec. 16, 2024, 12:44 p.m.
Created: Dec. 16, 2024, 12:44 p.m.
Modified: Dec. 16, 2024, 2:03 p.m.
Indicators
YARA rule: Linux_Trojan_Pumakit
SHA-256 file hashes:
cb070cc9223445113c3217f05ef85a930f626d3feaaea54d8585aaed3c2b3cfe
bc9193c2a8ee47801f5f44beae51ab37a652fda02cd32d01f8e88bb793172491
bbf0fd636195d51fb5f21596d406b92f9e3d05cd85f7cd663221d7d3da8af804
8ef63f9333104ab293eef5f34701669322f1c07c0e44973d688be39c94986e27
8ad422f5f3d0409747ab1ac6a0919b1fa8d83c3da43564a685ae4044d0a0ea03
71cc6a6547b5afda1844792ace7d5437d7e8d6db1ba995e1b2fb760699693f24
1aab475fb8ad4a7f94a7aa2b17c769d6ae04b977d984c4e842a61fb12ea99f58
30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f
IPv4 address (C2): 89.23.113.204
Domains (C2):
sec.opsecurity1.art
rhel.opsecurity1.art
Attack Patterns
PUMAKIT (malware family)
Kitsune (userland rootkit component)
T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid
T1078.001 Valid Accounts: Default Accounts
T1014 Rootkit
T1497 Virtualization/Sandbox Evasion
T1036.005 Masquerading: Match Legitimate Name or Location
T1070.004 Indicator Removal: File Deletion
T1562.001 Impair Defenses: Disable or Modify Tools
T1055 Process Injection
T1140 Deobfuscate/Decode Files or Information
T1027 Obfuscated Files or Information