Declawing PUMAKIT
Essential information
- Published
- 16/12/2024 12:44
- Modified
- 16/12/2024 14:03
- Tags
- 2024-12-16 kitsune privilege-escalation pumakit rootkit syscall hooking
- Related entities
- 12 observables, 11 techniques (mitre), 2 malware
Description
PUMAKIT is a sophisticated multi-stage Linux malware consisting of a dropper, memory-resident executables, an LKM rootkit, and a userland rootkit. It employs advanced stealth techniques to hide its presence and maintain C2 communication. The rootkit hooks 18 syscalls and kernel functions using ftrace to manipulate system behavior, including hiding files, privilege escalation, and anti-debugging. It uses unconventional methods like the rmdir syscall for interaction. The malware checks for specific conditions before activating and embeds all components within the dropper. Key capabilities include privilege escalation, file/directory hiding, anti-debugging, and C2 communication.