PUMAKIT is a sophisticated multi-stage Linux malware family consisting of a dropper, memory-resident executables, a loadable kernel module (LKM) rootkit, and a userland rootkit. It employs advanced stealth techniques to hide its presence and maintain C2 communication. The kernel rootkit hooks 18 syscalls and kernel functions via ftrace to manipulate system behavior, including hiding files, escalating privileges, and resisting debugging. It uses unconventional methods, such as the rmdir syscall, as its interaction channel. The malware checks for specific conditions before activating, and all components are embedded within the dropper. Key capabilities include privilege escalation, file and directory hiding, anti-debugging, and C2 communication.

Author: AlienVault
Related Tags:
Kitsune
PUMAKIT
T1574.006
privilege escalation
T1078.001
T1548.001
T1036.005
T1070.004
T1562.001
Associated Indicators: