Threat actors have been leveraging the new Pumakit rootkit malware to facilitate covert privilege escalation intrusions against Linux systems, according to BleepingComputer.
Attacks with Pumakit begin with a cron dropper that executes the '/memfd:tgt' and '/memfd:wpn' payloads; the former eventually launches the 'puma.ko' LKM rootkit module, which loads only after checking secure boot status and scanning kernel symbols, according to a report from Elastic Security. Puma then leverages more than a dozen syscalls and kernel functions to escalate privileges, execute commands, and hide its malicious activity. "The LKM rootkit's ability to manipulate system behavior begins with its use of the syscall table and its reliance on kallsyms_lookup_name() for symbol resolution. Unlike modern rootkits targeting kernel versions 5.7 and above, the rootkit does not use kprobes, indicating it is designed for older kernels," said Elastic researchers Remco Sprooten and Ruben Groenewoud.
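The '/memfd:tgt' and '/memfd:wpn' names in the report indicate payloads executed from anonymous in-memory files rather than from files on disk, which leaves a visible trace: the process's `/proc/<pid>/exe` link resolves to a `/memfd:<name> (deleted)` target instead of a filesystem path. The following detection script is an added example written for this page, not code from BleepingComputer or Elastic; the only names taken from the article are `tgt` and `wpn`, and the sample process table is constructed for illustration.

```python
"""Flag Linux processes whose executable image is backed by an anonymous memfd.

Added example (not from the article). The kernel renders a memfd-backed
executable in /proc/<pid>/exe as "/memfd:<name> (deleted)"; a regular binary
that was merely replaced on disk shows its real path plus " (deleted)", so the
"/memfd:" prefix is the discriminator, not the "(deleted)" suffix.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Matches "/memfd:<name>" with or without the trailing " (deleted)" marker.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def classify_exe_target(target: str) -> Optional[str]:
    """Return the memfd name if `target` is a memfd-backed path, else None."""
    match = MEMFD_RE.match(target)
    return match.group("name") if match else None


def find_memfd_processes(entries: Iterable[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Given (pid, exe_link_target) pairs, return (pid, memfd_name) for each hit."""
    hits = []
    for pid, target in entries:
        name = classify_exe_target(target)
        if name is not None:
            hits.append((pid, name))
    return hits


def read_proc_exe_links() -> List[Tuple[int, str]]:
    """Collect (pid, readlink('/proc/<pid>/exe')) for every numeric /proc entry.

    Linux only; reading another user's exe link needs privilege, and entries
    that cannot be read (or that exited mid-scan) are skipped rather than fatal.
    """
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            out.append((int(entry), os.readlink(f"/proc/{entry}/exe")))
        except OSError:
            continue
    return out


# Constructed sample of readlink() results; not captured from a real host.
SAMPLE_PROC = [
    (1, "/usr/lib/systemd/systemd"),
    (612, "/usr/sbin/cron"),
    (4411, "/memfd:tgt (deleted)"),              # memfd-backed: flag
    (4412, "/memfd:wpn (deleted)"),              # memfd-backed: flag
    (4500, "/usr/bin/python3.11 (deleted)"),     # binary upgraded on disk: benign
]


if __name__ == "__main__":
    print("Sample table:")
    for pid, name in find_memfd_processes(SAMPLE_PROC):
        print(f"  pid {pid}: executable backed by memfd {name!r}")
    if os.path.isdir("/proc"):
        print("Live scan of this host:")
        for pid, name in find_memfd_processes(read_proc_exe_links()):
            print(f"  pid {pid}: executable backed by memfd {name!r}")
```

A memfd-backed executable is not malicious by itself (some packers and sandboxes use the same mechanism), so treat a hit as a triage lead to be correlated with the parent process (a cron child, in the scenario above) and with any unexpected kernel module, rather than as a verdict on its own.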