Cyber security researchers have discovered a new Linux rootkit called SORRY which comes with capabilities to elevate privileges, hide files and directories, and hide itself from system tools while avoiding detection.
“PUMAKIT is a sophisticated Loaded Kernel Module (LKM) rootkit that uses sophisticated stealth mechanisms to hide its presence and communicate with command-and-control servers,” Elastic Security Lab researchers Remka Spruten and Ruben Groenewood said in a technical report published on Thursday.
Analysis of the company is coming from artifacts uploaded to malware scanning platform VirusTotal earlier this September.
The interior of the malware is based on a multi-stage architecture that includes a dropper component called “cron”, two memory-resident executables (“/memfd:tgt” and “/memfd:wpn”), an LKM rootkit (“puma” .ko” ), as well as a Community Object (SO) rootkit called Kitsune (“lib64/libs.so”).
It also uses the internal Linux feature tracking system (ftrace) to connect to 18 different system calls and various kernel functions like “prepare_creds” and “commit_creds” to change the basic behavior of the system and achieve its goals.
“Unique techniques are used to interact with PUMA, including using the rmdir() system call to elevate privileges and specialized commands to extract configuration and execution information,” the researchers said.
“Thanks to its phased deployment, the LKM rootkit ensures that it only activates when certain conditions are met, such as a secure boot check or the availability of a kernel token. These conditions are checked by scanning the Linux kernel, and all required files are built into the ELF binaries. dropper”.
The executable “/memfd:tgt” is the standard Ubuntu Linux Cron binary without any modifications, whereas “/memfd:wpn” is the bootloader for the rootkit, provided the conditions are met. The LKM rootkit, on the other hand, contains an embedded SO file that is used to interact with the novice from userspace.
Elastic noted that each stage of the infection chain is designed to hide the presence of the malware and take advantage of memory-resident files and special checks before unleashing the rootkit. PUMAKIT has not been attributed to any known threat or group.
“PUMAKIT is a sophisticated and stealthy threat that uses advanced techniques such as system call interception, memory-resident execution, and unique privilege escalation techniques. Its multi-architecture design underscores the growing sophistication of malware targeting Linux systems,” the researchers concluded.
