PUMA Rootkit Deployment
Initial Deployment
The dropper creates two in-memory executables: /memfd:tgt, a harmless cron binary, and /memfd:wpn, a rootkit loader. The loader evaluates the environment, executes additional payloads, and prepares the system for rootkit deployment.
Script Execution
A temporary script, script.sh, is executed from /tmp to finalize the deployment of the PUMA kernel rootkit module. The rootkit embeds Kitsune SO to facilitate userland interactions, ensuring a seamless and stealthy infection process.
Kernel Module Features
The kernel module’s main features include:
- Elevating privileges
- Hiding files and directories
- Evading detection by system tools
- Implementing anti-debugging techniques
- Enabling communication with command-and-control (C2) servers
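Two of the artifacts described above (the /memfd:tgt and /memfd:wpn in-memory executables, and a kernel module that hides itself from system tools) leave traces a defender can check for from userland. The following Linux triage script is an added example written for this page, not code from the PUMA analysis or from any vendor tool: it flags processes whose main executable is backed by an anonymous memfd, and it lists loadable modules that have a /sys/module entry but no line in /proc/modules. The sample process table and module listings are constructed for the offline run, and the module name suspicious_mod is a placeholder; the live scan at the bottom reads the real /proc and /sys when the file is executed directly.

```python
import os
import re

# Constructed sample data for this example (not observations from PUMA).
# Values mimic what readlink("/proc/<pid>/exe") returns; memfd-backed
# executables appear as "/memfd:<name> (deleted)".
SAMPLE_PROCESSES = {
    1: "/usr/lib/systemd/systemd",
    742: "/usr/sbin/cron",
    913: "/memfd:tgt (deleted)",
    914: "/memfd:wpn (deleted)",
    1200: "/usr/bin/bash",
}

# Constructed /proc/modules text and the loadable-module names seen under
# /sys/module. "suspicious_mod" is a placeholder, not a real PUMA name.
SAMPLE_PROC_MODULES = """\
xfs 1622016 1 - Live 0xffffffffc0a00000
ext4 950272 2 - Live 0xffffffffc0700000
"""
SAMPLE_SYS_LOADABLE = ["xfs", "ext4", "suspicious_mod"]

MEMFD_RE = re.compile(r"^/memfd:")


def memfd_backed(processes):
    """Return {pid: exe} for processes whose executable lives in a memfd.
    Some runtimes and JITs use memfd legitimately, so hits are triage leads,
    not verdicts; an unknown memfd name paired with a cron-like process is
    worth a closer look."""
    return {pid: exe for pid, exe in processes.items() if MEMFD_RE.match(exe)}


def parse_proc_modules(text):
    """Module names are the first whitespace-separated field of each line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_module_candidates(proc_modules_text, sys_loadable_names):
    """Loadable modules visible in /sys/module but missing from /proc/modules.
    A module that unlinks itself from the kernel's module list (so lsmod and
    /proc/modules no longer show it) often still has its sysfs kobject. The
    check is one-directional: a rootkit that also removes its sysfs entry
    will not be caught here, so an empty result is not a clean bill."""
    listed = parse_proc_modules(proc_modules_text)
    return {name for name in sys_loadable_names if name not in listed}


def live_processes():
    """Read /proc/<pid>/exe for every process we are allowed to inspect."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            procs[int(entry)] = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # kernel thread, exited process, or permission denied
    return procs


def live_loadable_modules():
    """Only loadable modules have /sys/module/<name>/initstate; built-in
    kernel components appear in /sys/module too but never in /proc/modules,
    so they are excluded to avoid false positives."""
    return [n for n in os.listdir("/sys/module")
            if os.path.exists(f"/sys/module/{n}/initstate")]


def live_proc_modules():
    with open("/proc/modules") as f:
        return f.read()


if __name__ == "__main__":
    for pid, exe in sorted(memfd_backed(live_processes()).items()):
        print(f"memfd-backed process: pid={pid} exe={exe}")
    for name in sorted(hidden_module_candidates(live_proc_modules(),
                                                live_loadable_modules())):
        print(f"in /sys/module but not /proc/modules: {name}")
```

Run it as root so /proc/<pid>/exe is readable for every process. Because a kernel rootkit can hook the very syscalls this script relies on, treat its output as one signal among several and corroborate from outside the host where possible (for example from a forensic image or a hypervisor-level view).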
Conclusion
The PUMA rootkit deployment process involves the creation of in-memory executables, script execution, and the deployment of a kernel rootkit module. The module’s features enable it to evade detection and establish communication with command-and-control servers, making it a sophisticated and stealthy rootkit.
FAQs
Q: What is the purpose of the dropper in the PUMA rootkit deployment?
A: The dropper creates in-memory executables to prepare the system for rootkit deployment.
Q: What is the role of Kitsune SO in the PUMA rootkit?
A: Kitsune SO facilitates userland interactions and ensures a seamless and stealthy infection process.
Q: What are the main features of the PUMA kernel rootkit module?
A: The module’s main features include elevating privileges, hiding files and directories, evading detection by system tools, implementing anti-debugging techniques, and enabling communication with command-and-control (C2) servers.