One Article Review

Home - The article:
Source RiskIQ
Identifier 8624715
Publication date 2024-12-13 18:00:57 (viewed: 2024-12-13 19:08:34)
Title Declawing PUMAKIT
Text
## Snapshot
Researchers at Elastic Security Labs released a report detailing PUMAKIT, an advanced malware family with a multi-stage architecture designed to evade detection and maintain control over infected systems.

## Description
The chain begins with a dropper (cron) that initiates malware execution, creating two memory-resident executables that operate entirely in memory and leave no traces on disk. These executables work together to deploy a kernel-level rootkit (LKM) and a userland rootkit (SO), enabling the malware to manipulate system behavior stealthily. The rootkit component, known as "PUMA," employs ftrace to hook 18 system calls and kernel functions, allowing it to hide files, processes, and itself while facilitating privilege escalation and communication with command-and-control (C2) servers. Notably, it leverages unconventional methods, such as the rmdir() syscall, for privileged operations and system interaction. Its functionality also includes anti-debugging measures and precise checks on system conditions, such as secure boot status and kernel symbol availability, before activation.

PUMAKIT's fileless execution is achieved with the memfd_create syscall, which lets binaries exist only in memory. It uses the execveat() syscall to execute payloads directly from memory, further complicating detection and forensic analysis. The loader mimics legitimate processes, such as sshd, to blend into the system and executes shell scripts only when predefined criteria are met. The LKM rootkit uses the syscall table and the now-unexported kallsyms_lookup_name() function for symbol resolution, targeting older Linux kernel versions. Its capabilities include privilege escalation, file and process hiding, and syscall manipulation to achieve stealth and persistence.

According to Elastic Security Labs, PUMAKIT demonstrates a sophisticated approach to malware design, employing a highly modular and conditional activation strategy to avoid detection.

## Microsoft Analysis and Additional OSINT Context
Fileless malware, also called memory-based malware, presents a significant challenge for security teams because it evades traditional detection methods. Unlike conventional malware, fileless malware does not rely on files stored on disk, which makes it difficult for signature-based antivirus, sandboxing, and machine learning-based analysis to detect. This type of malware often operates within trusted, legitimate programs such as PowerShell or Windows scripting tools, leveraging them to carry out malicious activity without leaving a trace on disk. By exploiting the trust placed in these whitelisted applications, fileless malware can move laterally across networks, avoid suspicion, and remain undetected for extended periods. This stealthy behavior makes it particularly insidious and effective, allowing attackers to maintain persistence and execute their objectives while bypassing most security defenses. Read [Now you see me: Exposing fileless malware](https://www.microsoft.com/en-us/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/) and [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) on Microsoft's Security Blog to learn more about how Microsoft's security solutions can be used to combat fileless malware.

## Recommendations
[Windows Defender AV](https://www.microsoft.com/en-us/windows/windows-defender?ocid=cx-blog-mmpc) blocks the vast majority of malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models.

Windows Defender AV protects against fileless malware through these capabilities:
- Detecting script-based techniques by leveraging [AMSI](https://blogs.technet.microsoft.com/mmpc/2015
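A defender-side check for the memfd_create()/execveat() pattern described above, added here as an example and not part of the original report or of Elastic's tooling. It relies only on standard Linux /proc semantics; the sample process table at the bottom is constructed, and the helper names are my own.

```python
import os
from typing import Dict, List, Optional, Tuple

# On Linux, /proc/<pid>/exe is a symlink to the running image. A binary created with
# memfd_create() (the in-memory pattern the report attributes to PUMAKIT) resolves to
# "/memfd:<name> (deleted)" because it never had a path on disk; a binary that was
# unlinked after launch resolves to "<path> (deleted)".
MEMFD_PREFIX = "/memfd:"
DELETED_SUFFIX = " (deleted)"


def classify_exe(exe_target: str) -> Optional[str]:
    """Return 'memfd', 'unlinked' or None for one resolved /proc/<pid>/exe target."""
    if exe_target.startswith(MEMFD_PREFIX):
        return "memfd"
    if exe_target.endswith(DELETED_SUFFIX):
        return "unlinked"
    return None


def find_fileless(exe_by_pid: Dict[int, str], comm_by_pid: Dict[int, str]) -> List[dict]:
    """Flag processes whose image lives only in memory, recording the process name so an
    analyst can spot a loader posing as a daemon (the report mentions sshd)."""
    hits = []
    for pid in sorted(exe_by_pid):
        kind = classify_exe(exe_by_pid[pid])
        if kind is None:
            continue
        hits.append({"pid": pid, "kind": kind, "comm": comm_by_pid.get(pid, "?"),
                     "exe": exe_by_pid[pid]})
    return hits


def read_proc() -> Tuple[Dict[int, str], Dict[int, str]]:
    """Collect exe targets and comm names for every visible process (Linux only)."""
    exes, comms = {}, {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exes[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/comm") as f:
                comms[int(entry)] = f.read().strip()
        except OSError:  # kernel threads and processes we lack permission to inspect
            continue
    return exes, comms


# Constructed sample (not real telemetry): a memfd-backed process calling itself sshd
# and an unlinked binary, alongside two ordinary daemons.
SAMPLE_EXES = {1: "/usr/lib/systemd/systemd", 812: "/usr/sbin/sshd",
               4411: "/memfd:sshd (deleted)", 4412: "/tmp/updater (deleted)"}
SAMPLE_COMMS = {1: "systemd", 812: "sshd", 4411: "sshd", 4412: "updater"}

if __name__ == "__main__":
    exes, comms = read_proc() if os.path.isdir("/proc") else (SAMPLE_EXES, SAMPLE_COMMS)
    for hit in find_fileless(exes, comms):
        print(hit)
```

A rootkit that hooks the relevant syscalls can hide its own PIDs from /proc, so treat an empty result as "nothing visible", and cross-check against kernel-side telemetry where it is available.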
Notes ★★
Sent Yes
Tags Malware Tool Threat
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.