The dropper creates two executables in memory, reached through anonymous memfd file descriptors rather than files on disk: /memfd:tgt, a harmless cron binary used as a decoy, and /memfd:wpn, the rootkit loader. The loader checks its environment, executes additional payloads, and prepares the system for the rootkit.
A temporary script, script.sh, is then run from /tmp to complete the deployment of the PUMA kernel rootkit module. The kernel module embeds the Kitsune shared object (SO), which handles userland interaction, so the infection proceeds from dropper to kernel to userland without leaving the usual on-disk artefacts.
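Two of the steps above leave traces that are easy to hunt for on a live host: an executable backed by an anonymous memfd shows up in /proc/<pid>/exe as "/memfd:<name> (deleted)", and a script launched from /tmp shows up in /proc/<pid>/cmdline. The hunt below is an added example, not code from the article or from the PUMAKIT research; the PIDs, command lines and SAMPLE_SNAPSHOT are constructed, and the names tgt and wpn are reused only because the article reports them.

```python
"""Hunt for memfd-backed executables and /tmp-launched scripts via /proc.

Added example, not code from the original article or the PUMAKIT research.
The sample snapshot below is constructed for illustration.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# An executable created with memfd_create() appears in /proc/<pid>/exe as
# "/memfd:<name>", with " (deleted)" appended once nothing else references it.
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>\S+?)(?: \(deleted\))?$")

# An interpreter running a script stored under /tmp, e.g. "/bin/sh /tmp/script.sh".
TMP_SCRIPT = re.compile(r"(?:^|\s)/tmp/\S+\.sh(?:\s|$)")


def memfd_name(exe_target: str) -> Optional[str]:
    """Return the memfd name if exe_target is an anonymous in-memory executable."""
    m = MEMFD_EXE.match(exe_target)
    return m.group("name") if m else None


def launched_from_tmp(cmdline: str) -> bool:
    """True if the command line references a .sh script under /tmp."""
    return bool(TMP_SCRIPT.search(cmdline))


def hunt(snapshot: Iterable[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """snapshot: (pid, readlink('/proc/<pid>/exe'), cmdline) triples.

    Returns one finding per suspicious indicator, tagged with its reason.
    """
    findings: List[Dict[str, object]] = []
    for pid, exe, cmdline in snapshot:
        name = memfd_name(exe)
        if name is not None:
            findings.append({"pid": pid, "reason": "memfd_exe", "detail": name})
        if launched_from_tmp(cmdline):
            findings.append({"pid": pid, "reason": "tmp_script", "detail": cmdline})
    return findings


def live_snapshot() -> Iterable[Tuple[int, str, str]]:
    """Read the real /proc (Linux only; root is needed to see other users' exe links)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited, or not readable at this privilege level
        yield int(entry), exe, cmdline


# Constructed snapshot: a decoy and a loader both claiming to be cron, the real
# on-disk cron, and a shell running a script out of /tmp.
SAMPLE_SNAPSHOT = [
    (1, "/usr/lib/systemd/systemd", "/sbin/init"),
    (2345, "/memfd:tgt (deleted)", "/usr/sbin/cron -f"),
    (2346, "/memfd:wpn (deleted)", "/usr/sbin/cron -f"),
    (2350, "/usr/sbin/cron", "/usr/sbin/cron -f"),
    (2351, "/usr/bin/dash", "/bin/sh /tmp/script.sh"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SNAPSHOT):
        print(finding)
```

Note that the command line alone does not separate the decoy and the loader from the genuine cron: all three report "/usr/sbin/cron -f". Only the exe link gives them away, which is why a hunt should key on /proc/<pid>/exe rather than on process names. Replace SAMPLE_SNAPSHOT with live_snapshot() to run it against a real host.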
The main capabilities of the kernel module include privilege escalation, hiding files and directories, evading detection by system tools, anti-debugging techniques, and communication with command and control (C2) servers, the researchers added.