The dropper creates two in-memory executables: /memfd:tgt, a innocent cron binary, and /memfd:wpn, a rootkit loader. The loader evaluates the atmosphere, executes further payloads, and prepares the system for rootkit deployment.
A brief script, script.sh, is executed from /tmp to finalize the deployment of the PUMA kernel rootkit module. The rootkit embeds Kitsune SO to facilitate userland interactions, guaranteeing a seamless and stealthy an infection course of.
The kernel module’s most important options embrace elevating privileges, hiding recordsdata and directories, evading detection by system instruments, implementing anti-debugging strategies, and enabling communication with command-and-control (C2) servers, the researchers added.