Declawing PUMAKIT

PUMAKIT isn’t your everyday piece of malware—it’s a cunning Linux rootkit that stays hidden in plain sight. Through a mix of memory-only binaries, loadable kernel modules, and clever syscall hooking, it achieves deep system infiltration without leaving obvious footprints behind. Unlike traditional rootkits, PUMAKIT twists even the simplest commands to its advantage, using tactics like hooking the rmdir() syscall for privilege escalation. It’s also not shy about communicating with remote command-and-control servers, ensuring it remains well-managed and flexible over time. ...

December 12, 2024 · Remco Sprooten
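A practitioner reading the summary above will want a first-pass check for the "hidden loadable kernel module" behaviour it describes. The following is an added example, not code from the Elastic post and not PUMAKIT's own code or Elastic's detection logic: it applies a generic heuristic in which a module unlinked from the kernel's module list disappears from /proc/modules (and therefore from lsmod) but, unless the rootkit also tears down its kobject, still has a directory under /sys/module with an initstate file. It also flags modules whose /proc/modules taint field marks them out-of-tree (O), unsigned (E) or force-loaded (F). The sample /proc/modules text and sysfs listing are constructed for the example; the module name rk_example is a placeholder, not a real identifier.

```python
#!/usr/bin/env python3
"""Hidden-LKM heuristic (added example, not the Elastic post's own code).

A module removed from the kernel module list no longer shows up in
/proc/modules, but its sysfs directory /sys/module/<name>/ usually survives.
Loaded (non-builtin) modules are the ones with an 'initstate' file; builtin
modules also get /sys/module entries (for their parameters) but no initstate.
"""
from __future__ import annotations
import os

# Constructed sample in /proc/modules format: name size refcnt deps state addr [(taint)]
PROC_MODULES_SAMPLE = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a01000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc09c0000
vboxdrv 614400 0 - Live 0xffffffffc0b00000 (OE)
"""

# Constructed /sys/module listing: name -> whether /sys/module/<name>/initstate exists.
# 'rk_example' is a placeholder for a module that was unlinked from the module list.
SYSFS_SAMPLE = {
    "xt_conntrack": True,
    "nf_conntrack": True,
    "vboxdrv": True,
    "rk_example": True,   # loaded, but absent from /proc/modules -> hidden
    "printk": False,      # builtin: parameters only, no initstate
}

SUSPICIOUS_TAINT = set("OEF")  # out-of-tree, unsigned, forced load


def parse_proc_modules(text: str) -> dict[str, str]:
    """Map module name -> taint flags ('' if none) from /proc/modules text."""
    modules: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        taint = ""
        last = parts[-1]
        if last.startswith("(") and last.endswith(")"):
            taint = last[1:-1]
        modules[parts[0]] = taint
    return modules


def hidden_modules(proc_modules: dict[str, str], sysfs: dict[str, bool]) -> list[str]:
    """Loaded modules visible in sysfs (initstate present) but missing from /proc/modules."""
    return sorted(name for name, loaded in sysfs.items()
                  if loaded and name not in proc_modules)


def suspicious_taint(proc_modules: dict[str, str]) -> dict[str, str]:
    """Modules whose taint flags include out-of-tree, unsigned or forced-load markers."""
    return {name: taint for name, taint in proc_modules.items()
            if SUSPICIOUS_TAINT & set(taint)}


def scan_live_system() -> tuple[list[str], dict[str, str]]:
    """Run both heuristics against the real /proc/modules and /sys/module."""
    with open("/proc/modules", encoding="utf-8") as fh:
        proc = parse_proc_modules(fh.read())
    sysfs = {
        name: os.path.exists(os.path.join("/sys/module", name, "initstate"))
        for name in os.listdir("/sys/module")
    }
    return hidden_modules(proc, sysfs), suspicious_taint(proc)


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live host if it is Linux.
    sample = parse_proc_modules(PROC_MODULES_SAMPLE)
    print("hidden (sample):", hidden_modules(sample, SYSFS_SAMPLE))
    print("tainted (sample):", suspicious_taint(sample))
    if os.path.isdir("/sys/module") and os.path.exists("/proc/modules"):
        hidden, tainted = scan_live_system()
        print("hidden (live):", hidden)
        print("tainted (live):", tainted)
```

Two caveats apply. A rootkit that removes its sysfs kobject as well as its list entry defeats this check, and the script runs in user space on a kernel that may already be hooking the very reads it depends on, so treat a clean result as weak evidence and a hit as a reason to image the box and inspect it offline.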

An Elastic approach to large-scale dynamic malware analysis

In my work, I’m always looking for ways to scale malware analysis, and Elastic’s recent advancements really stand out. At Elastic Security Labs, we’ve been working on dynamic malware analysis at a large scale using our Detonate framework. The process involves running malware in sandboxed environments and analyzing behavior to extract meaningful insights. In our latest research, we explored techniques like enrichment pipelines, fingerprinting, and automation to handle massive datasets, filtering out noise and identifying malicious activity with precision. ...

July 31, 2023 · Remco Sprooten

NAPLISTENER: More Bad Dreams from the Developers of SIESTAGRAPH

In recent research, we observed a shift in tactics from the threat group behind SIESTAGRAPH, focusing more on establishing persistent access rather than data theft. A new malware variant called NAPLISTENER, an HTTP listener written in C#, is designed to evade network-based detection. NAPLISTENER acts similarly to legitimate services, blending into the background by processing web requests and running commands in memory. ...

June 23, 2023 · Remco Sprooten

SUDDENICON Supply Chain Attack

In recent research, Elastic Security Labs analyzed the SUDDENICON malware, which targeted users of the 3CX VOIP software in a sophisticated supply-chain attack. The attack involved malicious DLLs embedded within the 3CXDesktopApp, which lay dormant for several days before initiating communication with command-and-control servers to download additional payloads. This attack highlights the growing trend of targeting software supply chains to compromise otherwise legitimate applications. For details on how Elastic detected and mitigated this attack, and to see the technical breakdown, check out the full post on the ESL blog: ...

May 5, 2023 · Remco Sprooten

REF2924: How to Maintain Persistence as an Advanced Threat

In a recent update, we explored how the threat group behind SIESTAGRAPH, NAPLISTENER, and SOMNIRECORD maintains persistence in victim environments. Their toolkit includes custom malware, such as .NET webshells, and open-source tools like TFirewall and AdFind. These tools enable the attackers to blend into legitimate processes, establish footholds, and escalate privileges using scheduled tasks, DLL injections, and stealthy HTTP listeners. For a more detailed breakdown of these persistence techniques and insights into how the group evades detection, check out the full post on the ESL blog: ...

March 27, 2023 · Remco Sprooten