Matheus Alves, a security researcher specializing in malware, has published an update to the Singularity project, which develops an open-source rootkit for the Linux kernel, distributed under the MIT license. The project's goal is to demonstrate methods for concealing one's presence after gaining root access and for continuing to perform privileged operations covertly. The authors hope that Singularity will be useful to security researchers for testing and developing rootkit detection and blocking tools.
The rootkit is built as a kernel module for Linux 6.x and uses the ftrace mechanism to intercept system calls covertly, without rewriting system call entry points or patching kernel function code. Singularity can conceal its own presence in the system as well as hide attacker-specified processes, their associated files, and their network activity. For the convenience of researchers, the rootkit's functionality is split into modules.
In addition to the usual techniques for hiding its presence in the system, such as hiding selected processes, files, directories, and kernel modules, Singularity implements several advanced methods to bypass protection mechanisms and evade detection by specialized rootkit scanners such as Falco, ghostscan, tracee, unhide, chkrootkit, and rkhunter. Among other things, Singularity can hide its activity from eBPF-based tools, remove eBPF-based blocks, prevent kernel modules from loading, resist I/O analysis through the io_uring subsystem, and bypass the integrity checks performed by LKRG (Linux Kernel Runtime Guard).
Singularity includes a reverse shell that provides privileged remote access to the system over ICMP packets, as well as handlers that hide a process or escalate privileges in response to specific signals and environment variables. For example, to hide a process from /proc and from the output of utilities such as ps, run "kill -59 <PID>" (59 falls in the real-time signal range); to escalate privileges, set the environment variable "MAGIC=mtz".
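As an added example (this is not Singularity's code, nor code from any of the scanners named above), the following C program implements the classic cross-check that tools such as unhide use to catch a process that has been hidden from the /proc listing: the kernel is asked about every PID via kill(pid, 0), and any task it admits to knowing but that readdir() of /proc does not show is flagged. Thread IDs are filtered by reading the Tgid: line of /proc/<pid>/status, since kill() accepts them but /proc never lists them, and a process that exits mid-scan is discounted by repeating the kill() check. It assumes a Linux host with /proc mounted; the pid_max of 32768 used in main() is an assumption (the Linux default) and should be read from /proc/sys/kernel/pid_max in practice.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum pid_state { PID_ABSENT, PID_VISIBLE, PID_THREAD, PID_HIDDEN };

/* True if the kernel knows a task with this ID: kill(pid, 0) delivers no
 * signal but still reports ESRCH for an unknown ID and EPERM for one we may
 * not signal. kill() also accepts thread IDs, which is why a raw kill()-vs-/proc
 * diff is noisy and Tgid is checked further down. */
static bool pid_alive_by_kill(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return true;
    return errno == EPERM;
}

/* True if readdir() of /proc returns an entry for this PID. This is the view
 * ps, top and most userland tools rely on, and the one a directory-listing
 * hook in a rootkit edits. */
static bool pid_listed_in_proc(pid_t pid)
{
    DIR *d = opendir("/proc");
    if (!d)
        return false;
    bool found = false;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;
        long v = strtol(e->d_name, &end, 10);
        if (*end == '\0' && v == pid) {
            found = true;
            break;
        }
    }
    closedir(d);
    return found;
}

/* Reads the Tgid: line of /proc/<pid>/status; returns -1 if it cannot be read.
 * /proc/<tid>/status is reachable by direct path even for threads that
 * readdir() never lists. */
static pid_t read_tgid(pid_t pid)
{
    char path[64], line[256];
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    pid_t tgid = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Tgid:", 5) == 0) {
            tgid = (pid_t)strtol(line + 5, NULL, 10);
            break;
        }
    }
    fclose(f);
    return tgid;
}

/* Combines the three views. A PID that is alive per kill(), is its own thread
 * group leader (or has no readable status file at all), and is absent from
 * the /proc listing is reported as hidden. The kill() check is repeated after
 * the listing so a process that simply exited during the scan is not flagged. */
static enum pid_state classify_pid(pid_t pid)
{
    if (!pid_alive_by_kill(pid))
        return PID_ABSENT;
    if (pid_listed_in_proc(pid))
        return PID_VISIBLE;
    pid_t tgid = read_tgid(pid);
    if (tgid > 0 && tgid != pid)
        return PID_THREAD;      /* a thread of a listed process: expected */
    if (!pid_alive_by_kill(pid))
        return PID_ABSENT;      /* exited between the two checks */
    return PID_HIDDEN;
}

/* Scans 1..max_pid, stores up to cap hidden PIDs in out and returns the total
 * count found (which may exceed cap). max_pid is a parameter so that callers
 * can pass the value of /proc/sys/kernel/pid_max for their namespace. */
static size_t scan_hidden_pids(pid_t max_pid, pid_t *out, size_t cap)
{
    size_t n = 0;
    for (pid_t pid = 1; pid <= max_pid; pid++) {
        if (classify_pid(pid) == PID_HIDDEN) {
            if (n < cap)
                out[n] = pid;
            n++;
        }
    }
    return n;
}

int main(void)
{
    pid_t hidden[64];
    /* 32768 is assumed here (Linux default pid_max); read the sysctl in real use. */
    size_t n = scan_hidden_pids(32768, hidden, 64);
    for (size_t i = 0; i < n && i < 64; i++)
        printf("hidden: pid %d\n", (int)hidden[i]);
    printf("%zu hidden pid(s)\n", n);
    return n ? 1 : 0;
}
```

Build with `gcc -O2 -Wall -o hidden_pids hidden_pids.c` and run it as root for full coverage. Two caveats a practitioner should keep in mind: a /proc mounted with the hidepid= option deliberately omits other users' processes from the listing and will produce false positives for an unprivileged user, and a rootkit that hooks kill(2) or the /proc/<pid> path lookups as well as the directory listing will not be caught by this check alone, which is why unhide combines several independent syscalls and why the cross-check belongs alongside, not instead of, the eBPF and memory-forensics approaches the article mentions.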
The rootkit hides the reverse shell's traffic from network analyzers and allows SELinux to be bypassed by a handler triggered via ICMP. Singularity can also hide selected network connections from the /proc/net tables (including /proc/net/nf_conntrack), from the SOCK_DIAG and NETFILTER netlink interfaces, and from utilities such as netstat, ss, lsof, tcpdump, and wireshark. Handlers are provided for scrubbing audit messages and logs (klogctl, syslog, systemd-journal, /sys/kernel/debug/tracing/, dmesg). There are filters to counter memory analyzers such as Volatility that rely on /proc/kcore, /proc/kallsyms, and /proc/vmallocinfo, as well as the ability to filter direct access to block devices in order to prevent low-level file system analysis.

Source: opennet.ru
