New Linux EDR Evasion Tool Using io_uring Kernel Feature


A sophisticated new Linux evasion tool called RingReaper has emerged, leveraging the legitimate io_uring kernel feature to bypass modern Endpoint Detection and Response (EDR) systems. 

This advanced red team tool demonstrates how attackers can exploit high-performance asynchronous I/O operations to conduct stealthy operations while remaining undetected by traditional security monitoring mechanisms.

We recently discussed a security vulnerability in Linux’s io_uring that allows attackers to covertly deploy rootkits. The same vulnerability is now being leveraged by a new tool to effectively evade Endpoint Detection and Response (EDR) systems.


Key Takeaways
1. RingReaper exploits the Linux io_uring kernel feature to bypass EDR systems through asynchronous I/O instead of traditional syscalls.
2. It performs network communications and file operations with minimal auditable events, which the report describes as full undetection.
3. Current EDR solutions fail because they monitor standard syscalls rather than io_uring operations.
4. Security teams must implement io_uring-specific monitoring before this technique becomes widespread.

Evasion Technique via io_uring

RingReaper represents a significant evolution in Linux-based evasion techniques by utilizing io_uring, a kernel feature introduced in Linux 5.1 designed for high-performance asynchronous I/O operations. 

Unlike traditional approaches that rely on direct system calls, this tool operates through submission and completion rings, effectively bypassing the syscall-based detection mechanisms that most EDR solutions monitor.

According to the MatheuZ report, the tool’s architecture centers around a few key functions that demonstrate its evasive capabilities. The send_all function exemplifies this approach:

[Screenshot of the send_all function from the report; image not preserved in this copy]

This function demonstrates how network communications occur through io_uring operations rather than traditional send/recv syscalls, making detection significantly more challenging.

RingReaper incorporates sophisticated post-exploitation capabilities, including file operations, process enumeration, and user discovery. The tool’s cmd_privesc function showcases its ability to identify SUID binaries for privilege escalation:

[Screenshot of the cmd_privesc function from the report; image not preserved in this copy]

The tool’s effectiveness stems from EDR systems’ reliance on monitoring traditional syscalls like open, connect, read, and write. 

By utilizing io_uring’s asynchronous batch processing model, RingReaper generates significantly fewer auditable events, making it “Fully Undetectable” (FUD) to current EDR solutions.

Security researchers warn that this technique represents a paradigm shift in Linux malware development. 

The tool’s ability to perform file exfiltration, access sensitive files, and execute commands while remaining undetected highlights critical gaps in current security monitoring approaches.

Defenders must adapt by implementing io_uring-specific monitoring capabilities, potentially through eBPF instrumentation of io_uring_enter syscalls and internal kernel operations. 

As this technique gains popularity among advanced threat actors, security teams should prioritize developing detection mechanisms for io_uring-based evasion techniques before they become mainstream in the Linux malware landscape.
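As an added example (not code from the RingReaper tool or the MatheuZ report), the following Python script gives defenders a quick host inventory of processes holding io_uring instances, which appear as anon_inode:[io_uring] links under /proc/<pid>/fd. It complements rather than replaces the eBPF instrumentation of io_uring_enter described above; the proc_root parameter and the allowlist of known legitimate users are assumptions made for illustration and testing.

```python
"""Triage check: list processes that hold io_uring rings.

Reads /proc directly, so it needs root to inspect other users' processes.
"""
import os
from typing import Dict, Iterable, List, Tuple

# readlink() on an fd backed by an io_uring instance returns this string.
IO_URING_LINK = "anon_inode:[io_uring]"


def io_uring_fds(pid_dir: str) -> List[str]:
    """Return the fd numbers under pid_dir/fd that resolve to an io_uring inode."""
    fd_dir = os.path.join(pid_dir, "fd")
    found: List[str] = []
    try:
        entries = os.listdir(fd_dir)
    except OSError:  # process exited, or fd dir not readable (permissions)
        return found
    for fd in entries:
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:  # fd closed between listdir() and readlink()
            continue
        if target == IO_URING_LINK:
            found.append(fd)
    return sorted(found, key=int)


def read_comm(pid_dir: str) -> str:
    """Return the process name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(pid_dir, "comm"), encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def scan_io_uring_users(proc_root: str = "/proc",
                        allowlist: Iterable[str] = ()) -> Dict[int, Tuple[str, List[str]]]:
    """Map pid -> (comm, [fds]) for processes holding io_uring rings.

    proc_root is parameterised (an assumption for testing against a constructed
    tree); allowlist holds comm names of known legitimate io_uring users.
    """
    hits: Dict[int, Tuple[str, List[str]]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():  # skip self, sys, net, ...
            continue
        pid_dir = os.path.join(proc_root, name)
        fds = io_uring_fds(pid_dir)
        if fds and read_comm(pid_dir) not in allowlist:
            hits[int(name)] = (read_comm(pid_dir), fds)
    return hits


if __name__ == "__main__":
    for pid, (comm, fds) in sorted(scan_io_uring_users().items()):
        print(f"pid={pid} comm={comm} io_uring_fds={','.join(fds)}")
```

Many legitimate programs (database engines, some runtimes) use io_uring, so treat hits as triage leads and maintain the allowlist per host. On kernels 6.6 and newer the kernel.io_uring_disabled sysctl can additionally restrict or disable the interface where it is not needed.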
