A powerful new evasion tool called RingReaper has emerged, demonstrating a major shift in how attackers hide from security software on Linux systems. This sophisticated technique successfully bypasses modern Endpoint Detection and Response (EDR) systems by exploiting a high-performance kernel feature called io_uring.

The Evasion Technique
RingReaper completely sidesteps the primary method EDRs use for detection: monitoring system calls (syscalls).
Instead of using traditional syscalls like read, write, and connect, the tool performs all its malicious operations (such as network communication and file access) through io_uring's asynchronous Input/Output (I/O) operations. This approach is designed for speed but, in this case, allows the attacker to:
- Generate minimal auditable events.
- Operate below the radar of EDR solutions that are only listening for standard syscalls.
Why It Matters
This is considered a paradigm shift in Linux malware. The technique effectively makes RingReaper “Fully Undetectable” (FUD) by current EDRs, allowing attackers to perform sophisticated actions like privilege escalation and data exfiltration without being seen.
Key Takeaways
The Threat: RingReaper is a new Linux tool capable of fully evading EDRs.
The Method: It exploits the io_uring kernel feature to perform operations without using traditional syscalls.
The Gap: Current EDRs only monitor traditional syscalls, leaving a blind spot for io_uring activity.
The Defense: Security monitoring must be updated to track operations within the io_uring kernel feature.
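One concrete form of the monitoring update called for above, as an added example that is not part of the original post and not RingReaper's code: the io_uring family still has to be entered through its own syscalls (io_uring_setup, io_uring_enter, io_uring_register), so an audit rule on those three numbers plus a small parser over the resulting records is enough to surface processes that create rings. It assumes x86_64 (audit arch c000003e, syscall numbers 425 to 427), constructed sample records, and a hypothetical allowlist of binaries that legitimately use io_uring.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers for the io_uring family (kernel syscall table).
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}
# Hypothetical allowlist of binaries known to use io_uring legitimately on this host.
KNOWN_IO_URING_USERS = {"/usr/lib/postgresql/bin/postgres"}

# Constructed auditd SYSCALL records (not real logs) as produced by a rule such as
#   auditctl -a always,exit -F arch=b64 -S 425,426,427 -k io_uring
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=425 success=yes exit=5 pid=4242 ppid=1 uid=1000 comm="updater" exe="/tmp/.cache/updater" key="io_uring"
type=SYSCALL msg=audit(1700000000.102:302): arch=c000003e syscall=426 success=yes exit=1 pid=4242 ppid=1 uid=1000 comm="updater" exe="/tmp/.cache/updater" key="io_uring"
type=SYSCALL msg=audit(1700000000.103:303): arch=c000003e syscall=0 success=yes exit=512 pid=5150 ppid=1 uid=1000 comm="cat" exe="/usr/bin/cat" key="reads"
type=SYSCALL msg=audit(1700000000.104:304): arch=c000003e syscall=426 success=yes exit=4 pid=4242 ppid=1 uid=1000 comm="updater" exe="/tmp/.cache/updater" key="io_uring"
type=SYSCALL msg=audit(1700000000.105:305): arch=c000003e syscall=425 success=yes exit=6 pid=6000 ppid=1 uid=0 comm="postgres" exe="/usr/lib/postgresql/bin/postgres" key="io_uring"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd record into a dict of key -> value (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def io_uring_activity(log_text, arch="c000003e"):
    """Group io_uring syscalls per pid: {pid: {"exe": path, "calls": {name: count}}}.
    Records for other ABIs are ignored because syscall numbers differ per arch."""
    activity = defaultdict(lambda: {"exe": None, "calls": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != arch:
            continue
        name = IO_URING_SYSCALLS.get(int(rec.get("syscall", -1)))
        if name is None:
            continue
        activity[rec["pid"]]["exe"] = rec.get("exe")
        activity[rec["pid"]]["calls"][name] += 1
    return activity


def suspicious_ring_users(activity, allowlist=KNOWN_IO_URING_USERS):
    """Flag pids that created a ring (io_uring_setup) from a binary not on the allowlist.
    Keyed on setup rather than enter: a ring created with SQPOLL can be driven with
    few or no io_uring_enter calls, so setup is the one call every ring must make."""
    return sorted(pid for pid, e in activity.items()
                  if e["calls"].get("io_uring_setup") and e["exe"] not in allowlist)
```

In the sample, the unknown binary in /tmp is flagged while the allowlisted database server is not; on a real host the allowlist has to be built from an inventory of legitimate io_uring users first.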