New Linux Singularity Rootkit using Sophisticated Technique to Evade Elastic EDR Detection

aum

A sophisticated Linux kernel rootkit has been released that is designed to slip past the defenses of Elastic Security, a leading endpoint detection and response (EDR) platform.

    Released on GitHub by researcher 0xMatheuZ, the rootkit employs advanced obfuscation techniques to evade YARA-based detection and behavioral monitoring.


    While presented strictly for educational purposes, Singularity underscores the evolving challenges in kernel-level threat detection, potentially informing both attackers and defenders in the cybersecurity arms race.


    Elastic Security, integrated with Elastic Defend, typically triggers over two dozen alerts during rootkit scans, including file quarantines and process terminations.


    Singularity counters this by fragmenting its code, randomizing identifiers, and staging payloads in memory, achieving full evasion during testing.


    Core capabilities include hiding processes from /proc, concealing files and directories with patterns like “singularity” or “matheuz,” masking TCP connections on port 8081, and enabling privilege escalation via custom signals or environment variables.


    It also features an ICMP-based backdoor for reverse shells triggered by specific packet sequences, alongside anti-analysis measures that block tracing and sanitize logs.


    Singularity Linux Rootkit Evades Elastic EDR


    At the heart of Singularity’s success lies a multi-layered approach to static analysis evasion. Traditional rootkits falter on predictable strings and symbols that YARA rules target, such as “kallsyms_lookup_name” paired with “license=GPL” or hooks like “hook_getdents.”

[Image: Singularity tool]

The rootkit’s Python-based obfuscator fragments these at compile time, splitting strings into adjacent literals that the C compiler reassembles, e.g. transforming MODULE_LICENSE("GPL") into MODULE_LICENSE("G" "P" "L").

    This ensures functionality while rendering the binary’s strings non-contiguous for scanners, as verified by tools like strings and objdump showing no direct matches.


    Symbol name randomization takes it further, replacing suspicious prefixes (“hook_,” “fake_”) with innocuous, kernel-mimicking names like “sys_abjker_handler” or “kern_wopqls_helper.”


    A whitelist protects essential kernel APIs, and regex patterns extract functions for consistent renaming, sorted by length to avoid partial substitutions, MatheuZ said.


    Ftrace hooking functions, another common giveaway, receive similar treatment, renaming “fh_install_hook” to evade rules detecting two or more such patterns. These techniques collectively dismantle the 57 function-name signatures in Elastic’s generic rootkit rules.


    Beyond static tricks, Singularity fragments its compiled .ko file into 64KB XOR-encoded chunks using a random 16-byte key, stored alongside metadata for reconstruction.


    A custom loader, compiled statically, reassembles these in memory via memfd_create, an anonymous file descriptor that avoids disk artifacts.


    It employs direct syscalls (both 64-bit and legacy 32-bit via int $0x80) to invoke finit_module, sidestepping hooked libc functions. This memory-only loading resists on-disk scanning, with fragments deletable post-execution.
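The loading pattern just described (an image reassembled in a memfd, direct syscalls including the legacy 32-bit ABI, a loader staged in /tmp) leaves telemetry a defender can score. The following detection logic is an added example for defenders, not code from the article or from the Singularity project; the event schema (a dict with syscall, arch, exe_bits, comm, cwd and fd_path) is a constructed simplification of what an auditd or eBPF sensor could emit once the finit_module call is correlated with the file its descriptor points at, and the sample events are constructed, not real telemetry.

```python
"""Score kernel-module load events for the fileless loading pattern.
Added defender-side example; the event schema and samples are constructed."""

# Architecture identifiers exactly as auditd prints them in the arch= field.
ARCH_X86_64 = "c000003e"
ARCH_I386 = "40000003"

MODULE_LOAD_SYSCALLS = {"init_module", "finit_module"}
# Processes that legitimately load modules on a typical host (tune per fleet).
KNOWN_LOADERS = {"modprobe", "insmod", "kmod", "systemd-udevd", "systemd-modules-load"}
# Scratch directories a hand-rolled loader is likely to be built and run from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def score_module_load(ev: dict) -> list[str]:
    """Return the reasons an event looks like a fileless module load (empty = benign)."""
    if ev.get("syscall") not in MODULE_LOAD_SYSCALLS:
        return []
    reasons = []
    # finit_module takes a descriptor; an anonymous memfd shows up in
    # /proc/<pid>/fd as "/memfd:<name> (deleted)" with no backing file on disk.
    if ev.get("fd_path", "").startswith("/memfd:"):
        reasons.append("module image backed by memfd_create, no on-disk .ko")
    # init_module hands the image over from a userland buffer instead of a file.
    if ev["syscall"] == "init_module":
        reasons.append("init_module from process memory")
    # A 64-bit executable issuing the i386 syscall ABI (int $0x80) is a classic
    # way to dodge hooks that only watch the native syscall table.
    if ev.get("exe_bits") == 64 and ev.get("arch") == ARCH_I386:
        reasons.append("legacy 32-bit syscall ABI from 64-bit process")
    cwd = ev.get("cwd", "") + "/"
    if cwd.startswith(SCRATCH_DIRS):
        reasons.append(f"loader running from scratch dir {ev['cwd']}")
    if ev.get("comm") not in KNOWN_LOADERS:
        reasons.append(f"unexpected loader process {ev.get('comm')!r}")
    return reasons


def detect_module_loads(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> reasons for every event that scored at least one reason."""
    out = {}
    for ev in events:
        reasons = score_module_load(ev)
        if reasons:
            out[ev["id"]] = reasons
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "syscall": "finit_module", "arch": ARCH_X86_64, "exe_bits": 64,
     "comm": "modprobe", "cwd": "/",
     "fd_path": "/lib/modules/6.1.0/kernel/fs/xfs/xfs.ko"},
    {"id": "e2", "syscall": "finit_module", "arch": ARCH_I386, "exe_bits": 64,
     "comm": "loader", "cwd": "/tmp/build", "fd_path": "/memfd:x (deleted)"},
    {"id": "e3", "syscall": "openat", "arch": ARCH_X86_64, "exe_bits": 64,
     "comm": "bash", "cwd": "/tmp", "fd_path": "/etc/passwd"},
]

if __name__ == "__main__":
    for eid, reasons in detect_module_loads(SAMPLE_EVENTS).items():
        print(eid, "->", "; ".join(reasons))
```

Only e2 scores: the memfd-backed image, the 32-bit ABI from a 64-bit process, the /tmp working directory and the unknown loader name each add a reason, while the modprobe load of a packaged .ko scores nothing. Each reason alone is weak (memfd is used by legitimate software, and /tmp is noisy), so the value is in stacking them; the arch mismatch in particular is rare enough in normal operation to alert on by itself.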


    Behavioral detection proves trickier, especially for the ICMP-triggered reverse shell. Elastic flags patterns like setsid with /dev/tcp/ in command lines or shell executions from kernel workers.


    Singularity counters by writing a staged bash script to /singularity, hiding the spawning kworker PID immediately, then executing a clean /bin/bash /singularity.


    The script opens a TCP descriptor, spawns sh in the background, and uses kill -59 on precise PIDs for targeted hiding and escalation, bypassing command-line scrutiny without affecting legitimate processes.

[Image: Evades security detection]

    Bonus evasions include compiling loaders in /tmp instead of monitored /dev/shm and automating the obfuscation pipeline for reproducibility. In tests, Singularity loaded undetected, hid processes, and established root shells, proving its mettle against current Elastic rules.


    This work highlights the fragility of signature-based defenses against adaptive threats. As EDRs evolve, such research pushes for holistic detection blending machine learning and anomaly analysis. For defenders, it signals the need for deeper kernel integrity checks; for researchers, it’s a blueprint for resilience.
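The process hiding described in the reverse-shell section (a kworker PID removed from /proc) and the deeper kernel checks the closing paragraph asks for can both be approached with cross-view consistency checks. The script below is an added example for defenders, not code from the article or from the Singularity project. It assumes a Linux host: a rootkit that filters directory listings can keep a PID out of `ls /proc`, but a direct stat of /proc/<pid> takes a different code path and usually still succeeds, so probing every candidate PID and diffing against the listing exposes the gap; likewise lsmod reads /proc/modules while /sys/module is a separate view of loaded modules. The check functions take their inputs as parameters so they can be exercised on constructed data; the collectors read the live system.

```python
"""Cross-view checks for hidden processes and hidden kernel modules.
Added defender-side example; assumes a Linux host for the live collectors."""
import os
from typing import Callable, Iterable


def find_hidden_pids(listed: Iterable[int], probe: Callable[[int], bool],
                     max_pid: int) -> list[int]:
    """PIDs that probe() confirms exist but that are absent from the listing."""
    visible = set(listed)
    return [pid for pid in range(1, max_pid + 1)
            if pid not in visible and probe(pid)]


def find_hidden_modules(proc_modules: Iterable[str],
                        sys_modules: Iterable[str]) -> list[str]:
    """Modules present in the sysfs view but missing from /proc/modules."""
    return sorted(set(sys_modules) - set(proc_modules))


# --- live collectors for a Linux host ---------------------------------------

def listed_pids_from_proc() -> list[int]:
    """The same view `ls /proc` and ps get: a directory listing."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def probe_pid(pid: int) -> bool:
    """Direct path lookup; a permission error still proves the PID exists."""
    try:
        os.stat(f"/proc/{pid}/status")
        return True
    except FileNotFoundError:
        return False
    except PermissionError:
        return True


def read_pid_max() -> int:
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read().strip())


def modules_from_proc() -> list[str]:
    """First column of /proc/modules, i.e. what lsmod prints."""
    with open("/proc/modules") as f:
        return [line.split()[0] for line in f if line.strip()]


def modules_from_sysfs() -> list[str]:
    # /sys/module also has entries for built-in code that exposes parameters;
    # only loadable modules carry an initstate file, so filter on it.
    return [m for m in os.listdir("/sys/module")
            if os.path.exists(f"/sys/module/{m}/initstate")]


def audit_host() -> dict[str, list]:
    """Run both checks live. PIDs are re-listed once so that processes which
    started between the listing and the probe are not reported as hidden."""
    suspects = find_hidden_pids(listed_pids_from_proc(), probe_pid, read_pid_max())
    relisted = set(listed_pids_from_proc())
    return {
        "hidden_pids": [p for p in suspects if p not in relisted],
        "hidden_modules": find_hidden_modules(modules_from_proc(),
                                              modules_from_sysfs()),
    }


if __name__ == "__main__":
    print(audit_host())
```

On hosts where pid_max is 4194304 the probe loop issues millions of stat calls and takes a while; narrowing the range or running it from a periodic job is reasonable. The check is deliberately cheap and userland-only: a rootkit that also hooks path lookup, or that scrubs /sys/module, will pass it, so treat a clean result as a first pass and back it with kernel-side integrity tooling rather than as proof of a clean system.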
