Critical Gap in Most Linux Security Detection Solutions Detailed

ARMO releases rootkit to offer better detection options.

An evasion technique that allows malicious actors to go undetected by avoiding system calls has been detailed.

According to research by ARMO, Linux security tools depend heavily on monitoring traditional system calls as their primary detection mechanism; while this approach is effective against many threats, it fails to account for techniques that bypass those system calls entirely.

“By leveraging this gap, attackers can perform malicious operations without triggering the typical signals security products rely on,” the company said, pointing out that this method is relevant for many Linux agent-based detection solutions.

ARMO said that by looking only at system calls, these tools have no visibility into certain low-level operations performed via io_uring. “By exploiting this gap, attackers can execute various actions, including making network connections or accessing and changing files, without detection by traditional security solutions provided by major open source projects and commercial security companies.”

ARMO is releasing a rootkit that demonstrates the stealthy attack method: it leverages io_uring, the Linux asynchronous I/O framework, to perform malicious activities in a way that bypasses traditional detection mechanisms.
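As an added example (not ARMO's code and not part of the original article), this Python host check lists processes that hold an io_uring instance, found through the `anon_inode:[io_uring]` target of their `/proc/<pid>/fd` links, and reports the `kernel.io_uring_disabled` sysctl (Linux 6.6 and later), giving a defender a first view of where syscall-only monitoring is blind.

```python
"""Host check for io_uring use (added example, not ARMO's code): lists
processes holding an io_uring instance and reports the kernel's io_uring
policy, showing where syscall-only monitoring has a blind spot."""
import os
from pathlib import Path

IO_URING_LINK = "anon_inode:[io_uring]"  # /proc/<pid>/fd/<n> target of an io_uring instance
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"  # present on Linux 6.6 and later

def is_io_uring_fd(link_target: str) -> bool:
    """True if an fd symlink target names an io_uring instance."""
    return link_target == IO_URING_LINK

def describe_policy(raw) -> str:
    """Map kernel.io_uring_disabled to a policy string (None: sysctl absent, kernel before 6.6)."""
    if raw is None:
        return "sysctl absent: io_uring enabled for all processes"
    value = raw.strip()
    return {
        "0": "0: io_uring enabled for all processes",
        "1": "1: io_uring limited to root and io_uring_group members",
        "2": "2: io_uring disabled for all processes",
    }.get(value, f"unknown value {value!r}")

def read_policy(path: str = SYSCTL_PATH) -> str:
    try:
        return describe_policy(Path(path).read_text())
    except OSError:
        return describe_policy(None)

def find_io_uring_users(proc: str = "/proc") -> list[tuple[int, str]]:
    """Return (pid, comm) for each process holding an io_uring fd (other users' fd tables need root)."""
    hits = []
    root = Path(proc)
    for entry in (root.iterdir() if root.is_dir() else []):
        if not entry.name.isdigit():
            continue
        try:
            targets = [os.readlink(fd) for fd in (entry / "fd").iterdir()]
            comm = (entry / "comm").read_bytes().decode(errors="replace").strip()
        except OSError:
            continue  # process exited or permission denied
        if any(is_io_uring_fd(t) for t in targets):
            hits.append((int(entry.name), comm))
    return hits

if __name__ == "__main__":
    print(read_policy())
    for pid, comm in find_io_uring_users():
        print(f"pid {pid} ({comm}) holds an io_uring instance")
```

Legitimate software (databases, storage daemons) uses io_uring as well, so a hit is a triage lead to correlate with other telemetry rather than proof of compromise.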


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
