new-linux-rootkit

Fascinating:

The organization has unveiled a functional rootkit dubbed “Curing” that utilizes io_uring, a capability integrated into the Linux kernel, to covertly execute harmful actions without being detected by numerous detection systems available in the market today.

At the core of the dilemma is the significant dependence on observing system calls, which has emerged as the primary approach for several cybersecurity firms. The catch? Intruders can entirely bypass these monitored calls by utilizing io_uring instead. This ingenious tactic could enable malicious actors to silently establish network connections or manipulate files without triggering typical alerts.

Here’s the source code.

Be aware of the self-promotional aspect of this disclosure: ARMO, the firm that published the research and code, possesses a product that it asserts can block this type of attack.
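The detection gap described above is that the file and network operations themselves never cross the monitored syscall boundary, but the io_uring instance a process sets up is still visible from procfs. The following is an added defender-side example, not code from the post or from ARMO: it lists processes holding io_uring file descriptors, and assumes a Linux host with procfs mounted at /proc (the sample data and the pid 4242 process are constructed).

```python
"""Added example, not from the page or ARMO's code: flag processes holding
io_uring instances by reading /proc/<pid>/fd, a host-side check that does not
rely on seeing the file/socket syscalls the ring replaces. Assumes Linux."""
import os

# readlink() of an io_uring file descriptor resolves to this pseudo-path.
IO_URING_TARGET = "anon_inode:[io_uring]"


def io_uring_pids(fd_targets):
    """fd_targets: iterable of (pid, comm, link_target), as read_proc_fds()
    yields. Returns {pid: (comm, io_uring_fd_count)} for processes with >=1."""
    hits = {}
    for pid, comm, target in fd_targets:
        if target == IO_URING_TARGET:
            _, count = hits.get(pid, (comm, 0))
            hits[pid] = (comm, count + 1)
    return hits


def read_proc_fds(proc_root="/proc"):
    """Walk /proc/<pid>/fd, yielding (pid, comm, readlink target); processes
    that cannot be inspected (no permission, already exited) are skipped."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"{proc_root}/{name}/fd"
            for fd in os.listdir(fd_dir):
                try:
                    yield int(name), comm, os.readlink(f"{fd_dir}/{fd}")
                except OSError:
                    continue  # fd closed between listdir() and readlink()
        except OSError:
            continue


# Constructed sample of what read_proc_fds() might yield (not captured from a
# real host); pid 4242 is a hypothetical process that has set up a ring.
SAMPLE_FDS = [
    (1, "systemd", "/dev/null"),
    (4242, "ring-user", "anon_inode:[io_uring]"),
    (4242, "ring-user", "socket:[12345]"),
    (4242, "ring-user", "anon_inode:[io_uring]"),
    (777, "sshd", "socket:[999]"),
]

if __name__ == "__main__":  # one-shot scan of the live host
    for pid, (comm, n) in sorted(io_uring_pids(read_proc_fds()).items()):
        print(f"pid {pid} ({comm}) holds {n} io_uring instance(s)")
```

A hit is not an alert on its own: databases, language runtimes and other legitimate software use io_uring, so compare the list against a baseline of expected users. On kernels that provide it, the kernel.io_uring_disabled sysctl can restrict or disable the interface outright where no workload needs it.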

