This rootkit doesn't just hide from detection tools, it blinds them at the kernel level. When security tools try to enable ftrace (the standard syscall tracing method), the rootkit intercepts writes to /proc/sys/kernel/ftrace_enabled, pretends it succeeded, stores a fake "enabled" value in memory, and returns it on reads while never actually enabling tracing, so tools like perf and ftrace think they're working but see nothing.
It blocks all dangerous eBPF program types (kprobes, tracepoints, LSM hooks, iterators) making modern security tools like Falco, bpftrace, Tracee, Cilium are completely blind.
This kernel rootkit also can evade detection on modern EDRs like Trend Micro EDR, Crowdstrike falcon (since blocks eBPF operations), Elastic Security, Sophos, and others.
It hooks every read syscall variant (read, pread64, readv, preadv, preadv2, plus 32-bit versions) to filter /proc/kmsg, /var/log/kern.log, /var/log/syslog, dmesg output, and audit logs, removing any lines containing "taint", "hook", "ftrace", or "kallsyms_lookup_name" before they reach userspace. For process hiding, it doesn't just filter /proc but hooks 20+ syscalls (getdents64, stat, lstat, statx, newfstatat, chdir, readlink, openat, kill, getsid, getpgid, pidfd_open) returning ENOENT/ESRCH for hidden PIDs.
It hooks netlink_unicast to drop audit messages about hidden processes before they reach auditd. It hooks init_module and finit_module so you can't load detection kernel modules, always return -ENOEXEC (Exec format error).
It hides network connections by hooking tcp4_seq_show, tcp6_seq_show, and tpacket_rcv.
And it has other very strong and stealthy hooks, which makes it scary because it doesn't have much of an impact on the system, and it doesn't slow it down like other rootkits.
Once a machine is compromised with singularity rootkit, trusting any observability from that kernel becomes impossible, your security tools are running and reporting "all clear" while being completely deceived.
matheuzsec•2h ago
It blocks all dangerous eBPF program types (kprobes, tracepoints, LSM hooks, iterators) making modern security tools like Falco, bpftrace, Tracee, Cilium are completely blind.
This kernel rootkit also can evade detection on modern EDRs like Trend Micro EDR, Crowdstrike falcon (since blocks eBPF operations), Elastic Security, Sophos, and others.
It hooks every read syscall variant (read, pread64, readv, preadv, preadv2, plus 32-bit versions) to filter /proc/kmsg, /var/log/kern.log, /var/log/syslog, dmesg output, and audit logs, removing any lines containing "taint", "hook", "ftrace", or "kallsyms_lookup_name" before they reach userspace. For process hiding, it doesn't just filter /proc but hooks 20+ syscalls (getdents64, stat, lstat, statx, newfstatat, chdir, readlink, openat, kill, getsid, getpgid, pidfd_open) returning ENOENT/ESRCH for hidden PIDs.
It hooks netlink_unicast to drop audit messages about hidden processes before they reach auditd. It hooks init_module and finit_module so you can't load detection kernel modules, always return -ENOEXEC (Exec format error).
It hides network connections by hooking tcp4_seq_show, tcp6_seq_show, and tpacket_rcv.
And it has other very strong and stealthy hooks, which makes it scary because it doesn't have much of an impact on the system, and it doesn't slow it down like other rootkits.
Once a machine is compromised with singularity rootkit, trusting any observability from that kernel becomes impossible, your security tools are running and reporting "all clear" while being completely deceived.