Singularity - Stealthy Linux Kernel Rootkit
"Shall we give forensics a little work?"
Singularity is a powerful Linux Kernel Module (LKM) rootkit designed for modern 6.x kernels. It provides comprehensive stealth capabilities through advanced system call hooking via ftrace infrastructure.
Full Research Article (outdated version): Singularity: A Final Boss Linux Kernel Rootkit
EDR Evasion Case Study: Bypassing Elastic EDR with Singularity
What is Singularity?
Singularity is a sophisticated rootkit that operates at the kernel level, providing:
Process Hiding: Make any process completely invisible to the system
File & Directory Hiding: Conceal files using pattern matching
Network Stealth: Hide TCP/UDP connections, ports, and conntrack entries