Singularity Unveils Rootkit Evading SELinux & More

Matheus Alves, a security researcher specializing in malware, has published an update to Singularity, an open-source rootkit for the Linux kernel distributed under the MIT license. The project's goal is to demonstrate techniques that let an attacker hide their presence after obtaining root and retain the ability to covertly perform privileged operations. Singularity is intended to be useful to security researchers for testing and developing tools that detect and block rootkits.

The rootkit is built as a loadable module for Linux 6.x kernels and intercepts system calls through ftrace: the rootkit itself neither overwrites the system call table nor patches the text of kernel functions, but registers a callback on the function-entry instrumentation that ftrace already maintains. Singularity can hide its own presence as well as attacker-specified processes and the files and network activity associated with them. For researchers' convenience, the functionality is split into modules.
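A baseline check a practitioner can run against this class of hook, added here as an example and not code from Singularity or from the original article: ftrace exposes every function it is currently instrumenting in /sys/kernel/tracing/enabled_functions (/sys/kernel/debug/tracing/enabled_functions on systems still using debugfs), and an ftrace_ops that redirects execution, which is what a syscall hook has to do, must set FTRACE_OPS_FL_IPMODIFY, which the listing shows as an "I" flag after the per-function ops count. The program below parses that listing and reports IPMODIFY entries, marking x86-64 syscall handlers by their "__x64_sys_"/"__ia32_sys_" prefix. The sample listing is constructed (modelled on the layout of that file, not a real capture) and the helper names are my own; when run as root on a real system it reads the live file instead.

```c
/* Added example: flag ftrace hooks that may redirect execution (IPMODIFY).
 * Helper names are the author's own; SAMPLE_LISTING is constructed, not a capture. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENABLED_FUNCTIONS_PATH "/sys/kernel/tracing/enabled_functions"

/* Constructed lines following the "name (count) flags\ttramp: ..." layout. */
static const char SAMPLE_LISTING[] =
    "__x64_sys_kill (1) R I\ttramp: 0xffffffffc0a3d000 (ftrace_regs_caller+0x0/0x70) ->ftrace_ops_list_func\n"
    "__x64_sys_getdents64 (1) R I\ttramp: 0xffffffffc0a3d000 (ftrace_regs_caller+0x0/0x70) ->ftrace_ops_list_func\n"
    "schedule (1)\n"
    "vfs_read (2) R\n";

struct ftrace_entry {
    char name[128]; /* function symbol, first token on the line */
    long count;     /* number of ftrace_ops attached, from "(N)" */
    int ipmodify;   /* "I": an attached ops may change the instruction pointer */
    int regs;       /* "R": an attached ops receives full pt_regs */
};

/* Parse one line; returns 1 on success, 0 if it does not match the layout. */
int parse_enabled_line(const char *line, struct ftrace_entry *e)
{
    const char *p = line, *open;
    char *end;
    size_t n;

    memset(e, 0, sizeof(*e));
    while (*p && isspace((unsigned char)*p)) p++;
    n = strcspn(p, " \t");
    if (n == 0 || n >= sizeof(e->name)) return 0;
    memcpy(e->name, p, n);
    e->name[n] = '\0';
    p += n;

    open = strchr(p, '(');              /* attached-ops count, e.g. " (1)" */
    if (!open) return 0;
    e->count = strtol(open + 1, &end, 10);
    if (end == open + 1 || *end != ')') return 0;

    /* Flags are spaced capital letters; they end at the tab before "tramp:". */
    for (p = end + 1; *p == ' ' || (*p >= 'A' && *p <= 'Z'); p++) {
        if (*p == 'I') e->ipmodify = 1;
        else if (*p == 'R') e->regs = 1;
    }
    return 1;
}

/* x86-64 syscall handlers are named __x64_sys_* / __ia32_sys_*. */
int is_syscall_symbol(const char *name)
{
    return strncmp(name, "__x64_sys_", 10) == 0 || strncmp(name, "__ia32_sys_", 11) == 0;
}

/* 1 if the line is an IPMODIFY hook, 0 if not, -1 if it does not parse. */
int line_is_ipmodify_hook(const char *line)
{
    struct ftrace_entry e;
    return parse_enabled_line(line, &e) ? e.ipmodify : -1;
}

/* Count IPMODIFY hooks in a whole listing; -1 if no line parsed at all. */
int count_ipmodify_hooks(const char *listing, int verbose)
{
    int hooks = 0, parsed = 0;
    const char *cur = listing;

    while (*cur) {
        const char *nl = strchr(cur, '\n');
        size_t full = nl ? (size_t)(nl - cur) : strlen(cur), len = full;
        char line[512];
        struct ftrace_entry e;

        if (len >= sizeof(line)) len = sizeof(line) - 1;
        memcpy(line, cur, len);
        line[len] = '\0';
        if (parse_enabled_line(line, &e)) {
            parsed++;
            if (e.ipmodify) {
                hooks++;
                if (verbose)
                    printf("IPMODIFY hook on %s (%ld ops)%s\n", e.name, e.count,
                           is_syscall_symbol(e.name) ? " [syscall handler]" : "");
            }
        }
        cur = nl ? nl + 1 : cur + full;
    }
    return parsed ? hooks : -1;
}

int main(void)
{
    FILE *f = fopen(ENABLED_FUNCTIONS_PATH, "r");
    char *text = NULL, chunk[4096];
    size_t len = 0, r;
    const char *listing;
    int n;

    if (f) {
        while ((r = fread(chunk, 1, sizeof chunk, f)) > 0) {
            char *t = realloc(text, len + r + 1);
            if (!t) { free(text); fclose(f); return 1; }
            text = t;
            memcpy(text + len, chunk, r);
            len += r;
            text[len] = '\0';
        }
        fclose(f);
    }
    listing = (text && len) ? text : SAMPLE_LISTING;
    if (listing == SAMPLE_LISTING)
        puts("enabled_functions not readable; scanning the constructed sample");
    n = count_ipmodify_hooks(listing, 1);
    printf("%d IPMODIFY hook(s)\n", n < 0 ? 0 : n);
    free(text);
    return 0;
}
```

Treat a hit only as a lead: legitimate users of IPMODIFY exist (live patching, for one), so each flagged symbol needs to be traced back to the ftrace_ops and module that registered it, and a rootkit that already runs in the kernel can tamper with this file or with the reads of it, so the listing should be corroborated from outside the suspect host (memory acquisition or a trusted boot environment) rather than trusted on its own.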

Beyond the standard concealment techniques (hiding chosen processes, files, directories and kernel modules), Singularity implements several more advanced methods for bypassing protection mechanisms and evading rootkit scanners such as Falco, ghostscan, tracee,
