Singularity A final boss linux kernel rootkit

Singularity is a Loadable Kernel Module (LKM) rootkit for Linux 6.x that implements ftrace-based syscall hooking, multi-layered process/file/network hiding, privilege escalation, module self-hiding, and extensive log sanitization to evade detection. The project supplies dual-architecture (x86_64 and ia32) hooks, tmpfs OPSEC guidance, and anti-forensic scripts; source: https://github.com/MatheuZSecurity/Singularity #Singularity #ftrace

Keypoints

  • Singularity hooks syscalls through ftrace (an ftrace_ops registered with SAVE_REGS, RECURSION and IPMODIFY) rather than patching the syscall table, so it never has to clear the CR0.WP write-protect bit that direct table modification requires.
  • Process hiding is implemented via a fixed-size hidden PID array plus multiple syscall hooks (getdents64, stat, openat, readlink, chdir, getpgid, getsid, etc.) and special behaviors for kill -59 and kill -0.
  • Filesystem hiding is pattern-based (e.g., “singularity”, “matheuz”, “jira”) and enforced by filtering getdents results, blocking openat/chdir/readlink, and adjusting st_nlink to prevent forensic discrepancy detection.
  • Network stealth hides a hardcoded port (8081) by filtering /proc/net/tcp* seq_file outputs and dropping packets in tpacket_rcv to evade netstat/ss/lsof/tcpdump/wireshark.
  • Privilege escalation via SpawnRoot() (prepare_creds/commit_creds to set all UIDs/GIDs to 0) triggered by signal 59 or by detecting MAGIC=mtz in a bash process environment (hooking getuid).
  • Comprehensive log and debug sanitization: hooks on read() filter kmsg, syslog/journal, enabled_functions, kallsyms, sched debug and other interfaces; in addition, the module resolves the tainted_mask symbol and clears the kernel taint flags from a hidden kernel thread.
  • Module self-hiding manipulates module list, sysfs kobject, and module state (MODULE_STATE_UNFORMED), prevents module loading (init_module/finit_module hooks), and supports persistence and cleanup scripts for anti-forensics.
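A cross-view check for the process-hiding layer described above, added here as an example (it is not code from the Singularity project or from the blog): every PID is probed with sched_getaffinity(2), which the summary does not list among the hooked syscalls (assumed unhooked), and the result is compared with the directory listing of /proc that the getdents64 hook filters. A PID the kernel still schedules but procfs will not list, once threads and scan races are discounted, is a candidate hidden process.

```python
import os

def procfs_pids():
    """PIDs as a directory listing of /proc reports them (the getdents64 view)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pid_alive(pid):
    """Probe a PID with sched_getaffinity(2), a syscall not in the hooked list above (assumed unhooked)."""
    try:
        os.sched_getaffinity(pid)
        return True
    except ProcessLookupError:
        return False

def is_thread(pid):
    """Non-leader threads answer the probe but have no /proc directory entry; their Tgid differs."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = next(line for line in f if line.startswith("Tgid:")).split()[1]
        return int(tgid) != pid
    except (OSError, StopIteration):
        return False  # unreadable status: keep the PID on the suspect list

def hidden_pids(max_pid):
    """PIDs that answer the probe but are absent from /proc.

    Threads, processes started after the listing and processes that exited
    after the probe are re-checked and dropped, so what remains is a PID the
    kernel schedules but procfs will not show.
    """
    listed = procfs_pids()
    probed = {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}
    return {pid for pid in probed - listed
            if not is_thread(pid) and pid not in procfs_pids() and pid_alive(pid)}

def self_visible():
    """Sanity check: the calling process must appear in both views and never as hidden."""
    pid = os.getpid()
    return pid in procfs_pids() and pid_alive(pid) and pid not in hidden_pids(pid)

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        suspects = hidden_pids(int(f.read()))
    print("hidden PIDs:", sorted(suspects) or "none")
```

A non-empty result on a host mounted without hidepid is the discrepancy to investigate; a full pid_max scan takes a few seconds in Python, which is acceptable for an on-demand check.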

MITRE Techniques

  • [T1218] System Binary Proxy Execution – Uses legitimate kernel mechanisms (ftrace, kprobes) and standard syscalls to intercept and manipulate behavior rather than adding new binaries; “it installs an ftrace_ops with SAVE_REGS, RECURSION, and IPMODIFY, and filters only the target addresses with ftrace_set_filter_ip()”.
  • [T1546] Event Triggered Execution – Privilege escalation triggered by a special signal (kill -59) and by an environment variable (MAGIC=mtz) detected during the frequent syscall getuid(); “…if (signal == 59) { SpawnRoot(); add_hidden_pid(pid); … }” and “if (strstr(envs, "MAGIC=mtz")) { rootmagic(); }”.
  • [T1014] Rootkit – Kernel-level persistence and stealth by installing an LKM that hides processes/files/networks and hides itself in module lists and sysfs; “module_hide_current() … __remove_from_sysfs(mod); __remove_from_module_list(mod); __sanitize_module_info(mod);”.
  • [T1565] Data Manipulation – Log and kernel message sanitization by filtering reads from kmsg, syslog, journal, and debug interfaces to remove lines containing specific keywords; “filter_kmsg_line(…) { … return line_contains_sensitive_info(kernel_buf) ? 0 : bytes_read; }”.
  • [T1573] Encrypted Channel / Network Evasion – Network-level hiding by filtering sequence files for /proc/net/tcp* and dropping packets in the AF_PACKET receive handler to hide C2 port traffic; “if (sport == PORT || dport == PORT) return 0;” and “if (ntohs(tcph->dest) == PORT || ntohs(tcph->source) == PORT) return NET_RX_DROP;”.
  • [T1547] Boot or Logon Autostart Execution – Implements persistence by adding the module name to /etc/modules-load.d and copying the .ko to the kernel module directories for auto-load at boot; “echo "$MODULE_NAME" > "$CONF_DIR/$MODULE_NAME.conf" … cp "$KO_FILE" "$MODULE_DIR/$MODULE_NAME.ko"”.
  • [T1204] User Execution via Environment – Elevation by setting an environment variable in a shell that triggers automatic escalation when the shell calls getuid; “MAGIC=mtz bash … The new bash process inherits the environment variable, triggers the hook on its first getuid() call, and instantly becomes root.”

Indicators of Compromise

  • [File/Module Name] kernel module and repository – singularity.ko (Singularity LKM), GitHub repo https://github.com/MatheuZSecurity/Singularity
  • [Filesystem Patterns] hidden file/directory name substrings – examples: “singularity”, “matheuz” (also “jira”, “obliviate”, “zer0t”)
  • [Network Port] hidden C2 port – TCP port 8081 (hardcoded PORT value)
  • [Sysfs/Debug Files] targeted debug/log interfaces – /sys/kernel/debug/tracing/enabled_functions, /proc/kmsg, kallsyms, /sys/module/, and /sys/kernel/debug/sched/debug
  • [Environment Marker] escalation environment variable – “MAGIC=mtz” used to trigger privilege escalation in bash
  • [Process Artifact] hidden control thread name – task/thread name “zer0t” used for the taint reset thread and hidden via the PID list
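A check for the network port indicator above, added here as an example (not code from the Singularity project or from the blog): the seq_file filtering only changes what /proc/net/tcp* prints, so while the kernel socket on the hardcoded port exists a bind() on that port still fails with EADDRINUSE. A port that bind() reports as taken but /proc/net/tcp* does not list is the discrepancy to alert on. The /proc/net/tcp text below is a constructed sample, and PORT assumes the default 8081 named in the summary.

```python
import errno
import socket

PORT = 8081  # hardcoded port the summary names (assumption: unchanged in the sample at hand)

# Constructed sample of /proc/net/tcp output: a listener on 127.0.0.1:8081 and one on 0.0.0.0:22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""

def parse_local_ports(text):
    """Local TCP ports from /proc/net/tcp{,6} text; the port is the hex field after the last ':'."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) > 1:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def ports_in_proc_net():
    """What the (possibly filtered) seq_file path of /proc/net/tcp and tcp6 admits to."""
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                ports |= parse_local_ports(f.read())
        except OSError:
            pass
    return ports

def port_bound(port):
    """True when bind() fails with EADDRINUSE: a kernel socket holds the port regardless of /proc."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        return e.errno == errno.EADDRINUSE

def hidden_port(port=PORT):
    """A port that bind() reports as taken while /proc/net/tcp* shows no socket on it."""
    return port_bound(port) and port not in ports_in_proc_net()
```

A listener bound only to an IPv6 address with IPV6_V6ONLY set needs the same probe repeated with AF_INET6; a port held only by TIME_WAIT sockets is not flagged because those entries still appear in /proc/net/tcp*.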


Read more: https://blog.kyntra.io/Singularity-A-final-boss-linux-kernel-rootkit