Full Report
Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism called io_uring to bypass traditional system call monitoring. This causes a "major blind spot in Linux runtime security tools," ARMO said. "This mechanism allows a user application to perform various actions without using system calls," the company said in
Analysis Summary
# Tool/Technique: Curing, an io_uring-based PoC Rootkit
## Overview
Curing is a proof-of-concept (PoC) rootkit that leverages the Linux asynchronous I/O mechanism, `io_uring`, to perform malicious actions, including communication with a Command and Control (C2) server, **without invoking traditional system calls**. This bypasses security tools that primarily rely on system call monitoring for detection, creating a significant blind spot in Linux runtime security.
## Technical Details
- Type: Malware/PoC Rootkit
- Platform: Linux
- Capabilities: Asynchronous execution of commands via `io_uring`, C2 communication, evasion of system call monitoring tools.
- First Seen: April 2025 (Based on report date)
## MITRE ATT&CK Mapping
The primary mechanism described relates to evading detection mechanisms (Defense Evasion) by avoiding standard monitoring paths.
- **TA0005 - Defense Evasion**
- **T1053 - System Time Manipulation** (Potential overlap if C2 timings are involved, though not the core mechanism)
- **T1219 - Remote Access Software** (If used for persistent access via C2)
- **T1070.001 - Indicator Removal: File Deletion** (Plausible secondary activity for a rootkit)
- *Note: Common public ATT&CK matrices have no technique that maps directly to bypassing system call monitoring via `io_uring`; the effect is nonetheless evasion of visibility and monitoring techniques.*
## Functionality
### Core Capabilities
- **System Call Evasion:** Executes complex operations (like C2 communication and command execution) entirely through the `io_uring` framework, circumventing the need for traditional system calls that security tools hook.
- **Asynchronous Operation:** Utilizes the Submission Queue (SQ) and Completion Queue (CQ) established by `io_uring` to manage I/O requests asynchronously between user space and the kernel.
- **C2 Communication:** Facilitates communication with an external C2 server to fetch and execute remote commands.
### Advanced Features
- **Leveraging Kernel Interface:** Exploits the functionality of `io_uring` (introduced in kernel 5.1) which is designed to improve I/O performance by reducing the overhead associated with system calls.
- **Targeted Blind Spot:** Specifically designed to render security tools that rely primarily on system call hooking (like Falco and Tetragon in their older configurations) ineffective against its operations.
## Indicators of Compromise
*Note: As this is a PoC described in an article, specific IOCs are not provided explicitly other than the concept of C2 communication.*
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not applicable to Linux kernel exploitation mechanism, though persistence mechanisms would utilize standard Linux artifacts]
- Network Indicators: [Not provided in the context] The expected pattern is C2 traffic to or from the host whose socket operations were issued through `io_uring` rather than through the standard socket system calls.
- Behavioral Indicators: A process performing command execution or network operations through `io_uring` with no corresponding standard syscalls for that activity, or an unusually high volume of `io_uring` use by processes that do not normally need it.
## Associated Threat Actors
- ARMO (the security researchers who developed and reported the PoC; not a threat actor)
- Unknown threat actors who might weaponize this technique (Note: Google previously warned about the strong exploitation primitives provided by `io_uring` in June 2023).
## Detection Methods
- **Signature-based detection:** Limited against this technique, since the activity never produces the system calls that traditional syscall signatures match.
- **Behavioral detection:** Detection must focus on monitoring the *use* of the `io_uring` interface itself, rather than standard syscalls performed after the initial setup.
- **YARA rules:** [Not provided in the context]
## Mitigation Strategies
- **Kernel Monitoring Enhancement:** Update existing runtime security tools (like Falco and Tetragon) to specifically monitor and analyze `io_uring` events, ensuring visibility into operations performed via SQ/CQ buffers.
- **Kernel Hardening:** Restrict the use of the `io_uring` interface where not strictly necessary, similar to actions taken by Google on certain deployments.
- **Contextual Analysis:** Implement security solutions capable of in-depth contextual analysis, validating that operations initiated through high-performance interfaces like `io_uring` align with expected process behavior.
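The behavioral indicator and the kernel-hardening mitigation above can both be checked on a host. The following is an added example (not ARMO's Curing code and not any vendor's detector): it assumes a Linux host with `/proc` mounted, relies on the kernel labelling io_uring instance fds as `anon_inode:[io_uring]` under `/proc/<pid>/fd`, and reads the `kernel.io_uring_disabled` sysctl that exists on Linux 6.6 and later.

```python
import os

# Symlink target the kernel gives io_uring instance fds under /proc/<pid>/fd.
IO_URING_TARGET = "anon_inode:[io_uring]"
# Sysctl added in Linux 6.6; absent on older kernels.
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"

def io_uring_fds(fd_targets: dict[int, str]) -> list[int]:
    """Return the fd numbers whose symlink target marks an io_uring instance."""
    return sorted(fd for fd, target in fd_targets.items() if target == IO_URING_TARGET)

def read_fd_targets(pid: int) -> dict[int, str]:
    """Resolve /proc/<pid>/fd/* symlinks; entries that vanish or are unreadable are skipped."""
    targets: dict[int, str] = {}
    fd_dir = f"/proc/{pid}/fd"
    try:
        names = os.listdir(fd_dir)
    except OSError:  # process exited, or another user's process and we are not root
        return targets
    for name in names:
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue
    return targets

def classify_sysctl(value: str) -> str:
    """Map a kernel.io_uring_disabled value to a hardening verdict."""
    verdicts = {
        "0": "weak: any process may create io_uring instances",
        "1": "restricted: only CAP_SYS_ADMIN or members of the kernel.io_uring_group gid",
        "2": "hardened: io_uring creation disabled for all processes",
    }
    return verdicts.get(value.strip(), f"unknown value {value.strip()!r}")

def scan_procfs() -> dict[int, list[int]]:
    """Map each live pid to the io_uring fds it holds (empty where /proc is absent)."""
    pids = [int(e) for e in os.listdir("/proc") if e.isdigit()] if os.path.isdir("/proc") else []
    found = {pid: io_uring_fds(read_fd_targets(pid)) for pid in pids}
    return {pid: fds for pid, fds in found.items() if fds}

if __name__ == "__main__":
    if os.path.exists(SYSCTL_PATH):
        with open(SYSCTL_PATH) as f:
            print("kernel.io_uring_disabled:", classify_sysctl(f.read()))
    for pid, fds in scan_procfs().items():
        print(f"pid {pid} holds io_uring fds {fds}: compare with the process's expected behaviour")
```

A `/proc` scan only sees rings that are open at the moment of the scan, so it is a triage check rather than a replacement for the event-level `io_uring` visibility the mitigation above asks of runtime tools.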
## Related Tools/Techniques
- **`io_uring`:** The underlying Linux kernel asynchronous I/O framework.
- **Falco:** System call monitoring tool found to be blind to this specific technique initially.
- **Tetragon:** System call monitoring tool found to be blind to this specific technique initially.
- **CrowdStrike Falcon agent:** Failed to detect file system operations performed using `io_uring`, but has since reportedly rolled out a fix.
- **Microsoft Defender for Endpoint on Linux:** Reported to currently lack capability to detect threats using this mechanism.