Tuesday, July 8, 2025

New Linux EDR Evasion Tool Exploits io_uring Kernel Feature


A new tool named RingReaper is raising eyebrows among defenders and red teamers alike.

By leveraging the legitimate, high-performance Linux kernel interface known as io_uring, RingReaper demonstrates how advanced attackers can sidestep even modern Endpoint Detection and Response (EDR) systems.

The Rise of io_uring in Offensive Security

Introduced in Linux kernel 5.1, io_uring was designed to provide high-throughput, asynchronous I/O.

Instead of the traditional model, where each file or network operation triggers a separate, easily monitored syscall, io_uring lets a process place multiple I/O requests in a submission queue shared with the kernel (a ring buffer mapped into both user space and the kernel).

The kernel processes these requests as resources allow and returns results through a separate completion queue. This design eliminates the per-operation, blocking syscalls that most EDRs are built to watch: creating the ring (io_uring_setup) and submitting a batch (io_uring_enter) are still syscalls, but the open, read, write, send and connect requests inside the batch are not. With the IORING_SETUP_SQPOLL flag a kernel thread polls the submission queue on the application's behalf, so even io_uring_enter can largely disappear from the trace.

Key advantages of io_uring for attackers:

  • Multiple operations (open, read, write, send, connect) are handled in batches.
  • Fewer individual syscalls are visible to EDRs.
  • Asynchronous operations reduce the "noise" that malware usually generates.

RingReaper is a backdoor agent that, while not yet persistent, is designed for stealth and flexibility.

It connects to an attacker-controlled command-and-control (C2) server, accepts commands and performs a range of post-exploitation tasks, all while evading traditional monitoring.

Core features include:

  • Network communication via io_uring_prep_send and io_uring_prep_recv
  • File operations using io_uring_prep_openat and io_uring_prep_read
  • File upload/download without explicit read/write syscalls
  • Remote command execution: listing users, processes and connections
  • Self-deletion using io_uring_prep_unlinkat

The agent's C2 server, written in Python, lets operators interactively send commands and receive responses, including file transfers.
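As an added worked example (written for this page; it is not RingReaper's code, and it does not use liburing, whose io_uring_prep_openat and io_uring_prep_read helpers the agent is reported to use), the program below does what those helpers do underneath: it opens, reads and closes a file with raw io_uring_setup, mmap and io_uring_enter syscalls, so no openat, read or close for the file ever reaches a syscall-based monitor. The default file path and the ring size of four entries are arbitrary choices; the code assumes Linux kernel headers from 5.6 or later, where the OPENAT, READ and CLOSE opcodes exist.

```c
/* Added example, not RingReaper's code: open, read and close a file entirely
 * through io_uring with raw syscalls (no liburing). Needs Linux >= 5.6 headers.
 * Build: cc -O2 -o uring_read uring_read.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/io_uring.h>

struct ring {
    int fd;
    void *sq_map, *cq_map;
    size_t sq_len, cq_len, sqes_len;
    unsigned *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_tail, *cq_mask;
    struct io_uring_sqe *sqes;
    struct io_uring_cqe *cqes;
};

/* io_uring_setup plus the three mappings shared with the kernel: SQ ring, CQ ring, SQE array. */
static int ring_init(struct ring *r) {
    struct io_uring_params p;
    memset(&p, 0, sizeof p);
    r->fd = (int)syscall(__NR_io_uring_setup, 4, &p);
    if (r->fd < 0) return -errno;      /* EPERM/ENOSYS: blocked by seccomp or kernel.io_uring_disabled */
    r->sq_len = p.sq_off.array + p.sq_entries * sizeof(unsigned);
    r->cq_len = p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe);
    r->sqes_len = p.sq_entries * sizeof(struct io_uring_sqe);
    int prot = PROT_READ | PROT_WRITE, flags = MAP_SHARED | MAP_POPULATE;
    r->sq_map = mmap(NULL, r->sq_len, prot, flags, r->fd, IORING_OFF_SQ_RING);
    r->cq_map = mmap(NULL, r->cq_len, prot, flags, r->fd, IORING_OFF_CQ_RING);
    r->sqes = mmap(NULL, r->sqes_len, prot, flags, r->fd, IORING_OFF_SQES);
    if (r->sq_map == MAP_FAILED || r->cq_map == MAP_FAILED || r->sqes == MAP_FAILED) { close(r->fd); return -ENOMEM; }
    char *sq = r->sq_map, *cq = r->cq_map;
    r->sq_tail = (unsigned *)(sq + p.sq_off.tail);
    r->sq_mask = (unsigned *)(sq + p.sq_off.ring_mask);
    r->sq_array = (unsigned *)(sq + p.sq_off.array);
    r->cq_head = (unsigned *)(cq + p.cq_off.head);
    r->cq_tail = (unsigned *)(cq + p.cq_off.tail);
    r->cq_mask = (unsigned *)(cq + p.cq_off.ring_mask);
    r->cqes = (struct io_uring_cqe *)(cq + p.cq_off.cqes);
    return 0;
}

/* Queue one SQE, submit it with a single io_uring_enter, wait for its CQE and return
 * cqe->res (a value or -errno). Whatever the SQE asks for, io_uring_enter is the only syscall. */
static int submit_one(struct ring *r, const struct io_uring_sqe *sqe) {
    unsigned tail = *r->sq_tail, idx = tail & *r->sq_mask;
    r->sqes[idx] = *sqe;
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);   /* publish the SQE to the kernel */
    if (syscall(__NR_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0) return -errno;
    unsigned head = __atomic_load_n(r->cq_head, __ATOMIC_ACQUIRE);
    if (head == __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE)) return -EAGAIN;
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);   /* consume the CQE */
    return res;
}

/* IORING_OP_OPENAT, then IORING_OP_READ of up to len bytes, then IORING_OP_CLOSE, all via the
 * ring. Returns bytes read or -errno. No openat(2), read(2) or close(2) is issued for the file. */
long uring_read_file(const char *path, char *buf, unsigned len) {
    struct ring r;
    int rc = ring_init(&r);
    if (rc < 0) return rc;
    struct io_uring_sqe sqe;
    memset(&sqe, 0, sizeof sqe);
    sqe.opcode = IORING_OP_OPENAT; sqe.fd = AT_FDCWD;
    sqe.addr = (unsigned long)path; sqe.open_flags = O_RDONLY;
    long n = submit_one(&r, &sqe);                 /* res: new fd or -errno (e.g. -ENOENT) */
    if (n >= 0) {
        int fd = (int)n;
        memset(&sqe, 0, sizeof sqe);
        sqe.opcode = IORING_OP_READ; sqe.fd = fd;
        sqe.addr = (unsigned long)buf; sqe.len = len;
        n = submit_one(&r, &sqe);                  /* res: bytes read or -errno */
        memset(&sqe, 0, sizeof sqe);
        sqe.opcode = IORING_OP_CLOSE; sqe.fd = fd;
        submit_one(&r, &sqe);
    }
    munmap(r.sq_map, r.sq_len); munmap(r.cq_map, r.cq_len); munmap(r.sqes, r.sqes_len);
    close(r.fd);                                   /* the ring fd itself is an ordinary fd */
    return n;
}

int main(int argc, char **argv) {
    char buf[4096];
    long n = uring_read_file(argc > 1 ? argv[1] : "/etc/hostname", buf, sizeof buf);
    if (n < 0) { fprintf(stderr, "io_uring read failed: %s\n", strerror((int)-n)); return EXIT_FAILURE; }
    fwrite(buf, 1, (size_t)n, stdout);
    return EXIT_SUCCESS;
}
```

Run it under strace next to the equivalent cat: the cat trace shows openat, read and close naming the file, while the io_uring trace shows io_uring_setup, three mmap calls and three io_uring_enter calls with nothing that names the file. A real agent would queue several SQEs and submit them with a single io_uring_enter, or use SQPOLL to avoid even that. If uring_read_file returns -EPERM or -ENOSYS, the host has io_uring blocked by seccomp or by kernel.io_uring_disabled, which is itself a useful data point for a defender.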

How EDRs Are Bypassed

Traditional Linux EDR tools monitor syscalls like open, connect, read and write, typically using hooks or eBPF probes (for example, tracepoints on sys_enter_read, kprobes on the syscall handlers, or an audit rule per syscall).

RingReaper sidesteps these by funneling all I/O through io_uring, which batches operations and exposes only minimal syscall activity (primarily io_uring_enter).

This drastically reduces the number of events visible to EDRs, making detection much harder.

Why this works:

  • Most EDRs do not yet monitor io_uring in depth: they may log io_uring_enter, but not the opcodes (open, read, send, unlink) carried in the submitted batch.
  • Malicious traffic can be disguised as legitimate, especially over standard ports like 443 (this is ordinary C2 blending and does not depend on io_uring).

While RingReaper currently enjoys a high degree of stealth, defenders are not powerless.

In principle, EDRs could hook io_uring_enter or use eBPF to trace io_uring operations, but few commercial products do so today. The building blocks already exist in the kernel: the io_uring subsystem has its own tracepoints (listed under /sys/kernel/tracing/events/io_uring/, including io_uring_create and, on recent kernels, io_uring_submit_req, which records the opcode of every submitted request), and a process holding a ring shows an anon_inode:[io_uring] entry in /proc/<pid>/fd. Where io_uring is not needed at all, it can simply be turned off: since Linux 6.6 the sysctl kernel.io_uring_disabled can restrict it to one group or disable it outright, and seccomp can block io_uring_setup, as Docker's default seccomp profile already does.

As advanced attackers adopt these techniques, defenders must adapt by updating detection logic and becoming familiar with io_uring's internals.
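As an added example of the kind of check a defender can run today (written for this page; it is not code from RingReaper's authors or from any EDR vendor): every io_uring instance is an anonymous inode, and its fd link in /proc/<pid>/fd reads anon_inode:[io_uring], so processes holding a ring can be listed without any kernel tracing. The program below walks /proc and reports them; to show the check working, its main opens a ring in its own process first. It assumes the Linux io_uring headers are installed and needs root to inspect other users' processes.

```c
/* Added example, not RingReaper's or any vendor's code: list processes holding an
 * io_uring instance by scanning /proc/<pid>/fd for "anon_inode:[io_uring]".
 * Build: cc -O2 -o uring_hunt uring_hunt.c ; run as root to see every process. */
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/io_uring.h>

/* 1 if a readlink() target from /proc/<pid>/fd names an io_uring instance. */
int is_io_uring_fd_link(const char *target) {
    return target != NULL && strcmp(target, "anon_inode:[io_uring]") == 0;
}

/* Number of io_uring fds held by pid, or -errno if /proc/<pid>/fd is not
 * readable (EACCES for other users' processes when not root). */
int count_io_uring_fds(pid_t pid) {
    char dir[64], link[384], target[256];
    snprintf(dir, sizeof dir, "/proc/%d/fd", (int)pid);
    DIR *d = opendir(dir);
    if (!d) return -errno;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;   /* skips "." and ".." */
        snprintf(link, sizeof link, "%s/%s", dir, e->d_name);
        ssize_t n = readlink(link, target, sizeof target - 1);
        if (n < 0) continue;                                   /* fd closed meanwhile */
        target[n] = '\0';
        if (is_io_uring_fd_link(target)) count++;
    }
    closedir(d);
    return count;
}

/* Process name from /proc/<pid>/comm, trailing newline stripped. */
static void read_comm(pid_t pid, char *buf, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    buf[0] = '\0';
    FILE *f = fopen(path, "r");
    if (!f) return;
    if (fgets(buf, (int)len, f)) buf[strcspn(buf, "\n")] = '\0';
    fclose(f);
}

/* Walk /proc, print every process with at least one io_uring fd to out, and
 * return how many were found (-1 if /proc itself cannot be read). */
int report_io_uring_users(FILE *out) {
    DIR *proc = opendir("/proc");
    if (!proc) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        pid_t pid = (pid_t)atoi(e->d_name);
        int n = count_io_uring_fds(pid);
        if (n <= 0) continue;          /* no ring, or not readable without privilege */
        char comm[64];
        read_comm(pid, comm, sizeof comm);
        fprintf(out, "pid=%d comm=%s io_uring_fds=%d\n", (int)pid, comm, n);
        hits++;
    }
    closedir(proc);
    return hits;
}

int main(void) {
    /* Open a ring in this process so the scan has something to find. */
    struct io_uring_params p;
    memset(&p, 0, sizeof p);
    int ring = (int)syscall(__NR_io_uring_setup, 1, &p);
    if (ring < 0) perror("io_uring_setup (io_uring blocked on this host?)");
    int hits = report_io_uring_users(stdout);
    if (hits < 0) { perror("/proc"); return EXIT_FAILURE; }
    printf("%d process(es) hold io_uring instances\n", hits);
    return EXIT_SUCCESS;
}
```

This is a triage check rather than a detection: it only sees rings that are open at scan time and says nothing about what the ring is being used for. The opcode-level view (which process submitted OPENAT, SEND or UNLINKAT requests) needs the io_uring tracepoints or an eBPF program attached to them, and a baseline of which legitimate software on the host uses io_uring (databases and some runtimes do) so that alerts are not drowned in noise.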
