A sophisticated new Linux evasion tool called RingReaper has emerged, leveraging the legitimate io_uring kernel feature to bypass modern Endpoint Detection and Response (EDR) systems. This advanced red team tool demonstrates how attackers can exploit high-performance asynchronous I/O operations to conduct stealthy operations while remaining undetected by traditional security monitoring mechanisms. Its ability to perform file exfiltration, access sensitive files, and execute commands while remaining undetected highlights critical gaps in current security monitoring approaches.

We recently discussed a security vulnerability in Linux’s io_uring that allows attackers to covertly deploy rootkits. The same weakness has now been leveraged by this new tool to evade EDR systems effectively.

Unlike traditional approaches that rely on direct system calls, RingReaper operates through io_uring’s submission and completion rings, effectively bypassing the syscall-based detection mechanisms that most EDR solutions monitor. Network communication, for example, takes place through io_uring operations rather than the traditional send/recv syscalls, which makes detection significantly more challenging. By using io_uring’s asynchronous batch-processing model, RingReaper generates significantly fewer auditable events, which its authors claim makes it “Fully Undetectable” (FUD) to current EDR solutions. Current EDR solutions fail because they monitor standard syscalls rather than io_uring operations.

Beyond evasion, RingReaper incorporates sophisticated post-exploitation capabilities, including file operations, process enumeration, and user discovery.
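For defenders, the practical question is what remains observable when a tool moves its data operations into the rings. The script below is an added example written for this article; it is not code from the RingReaper project or from the original report. It shows three host-side checks: listing processes that hold an io_uring instance (such descriptors resolve to the literal target `anon_inode:[io_uring]` under `/proc/<pid>/fd/`), reading the `kernel.io_uring_disabled` sysctl that kernels from 6.6 onward provide, and emitting auditd rules for the three io_uring syscalls. A ring cannot exist without at least one `io_uring_setup` call, so that event is the one an io_uring-based tool cannot avoid even when SQPOLL later removes most `io_uring_enter` calls. The function names, the script filename and the constructed proc tree used for testing are this example's own assumptions.

```shell
#!/bin/sh
# Host-side io_uring visibility checks (added example, not RingReaper code).
# Assumptions: a Linux /proc layout; on kernels >= 6.6 the sysctl
# kernel.io_uring_disabled exists. Function names are this example's own.

# List "PID COMM" for every process that holds an io_uring instance.
# An io_uring file descriptor resolves to the literal target
# "anon_inode:[io_uring]" under /proc/<pid>/fd/. Takes an optional proc
# root so the function can be run against a constructed tree.
# Returns 0 if at least one process was found, 1 otherwise.
# Run as root on a real host, otherwise other users' fd tables are unreadable.
find_io_uring_procs() {
    proc_root="${1:-/proc}"
    found=1
    for fd_dir in "$proc_root"/[0-9]*/fd; do
        [ -d "$fd_dir" ] || continue
        pid_dir="${fd_dir%/fd}"
        pid="${pid_dir##*/}"
        for fd in "$fd_dir"/*; do
            [ -L "$fd" ] || continue
            target="$(readlink "$fd" 2>/dev/null)" || continue
            if [ "$target" = "anon_inode:[io_uring]" ]; then
                comm="?"
                [ -r "$pid_dir/comm" ] && comm="$(cat "$pid_dir/comm")"
                echo "$pid $comm"
                found=0
                break   # one hit per process is enough
            fi
        done
    done
    return $found
}

# Report the kernel.io_uring_disabled policy (Linux 6.6+). Takes an optional
# path so a constructed file can stand in for the sysctl. Return codes:
# 0 = rings cannot be created at all, 1 = restricted to CAP_SYS_ADMIN and
# kernel.io_uring_group members, 2 = unrestricted (or sysctl absent).
io_uring_policy_status() {
    sysctl_file="${1:-/proc/sys/kernel/io_uring_disabled}"
    if [ -r "$sysctl_file" ]; then
        value="$(cat "$sysctl_file")"
    else
        value="absent"
    fi
    case "$value" in
        2) echo "kernel.io_uring_disabled=2: io_uring_setup fails for every process"; return 0 ;;
        1) echo "kernel.io_uring_disabled=1: only CAP_SYS_ADMIN or kernel.io_uring_group may create rings"; return 1 ;;
        0) echo "kernel.io_uring_disabled=0: any process may create rings"; return 2 ;;
        *) echo "kernel.io_uring_disabled absent (kernel < 6.6?): io_uring is unrestricted"; return 2 ;;
    esac
}

# Print auditd rules for the three io_uring syscalls. Syscall numbers are
# used instead of names because older audit userspace cannot resolve the
# io_uring_* names; 425/426/427 are io_uring_setup/io_uring_enter/
# io_uring_register on every architecture, since these calls were added
# with unified numbering. io_uring_setup is the event a ring-based tool
# cannot avoid: without it there is no ring to submit work to.
io_uring_audit_rules() {
    for arch in b64 b32; do
        echo "-a always,exit -F arch=$arch -S 425 -S 426 -S 427 -k io_uring"
    done
}

# Entry point: `sh io_uring_check.sh scan` runs all three checks on this host.
if [ "${1:-}" = "scan" ]; then
    echo "# processes holding an io_uring instance:"
    find_io_uring_procs /proc || echo "(none)"
    io_uring_policy_status || true
    echo "# audit rules to load with 'auditctl -R <file>':"
    io_uring_audit_rules
fi
```

The fd scan is a point-in-time check and will also list legitimate io_uring users (databases, some runtimes), so treat a hit as a lead to correlate with the process's parent, path and network activity rather than as a verdict. Setting `kernel.io_uring_disabled=2` is the blunt mitigation and breaks those legitimate users; `1` with a `kernel.io_uring_group` is the usual compromise. The audit rule is what turns the one unavoidable syscall into a logged event that an EDR or SIEM can alert on.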
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 07 Jul 2025 12:30:15 +0000