RingReaper, a new sophisticated malware in the wild, targets Linux systems and allows applications to perform operations such as reading, writing, and receiving files. Instead of routing through traditional system calls, RingReaper uses io_uring to dramatically reduce traces that typical endpoint protection tools rely on to spot malicious behavior in a system. By doing this, RingReaper becomes practically invisible. RingReaper is one of the first post-exploitations to use io_uring operations to bypass security.

According to a blog post on the Picus Security Validation Platform by Sıla Özeren Hacıoğlu, "This method allows the malware to efficiently gather user session data without relying on traditional synchronous commands like who or w." Özeren continues, "By doing so, it reduces system call overhead and minimizes the likelihood of detection by security monitoring tools."

Özeren's blog post points to a few methods for detection, which include monitoring abnormal asynchronous reads of /proc using io_uring, flagging processes that enumerate PTS sessions or logged-in users (outside of the normal admin tools), looking for unexpected binaries in user directories, detecting io_uring access to kernel network tables, monitoring unusual processes gathering connection info that don't use standard network tools, and several more.

Of course, the blog post points to the Picus Security Validation Platform as a means to help defend against RingReaper, so do with that information what you will.

Make sure to read through the entire blog post, so you understand the full extent of what RingReaper is and does.