Stroz Friedberg, a risk management firm under Aon, has identified a sophisticated malware strain targeting Linux systems. Dubbed “sedexp,” the malware abuses udev rules to maintain persistence and evade detection.
According to researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto, “This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics.”
Discovery and Background
The malware relies on a little-known Linux persistence technique built on udev rules. Although it has been in operation for at least two years, it went unnoticed: multiple samples uploaded to online sandboxes showed zero antivirus detections. At the time of the report, the persistence method used by sedexp was not documented in the MITRE ATT&CK framework, which makes it an unusual entry in the threat landscape.
The Role of udev Rules in Persistence
udev is the Linux device manager: a userspace daemon that receives device events (uevents) from the kernel and maintains the device nodes under /dev. It dynamically creates and removes device node files, handles hotplug events, and triggers the loading of kernel modules as needed. Its behaviour is driven by rule files (typically under /etc/udev/rules.d/ and /usr/lib/udev/rules.d/) that match devices by attributes and specify actions, such as running a program through a RUN+= assignment, when a matching device is added or removed.
Sedexp installs a udev rule whose action launches the malware, so the malware is started every time the matching device event occurs. Because the trigger is a device event rather than a login, a cron schedule or a systemd unit, the persistence survives reboots without touching the autostart locations that defenders usually inspect. The rule file itself is then concealed with the memory-manipulation technique described below, so a file listing on the live system does not reveal it.
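The practical check that follows from this is an audit of every RUN action in the udev rule directories. The Python below is an added example, not code from the original article or from the Stroz Friedberg report; it parses udev rule syntax (key, operator and quoted value, with comments and backslash continuations handled) and flags two patterns: a RUN program that lives outside the directories where udev helpers normally reside, and a RUN bound to a memory pseudo-device (major number 1, such as /dev/null or /dev/zero) that the kernel creates on every boot, which turns a hotplug handler into an autostart entry. The trusted path list and the sample rule file are assumptions constructed for this example and do not reproduce any real indicator.

```python
import re
from typing import Iterator

# One key/operator/value assignment as defined in udev(7), for example
#   ACTION=="add"    ENV{MAJOR}=="1"    RUN+="/path/to/prog arg"
# Operators: ==  !=  =  +=  -=  :=  (longest alternatives listed first)
TOKEN_RE = re.compile(
    r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"\s*,?'
)

# Where udev helpers legitimately live (an assumption for this example; tune per distro).
TRUSTED_RUN_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")

# Programs given without a leading "/" are looked up by udev in this directory.
UDEV_HELPER_DIR = "/usr/lib/udev/"

# Memory pseudo-devices (major 1) exist on every boot, so a RUN bound to one of
# them fires at every boot rather than on a real hotplug event.
ALWAYS_PRESENT_NODES = {"null", "zero", "full", "random", "urandom"}


def logical_lines(text: str) -> Iterator[str]:
    """Yield rules with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_rule(rule: str) -> list[tuple[str, str, str]]:
    """Split one logical rule into (key, operator, value) triples."""
    triples, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if m is None:
            raise ValueError(f"unparsable udev rule at offset {pos}: {rule[pos:]!r}")
        triples.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return triples


def run_programs(triples: list[tuple[str, str, str]]) -> list[str]:
    """Absolute paths of external programs started by RUN / RUN{program}; RUN{builtin} is skipped."""
    programs = []
    for key, op, value in triples:
        if key in ("RUN", "RUN{program}") and op in ("+=", "=", ":=") and value.strip():
            prog = value.split()[0]
            programs.append(prog if prog.startswith("/") else UDEV_HELPER_DIR + prog)
    return programs


def matches_always_present_device(triples: list[tuple[str, str, str]]) -> bool:
    """True if the rule's match keys select a memory pseudo-device present at every boot."""
    for key, op, value in triples:
        if op != "==":
            continue
        if key == "KERNEL" and value in ALWAYS_PRESENT_NODES:
            return True
        if key == "ENV{MAJOR}" and value == "1":
            return True
        if key == "SUBSYSTEM" and value == "mem":
            return True
    return False


def flag_suspicious_rules(text: str) -> list[dict]:
    """Return one finding per RUN program that looks like a persistence hook."""
    findings = []
    for rule in logical_lines(text):
        triples = parse_rule(rule)
        boot_time = matches_always_present_device(triples)
        for prog in run_programs(triples):
            reasons = []
            if not prog.startswith(TRUSTED_RUN_PREFIXES):
                reasons.append("program outside trusted udev helper directories")
            if boot_time:
                reasons.append("RUN bound to an always-present device node (runs at every boot)")
            if reasons:
                findings.append({"rule": rule, "program": prog, "reasons": reasons})
    return findings


# Constructed sample rules for this example; not taken from any real system or malware.
SAMPLE_RULES = r'''
# 99-constructed-sample.rules
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sd[a-z]", RUN{builtin}+="kmod load usb-storage"
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="abcd", \
    RUN+="/usr/lib/udev/example-helper --probe"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="3", RUN+="/dev/shm/.cache/updater run"
ACTION=="add", KERNEL=="zero", RUN+="backup-agent start"
'''

if __name__ == "__main__":
    for finding in flag_suspicious_rules(SAMPLE_RULES):
        print(finding["program"], "->", "; ".join(finding["reasons"]))
        print("   ", finding["rule"])
```

Two of the four constructed rules are flagged: the one that runs a program out of /dev/shm and matches major 1 / minor 3 (/dev/null), and the one whose program path looks respectable but is bound to /dev/zero, which the first heuristic alone would miss. Because the article reports that sedexp hides any file whose name contains "sedexp" from standard commands on the live host, feed this scan the rule directories of a disk image mounted read-only on a clean analysis system rather than the running machine, and compare the result with what the live system shows.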
Malware Capabilities: Stealth and Control
Sedexp’s capabilities go beyond persistence. The malware includes a reverse shell, giving attackers interactive control over compromised systems. It also tampers with process memory so that any file whose name contains the string “sedexp” is hidden from standard directory-listing commands. The researchers observed this capability being used to conceal web shells, modified Apache configuration files, and the udev rule itself.
Threat Intelligence Insights
The analysis indicates that sedexp is deployed by a financially motivated threat actor. So far, the malware has been used for credit card scraping: malicious code hidden on compromised web servers harvests payment data from visitors. Despite being in circulation since at least 2022, sedexp has avoided detection, which underlines how effective its concealment is and why forensic analysis of the disk, rather than of the live system alone, is needed to find it.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.