Cybersecurity researchers have uncovered a new stealthy piece of Linux malware that leverages an unconventional technique to achieve persistence on infected systems and hide credit card skimmer code.
The malware, attributed to a financially motivated threat actor, has been codenamed sedexp by Aon’s Stroz Friedberg incident response services team.
“This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics,” researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto said.
It’s not surprising that malicious actors are constantly improvising and refining their tradecraft, and have turned to novel techniques to evade detection.
What makes sedexp noteworthy is its use of udev rules to maintain persistence. Udev, replacement for the Device File System, offers a mechanism to identify devices based on their properties and configure rules to respond when there is a change in the device state, i.e., a device is plugged in or removed.
Each line in the udev rules file has at least once key-value pair, making it possible to match devices by name and trigger certain actions when various device events are detected (e.g., trigger an automatic backup when an external drive is attached).
“A matching rule may specify the name of the device node, add symbolic links pointing to the node, or run a specified program as part of the event handling,” SUSE Linux notes in its documentation. “If no matching rule is found, the default device node name is used to create the device node.”
The udev rule for sedexp — ACTION==”add”, ENV{MAJOR}==”1″, ENV{MINOR}==”8″, RUN+=”asedexpb run:+” — is set up such that the malware is run whenever /dev/random (corresponds to device minor number 8) is loaded, which typically occurs upon every reboot.
Put differently, the program specified in the RUN parameter is executed every time after a system restart.
The malware comes with capabilities to launch a reverse shell to facilitate remote access to the compromised host, as well as modify memory to conceal any file containing the string “sedexp” from commands like ls or find.
Stroz Friedberg said in the instances it investigated, the capability has been put to use to hide web shells, altered Apache configuration files, and the udev rule itself.
“The malware was used to hide credit card scraping code on a web server, indicating a focus on financial gain,” the researchers said. “The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware.”