Linux malware sedexp uses udev rules for persistence and evasion
August 26, 2024
Researchers spotted a new stealthy Linux malware named sedexp that uses Linux udev rules to achieve persistence and evade detection.
Aon’s Cyber Solutions spotted a new malware family, called sedexp, that relies on a lesser-known Linux persistence technique. The malware has been active since at least 2022 but remained largely undetected for years. The experts pointed out that the persistence method employed by this malware is currently undocumented by MITRE ATT&CK.
The technique allows the malware to maintain persistence on infected systems and hide credit card skimmer codes.
Sedexp uses udev rules to maintain persistence. Udev is a system component that manages device events on Linux systems, allowing it to identify devices based on their properties and configure rules to trigger actions when devices are plugged in or removed. This innovative use of udev rules makes sedexp stand out as a persistence mechanism.
“During a recent investigation, Stroz Friedberg discovered malware using udev rules to maintain persistence. This technique allows the malware to execute every time a specific device event occurs, making it stealthy and difficult to detect.” reads the report published by AON. “This rule ensures that the malware is run whenever /dev/random is loaded. /dev/random is a special file that serves as a random number generator, used by various system processes and applications to obtain entropy for cryptographic operations, secure communications, and other functions requiring randomness. It is loaded by the operating system on every reboot, meaning this rule would effectively ensure that the sedexp script is run upon system reboot.”
The sedexp malware has two notable features:
- Reverse Shell Capability: It allows the attacker to maintain control over the compromised system remotely.
- Memory Modification for Stealth: The malware modifies memory to hide files containing the string “sedexp” from commands like
ls
orfind
, effectively concealing webshells, modified Apache configuration files, and the udev rule itself.
The researchers believe that threat actor behind the malware sedexp is financially motivated.
“The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware. Leveraging rarely utilized persistence techniques like udev rules highlights the need for thorough and advanced forensic analysis.” concludes the report. “Organizations should continuously update their detection capabilities, implement comprehensive security measures to mitigate such threats, and ensure a capable DFIR firm is engaged to complete a forensic review of any possibly compromised servers.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganin
(SecurityAffairs – hacking, malware )