Attackers favour Linux malware because Linux systems run much of the world's critical servers and infrastructure.
By exploiting vulnerabilities in Linux, threat actors can gain complete control over these systems and carry out a range of malicious activities, such as deploying additional malicious software and building botnets.
AON's Stroz Friedberg recently discovered a stealthy Linux malware, 'Sedexp,' that has gone undetected since 2022.
Stealthy Linux Malware
Sedexp uses udev rules in Linux for persistence and, to avoid detection, manipulates memory to hide those rules, a more advanced technique than seen before.
udev is the device management system of the Linux kernel: it dynamically manages the device nodes in the /dev directory, responds to hotplug events, and loads the drivers that are needed.
udev rule files are stored in /etc/udev/rules.d/ or /lib/udev/rules.d/. They match devices and take an action when an event occurs, such as the addition or removal of a device.
Each rule is made up of several conditions and the actions to take when they match, following a syntax like:-
- ACTION=="add"
- KERNEL=="sdb1"
- RUN+="/path/to/script"
This rule means: if a device called sdb1 is added, execute the script. Traditional detection techniques can be bypassed in this way, since Sedexp abuses these rules to maintain a persistent presence on the system.
The malware uses udev rules to maintain its presence on the system, with a focus on being run whenever /dev/random (major=1, minor=8) is added after the computer is restarted.
The udev rule ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+" triggers the malware, named "sedexp".
Besides this, the key features include:-
- A reverse shell capability
- Memory modification to hide files containing “sedexp” from ls and find commands
The malware disguises itself as "kdevtmpfs" using prctl(PR_SET_NAME, "kdevtmpfs", 0, 0, 0) so that it blends in with legitimate processes.
It achieves persistence by copying itself to /lib/udev/ and creating a udev rule in /etc/udev/rules.d/.
To connect back to the attacker, the reverse shell functionality uses socket programming (AF_INET, SOCK_STREAM), redirecting STDIN, STDOUT, and STDERR to the socket before executing /bin/sh.
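The two host-side checks that follow from the description above, as an added example that is not part of the original article or of the Stroz Friedberg report: a small udev rule parser that flags RUN+= rules triggering on /dev/random (major 1, minor 8) or launching a program by a relative name (resolved under /lib/udev), and a check for a user process carrying the kdevtmpfs name, which a genuine kernel thread would not have (empty cmdline, parent PID 2). The sample rules are constructed for the demo.

```python
import re

# Constructed sample udev rules for the demo (not taken from the report): one
# ordinary rule and one built to match the trigger pattern described above.
SAMPLE_RULES = """
# benign: run a mount helper when a specific partition appears
ACTION=="add", KERNEL=="sdb1", RUN+="/usr/local/bin/mount-backup.sh"
# suspicious: fires on /dev/random (major 1, minor 8), i.e. at every boot
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# key[{arg}] operator "value"; operators ==, !=, +=, = cover ACTION/KERNEL/ENV/RUN
TOKEN_RE = re.compile(r'(\w+(?:\{[^}]*\})?)\s*(==|!=|\+=|=)\s*"([^"]*)"')

def parse_rules(text):
    """Return one {key: (operator, value)} dict per non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append({k: (op, v) for k, op, v in TOKEN_RE.findall(line)})
    return rules

def suspicious_reasons(rule):
    """Reasons a rule looks like boot-time persistence rather than device handling."""
    reasons = []
    run = rule.get("RUN", ("", ""))[1]
    if not run:
        return reasons  # rules that execute nothing are out of scope here
    if rule.get("ENV{MAJOR}", ("", ""))[1] == "1" and rule.get("ENV{MINOR}", ("", ""))[1] == "8":
        reasons.append("matches /dev/random (major 1, minor 8), present on every boot")
    if not run.startswith("/"):
        reasons.append("RUN program is not an absolute path (resolved under /lib/udev)")
    return reasons

def scan_rules(text):
    """Return [(rule, reasons)] for every rule with at least one finding."""
    findings = []
    for rule in parse_rules(text):
        reasons = suspicious_reasons(rule)
        if reasons:
            findings.append((rule, reasons))
    return findings

def masquerading_kernel_thread(comm, cmdline, ppid):
    """A real kernel thread such as kdevtmpfs has an empty /proc/PID/cmdline and
    is a child of kthreadd (PID 2); a user process carrying that name is not."""
    return comm == "kdevtmpfs" and (cmdline != "" or ppid != 2)

if __name__ == "__main__":
    for rule, reasons in scan_rules(SAMPLE_RULES):
        print(rule["RUN"][1], "->", "; ".join(reasons))
```

On a live host, feed the contents of each file under /etc/udev/rules.d/ and /lib/udev/rules.d/ to scan_rules, and the comm, cmdline and PPid fields from /proc/PID/ to masquerading_kernel_thread.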
The malware's code includes the following:-
- memory allocation (calloc)
- argument handling (strdup, memset)
- file operations (readlink, fopen, fprintf)
- system calls (system, execl)
It also uses network programming (socket, connect, htons, inet_addr) for the reverse shell.
This sophisticated approach makes the malware stealthier and more persistent, and therefore more difficult to detect.
The sedexp malware was employed by a financially motivated actor who used udev rules to maintain persistence on Linux systems. It has been active since 2022 and was used to hide credit card scraping code on web servers, Stroz Friedberg said.
Several malware samples found through OSINT analysis had no detection records in online sandboxes, highlighting its stealthiness.
To mitigate such advanced threats effectively, organizations need a comprehensive approach to their security.
IoCs
SHA256: 43f72f4cdab8ed40b2f913be4a55b17e7fd8a7946a636adb4452f685c1ffea02
SHA256: 94ef35124a5ce923818d01b2d47b872abd5840c4f4f2178f50f918855e0e5ca2
SHA256: b981948d51e344972d920722385f2370caf1e4fac0781d508bc1f088f477b648