{"id":167567,"date":"2024-08-26T06:50:50","date_gmt":"2024-08-26T06:50:50","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=167567"},"modified":"2024-08-26T06:50:52","modified_gmt":"2024-08-26T06:50:52","slug":"linux-malware-sedexp","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/167567\/malware\/linux-malware-sedexp.html","title":{"rendered":"Linux malware sedexp uses udev rules for persistence and evasion"},"content":{"rendered":"
<\/div>\n

Researchers spotted a new stealthy Linux malware named sedexp that uses Linux udev rules to achieve persistence and evade detection.<\/h2>\n\n\n\n

Aon\u2019s Cyber Solutions spotted a new malware family, called sedexp, that relies on a lesser-known Linux persistence technique. The malware has been active since at least 2022 but remained largely undetected for years. The experts pointed out that the persistence method employed by this malware is currently undocumented by MITRE ATT&CK. <\/p>\n\n\n\n

The technique allows the malware to maintain persistence on infected systems and hide credit card skimmer codes.<\/p>\n\n\n\n

Sedexp uses udev<\/em> rules to maintain persistence. Udev<\/em> is a system component that manages device events on Linux systems, allowing it to identify devices based on their properties and configure rules to trigger actions when devices are plugged in or removed. This innovative use of udev<\/em> rules makes sedexp stand out as a persistence mechanism.<\/p>\n\n\n\n

“During a recent investigation, Stroz Friedberg discovered malware using udev rules to maintain persistence. This technique allows the malware to execute every time a specific device event occurs, making it stealthy and difficult to detect.” reads the report<\/strong><\/a> published by AON. “This rule ensures that the malware is run whenever\u00a0\/dev\/random<\/em>\u00a0is loaded.\u00a0\/dev\/random<\/em>\u00a0is a special file that serves as a random number generator, used by various system processes and applications to obtain entropy for cryptographic operations, secure communications, and other functions requiring randomness. It is loaded by the operating system on every reboot, meaning this rule would effectively ensure that the sedexp script is run upon system reboot.”<\/p>\n\n\n\n

The sedexp<\/em> malware has two notable features:<\/gwmw><\/p>\n\n\n\n

    \n
  1. Reverse Shell Capability:<\/strong> It allows the attacker to maintain control over the compromised system remotely.<\/li>\n\n\n\n
  2. Memory Modification for Stealth:<\/strong> The malware modifies memory to hide files containing the string “sedexp” from commands like ls<\/code> or find<\/code>, effectively concealing webshells, modified Apache configuration files, and the udev<\/em> rule itself.<\/gwmw><\/li>\n<\/ol>\n\n\n\n

    The researchers believe that threat actor behind the malware sedexp is financially motivated.<\/p>\n\n\n\n