Cybersecurity researchers have uncovered a new stealthy piece of Linux malware that uses an unconventional technique to achieve persistence on infected systems and hide credit card skimmer code.
The malware, attributed to a financially motivated threat actor, has been codenamed sedexp by Aon’s Stroz Friedberg incident response services team.
“This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics,” researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto said.
It is not surprising that malicious actors are constantly improvising and refining their tradecraft, and have turned to novel methods to evade detection.
What makes sedexp noteworthy is its use of udev rules to maintain persistence. Udev, the replacement for the Device File System, offers a mechanism to identify devices based on their properties and to configure rules that respond when the device state changes, i.e., when a device is plugged in or removed.
Every line in a udev rules file has at least one key-value pair, making it possible to match devices by name and trigger certain actions when various device events are detected (e.g., trigger an automatic backup when an external drive is attached).
“A matching rule may specify the name of the device node, add symbolic links pointing to the node, or run a specified program as part of the event handling,” SUSE Linux notes in its documentation. “If no matching rule is found, the default device node name is used to create the device node.”
The udev rule for sedexp, ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+", is set up so that the malware is run every time /dev/random (the device with major number 1 and minor number 8) is loaded, which typically happens on every reboot.
Put differently, the program specified in the RUN parameter is executed every time the system restarts.
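As an added defensive illustration, not code from the Stroz Friedberg report, the following Python scanner tokenizes udev rule lines and flags RUN entries that are keyed on device 1:8 (/dev/random) or that name a program without an absolute path. The rules-file body is constructed for the example, with the sedexp rule reproduced from the article alongside benign rules.

```python
import re

# Constructed udev rules-file body (not from a real host). The last line
# reproduces the sedexp rule quoted in the article; the others are benign.
SAMPLE_RULES = """\
# stable symlink for a USB serial adapter
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", SYMLINK+="ttyFTDI"
ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="ext4", RUN+="/usr/local/bin/backup.sh"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# key, optional {subkey}, operator, quoted value
TOKEN = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

def parse_rule(line):
    """Split one udev rule line into (key, subkey, operator, value) tuples."""
    return [(k, sub or None, op, val) for k, sub, op, val in TOKEN.findall(line)]

def flag_rule(line):
    """Return reasons a rule looks like a boot-time persistence hook; [] if none."""
    tokens = parse_rule(line)
    runs = [val for k, _, op, val in tokens if k == "RUN" and op in ("+=", "=")]
    if not runs:
        return []  # rules that only name or symlink a device execute nothing
    reasons = []
    majors = {val for k, sub, op, val in tokens if (k, sub, op) == ("ENV", "MAJOR", "==")}
    minors = {val for k, sub, op, val in tokens if (k, sub, op) == ("ENV", "MINOR", "==")}
    # /dev/random is device 1:8 and is always present, so an "add" rule
    # keyed on it fires on every boot (the sedexp trick)
    if "1" in majors and "8" in minors:
        reasons.append("keyed on /dev/random (1:8): runs on every boot")
    for prog in runs:
        # udev resolves a program without a leading slash relative to
        # /usr/lib/udev, so a bare name such as "asedexpb" is unusual
        if not prog.lstrip().startswith("/"):
            reasons.append(f"RUN program '{prog}' is not an absolute path")
    return reasons

def scan_rules(text):
    """Map each suspicious rule line in a rules-file body to its reasons."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            reasons = flag_rule(line)
            if reasons:
                findings[line] = reasons
    return findings
```

Running scan_rules over the contents of /etc/udev/rules.d/*.rules returns only the sedexp-style rule here; on a real host, review every hit against the package that installed the rules file.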
The malware comes with capabilities to launch a reverse shell to facilitate remote access to the compromised host, as well as to modify memory to conceal any file containing the string “sedexp” from commands like ls or find.
Stroz Friedberg said that in the cases it investigated, this capability was used to hide web shells, altered Apache configuration files, and the udev rule itself.
“The malware was used to hide credit card scraping code on a web server, indicating a focus on financial gain,” the researchers said. “The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware.”