New Linux Malware 'sedexp' Uses Udev Rules to Hide Skimmer Code

Eng. Donya Bino · Published · 3 min read

Cybersecurity researchers have identified a new, stealthy Linux malware named sedexp that employs unconventional techniques to achieve persistence and conceal credit card skimmer code on infected systems. The malware has been linked to a financially motivated threat actor and has been active since 2022. This discovery comes from Aon's Stroz Friedberg incident response services team, highlighting the sophisticated methods cybercriminals are using to evade detection.

"This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics," noted researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto. The findings underscore how malicious actors continually evolve their strategies to outsmart detection mechanisms.

What sets sedexp apart is its use of udev rules for persistence. Udev, a device manager for the Linux kernel that replaces the Device File System, enables the system to detect hardware changes and automatically apply predefined rules. These rules can identify devices based on their attributes and perform specific actions, such as running a program when a device is plugged in or removed.

Each line in a udev rules file contains at least one key-value pair, making it possible to trigger actions based on device events. For example, a rule might automatically back up data when an external drive is connected. According to SUSE Linux documentation, "A matching rule may specify the name of the device node, add symbolic links pointing to the node, or run a specified program as part of the event handling."

In the case of sedexp, the udev rule -- ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+" -- matches the "add" event for the character device with major number 1 and minor number 8, which is /dev/random. That event occurs during every system boot, when udev creates the device node, so the program named in the RUN key is executed each time the system restarts, and the malware persists.
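The following defender-side check, added here as an example and not code from the article or from Stroz Friedberg, parses udev rule lines into key/operator/value triples and flags RUN entries that resolve to a relative program name or that fire on the add event for a major-1 memory device such as /dev/random. The sample rules, the helper names and the scanned directories are constructed for the example.

```python
import re

# Constructed sample: one benign rule and one shaped like the rule quoted above.
SAMPLE_RULES = """\
# benign example: run a script when a USB block device appears
ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", RUN+="/usr/local/bin/backup.sh"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# KEY, optional {attribute}, operator, quoted value
TOKEN = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

def parse_rule(line):
    """Split one udev rule line into a list of (key, operator, value) triples."""
    return [(key + (f"{{{attr}}}" if attr else ""), op, val)
            for key, attr, op, val in TOKEN.findall(line)]

def suspicious_reasons(rule):
    """Heuristics for a parsed rule; returns a (possibly empty) list of reasons."""
    reasons = []
    matches = {k: v for k, op, v in rule if op == "=="}
    runs = [v for k, op, v in rule if k == "RUN" and op in ("+=", "=", ":=")]
    for prog in runs:
        cmd = prog.split()[0]
        if not cmd.startswith("/"):
            # udev resolves relative names under its helper directory, where a
            # dropped binary blends in with legitimate helpers; review it.
            reasons.append(f"RUN program '{cmd}' is not an absolute path")
    if matches.get("ENV{MAJOR}") == "1" and runs:
        minor = matches.get("ENV{MINOR}", "?")
        reasons.append(f"RUN fires on add event of memory device major 1 minor {minor} "
                       "(minor 8 is /dev/random): runs at every boot")
    return reasons

def scan_rules_text(text):
    """Return [(line_number, reasons)] for each rule line that looks suspicious."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = suspicious_reasons(parse_rule(line))
        if reasons:
            findings.append((n, reasons))
    return findings

if __name__ == "__main__":
    import glob
    paths = [p for d in ("/etc/udev/rules.d", "/usr/lib/udev/rules.d", "/run/udev/rules.d")
             for p in glob.glob(f"{d}/*.rules")]
    for path in sorted(paths) or ["<sample>"]:
        text = SAMPLE_RULES if path == "<sample>" else open(path, errors="replace").read()
        for n, reasons in scan_rules_text(text):
            print(f"{path}:{n}: " + "; ".join(reasons))
```

Because sedexp hides files whose names contain "sedexp" from tools on the live host, run this against a mounted disk image or from a rescue environment rather than trusting the infected system's own view of its rules directories.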

Sedexp's capabilities are not limited to persistence. It also includes functionality to launch a reverse shell, giving the attacker remote access to the compromised host. Additionally, the malware can alter memory to conceal any files containing the string "sedexp", so that commands such as ls or find do not reveal them.

In real-world scenarios investigated by Stroz Friedberg, these concealment capabilities were used to hide web shells, altered Apache configuration files, and even the udev rule itself. The primary objective appears to be financial gain, as the malware was employed to hide credit card scraping code on a web server.

"The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware," the researchers commented. This advanced threat highlights the need for organizations to adopt more comprehensive security measures to protect against increasingly sophisticated cyber threats targeting critical systems and sensitive financial data.

Reference: www.thehackernews.com

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067