Cybersecurity researchers have uncovered a brand new stealthy piece of Linux malware that leverages an unconventional method to realize persistence on contaminated programs and conceal bank card skimmer code.
The malware, attributed to a financially motivated menace actor, has been codenamed sedexp by Aon’s Stroz Friedberg incident response companies group.
“This superior menace, energetic since 2022, hides in plain sight whereas offering attackers with reverse shell capabilities and superior concealment ways,” researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto stated.
It isn’t shocking that malicious actors are continually improvising and refining their tradecraft, and have turned to novel strategies to evade detection.
What makes sedexp noteworthy is its use of udev guidelines to take care of persistence. Udev, a alternative for the System File System, presents a mechanism to determine gadgets primarily based on their properties and configure guidelines to reply when there’s a change within the gadget state, i.e., a tool is plugged in or eliminated.
Every line within the udev guidelines file has a minimum of as soon as key-value pair, making it attainable to match gadgets by title and set off sure actions when varied gadget occasions are detected (e.g., set off an automated backup when an exterior drive is connected).
“An identical rule might specify the title of the gadget node, add symbolic hyperlinks pointing to the node, or run a specified program as a part of the occasion dealing with,” SUSE Linux notes in its documentation. “If no matching rule is discovered, the default gadget node title is used to create the gadget node.”
The udev rule for sedexp — ACTION==”add”, ENV{MAJOR}==”1″, ENV{MINOR}==”8″, RUN+=”asedexpb run:+” — is ready up such that the malware is run at any time when /dev/random (corresponds to gadget minor quantity 8) is loaded, which usually happens upon each reboot.
Put otherwise, this system specified within the RUN parameter is executed each time after a system restart.
The malware comes with capabilities to launch a reverse shell to facilitate distant entry to the compromised host, in addition to modify reminiscence to hide any file containing the string “sedexp” from instructions like ls or discover.
Stroz Friedberg stated within the cases it investigated, the potential has been put to make use of to cover net shells, altered Apache configuration recordsdata, and the udev rule itself. It is presently not identified how the malware is distributed.
“The malware was used to cover bank card scraping code on an internet server, indicating a give attention to monetary achieve,” the researchers stated. “The invention of sedexp demonstrates the evolving sophistication of financially motivated menace actors past ransomware.”