Cybersecurity researchers have discovered a new stealth piece of Linux malware that uses an unconventional method to keep infected systems safe and hide credit card skimmer code.
The malware, which is attributed to a financially motivated threat, has been codenamed sedexp by the Aon Stroz Friedberg incident response team.
“This sophisticated threat, active since 2022, hides in plain sight, providing attackers with recoil capabilities and advanced stealth tactics,” researchers Zachary Reichert, Danielle Stein, and Joshua Pivirotta said.
Not surprisingly, attackers are constantly improvising and improving their craft, and have turned to new methods to avoid detection.
Noteworthy about sedexp is its use of udev rules to maintain persistence. Udev, Device File System Replacement, suggestions a mechanism for identifying devices based on their properties and configuring rules for responding to device state changes, i.e. when connecting or removing a device.
Each line in the udev rules file has at least one key-value pair, which allows you to match devices by name and trigger certain actions when various events are detected on the device (for example, trigger an automatic backup when an external drive is connected).
“A match rule can specify a device node name, add symbolic links pointing to a node, or run a specified program as part of event processing”, SUSE Linux notes in its documentation. “If no matching rule is found, the default device node name is used to create the device node.”
The udev rule for sedexp — ACTION==”add”, ENV{MAJOR}==”1″, ENV{MINOR}==”8″, RUN+=”asedexpb run:+” — is set to run the malware whenever /dev/random (corresponds to apparatus minor number 8) is loaded, which usually happens on every reboot.
In other words, the program specified in the RUN parameter is executed every time the system is rebooted.
The malware has the ability to run a reverse shell to facilitate remote access to the compromised host, as well as modify memory to hide any file containing the string “sedexp” from commands such as ls or find.
Stroz Friedberg said that in the cases she investigated, this capability was used to hide web shells, modified Apache configuration files, and the udev rule itself.
“The malware was used to hide a credit card scan code on a web server, indicating an emphasis on financial gain,” the researchers said. “Sedexp Discovery Shows Evolving Financially Motivated Threat Actors Beyond Ransomware.”
