Researchers have found a new malware targeting Linux systems for at least two years without being caught. Identified as “sedexp,” this sneaky malware hides in plain sight, while gaining persistent access to the target Linux device. Linux users, particularly the organizations relying on Linux systems, must scan their devices for potential malware infiltration.
Linux Malware “sedexp” Exploits udev Rules
Researchers from Aon Security discovered a new malware active in the wild since 2022. However, despite running active campaigns for two years, this Linux malware remained undetected, sneakily infecting systems.
Specifically, this malware, identified as “sedexp,” links back to a “financially motivated” threat actor, establishing persistence on the target device. For this, the malware exploits the udev rules on Linux – the configuration rules that udev (device management system for Linux Kernel) uses to “match devices and execute actions” following device additions or removals.
Exploiting this crucial Linux component empowers the sedexp malware to execute each time a device event takes place. In technical words, the malware runs every time the /dev/random file loads, which loads with every system reboot. Hence, the malware remains hidden and runs at every reboot.
Besides persistence, which is a crucial sedexp functionality, it exhibits two more important functions. These include a reverse shell capability to allow complete control of the target system from the attacker and memory modification to hide any file containing the string “sedexp” from commands.
The researchers have shared a detailed technical analysis of this malware in their post.
For now, the exact identity of the threat actors behind this malware remains unclear. Nonetheless, considering the malware’s sneaky behavior, the researchers effectively linked it with credit card scraping activities, where hiding the malware code is crucial for the attackers. Besides, backing the stealthy exhibition of the malware is the fact that the researchers found multiple public instances of sedexp with zero detections on an online sandbox.
The researchers advise users, particularly organizations, to conduct timely and thorough forensic reviews of possibly compromised servers and deploy adequate security measures to prevent such threats.
Let us know your thoughts in the comments.