New Linux Malware 'sedexp' Hides Credit Card Skimmers Using Udev Rules

Aug 25, 2024 / Ravie Lakshmanan / Financial Fraud / Cybercrime

Cybersecurity researchers have uncovered a new stealthy piece of Linux malware that uses an unconventional technique to achieve persistence on infected systems and hide credit card skimmer code.

The malware, attributed to a financially motivated threat actor, has been codenamed sedexp by Aon's Stroz Friedberg incident response services team.

"This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics," researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto said.

It is no surprise that malicious actors keep innovating and refining their tradecraft, turning to new techniques to evade detection.


What sets sedexp apart is its use of udev rules to maintain persistence. udev is the Linux userspace device manager that replaced the Device File System (devfs); it identifies devices by their attributes and lets administrators define rules that are applied when a device's state changes, for example when a device is added or removed.

Each line in a udev rules file contains at least one key-value pair. Match keys select devices (by kernel name, subsystem, attributes, and so on) and assignment keys define what happens when a matching device event occurs, for example starting an automatic backup when an external drive is plugged in.

"A matching rule may specify the name of the device node, add symbolic links pointing to the node, or run a specified program as part of the event handling," SUSE Linux notes in its documentation. "If no matching rule is found, the default device node name is used to create the device node."

The udev rule used by sedexp, ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+", is written so that the malware is launched whenever the /dev/random character device (major number 1, minor number 8) is added to the system, which happens on every boot.

In other words, the program specified in the RUN assignment is executed every time the system reboots.
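To make the persistence mechanism concrete, here is a small triage script, added as an example and not code from the original article or from Stroz Friedberg, that parses udev rule lines into key/operator/value entries and flags any rule that runs a program on an event which fires on every boot. The sample rules are constructed for the example: the sedexp rule is the one quoted above, the two benign rules are ordinary ones written here for contrast. The major-1 minor-number table is taken from the Linux devices.txt list of memory character devices, and the note that a RUN program without an absolute path is looked up in udev's own program directory follows the udev(7) man page.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample rules file. Line 6 is the sedexp rule quoted in the
# article; the other two rules are benign examples written for contrast.
SAMPLE_RULES = """\
# benign: give members of plugdev access to a USB serial adapter
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", MODE="0660", GROUP="plugdev"
# benign: illustrative rule that adds a symlink for loop devices
KERNEL=="loop*", SYMLINK+="block/%k"
# sedexp persistence rule as quoted in the article
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# Character major 1 is the Linux "memory devices" range (Documentation/admin-guide/devices.txt).
# Every one of these nodes is created on every boot, so a RUN+= keyed to one of
# them is effectively a boot-time persistence hook rather than a hardware reaction.
MEM_DEV_MINORS = {1: "/dev/mem", 3: "/dev/null", 5: "/dev/zero", 7: "/dev/full",
                  8: "/dev/random", 9: "/dev/urandom", 11: "/dev/kmsg"}

# One udev key/value entry: KEY or KEY{arg}, an operator, and a double-quoted value.
TOKEN_RE = re.compile(
    r'\s*([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"\s*,?')


def parse_rule(line: str) -> List[Tuple[str, str, str]]:
    """Split one udev rule line into (key, operator, value) triples."""
    entries = []
    pos = 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:
            raise ValueError(f"unparsable udev rule at column {pos}: {line!r}")
        entries.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return entries


def triage(rules_text: str) -> List[Dict]:
    """Return one finding per rule that executes a program, with the reasons it looks suspicious."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries = parse_rule(line)
        programs = [v for k, op, v in entries if k == "RUN" and op in ("+=", "=", ":=")]
        if not programs:
            continue  # rules that only set permissions or symlinks are not execution hooks
        matches = {k: v for k, op, v in entries if op == "=="}
        reasons = []

        # Keyed to a memory device that exists on every boot (sedexp: 1:8 is /dev/random).
        major, minor = matches.get("ENV{MAJOR}"), matches.get("ENV{MINOR}")
        if major == "1" and minor and minor.isdigit() and int(minor) in MEM_DEV_MINORS:
            reasons.append(f"keyed to {MEM_DEV_MINORS[int(minor)]} (char {major}:{minor}), "
                           "which is added on every boot")

        # No key that identifies real hardware: the RUN is not a reaction to a specific device.
        hw_prefixes = ("SUBSYSTEM", "KERNEL", "ATTR", "DRIVER", "DEVPATH")
        if not any(k.startswith(hw_prefixes) for k in matches):
            reasons.append("no hardware-identifying match key (SUBSYSTEM/KERNEL/ATTRS/...)")

        # A bare program name is resolved in udev's own program directory (/usr/lib/udev,
        # or /lib/udev on older layouts), which is an unusual place for an operator's script.
        for prog_line in programs:
            prog = shlex.split(prog_line)[0]
            if not prog.startswith("/"):
                reasons.append(f"program {prog!r} has no absolute path; udev looks it up in its "
                               "own program directory")

        findings.append({"line": lineno, "rule": line, "programs": programs, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RULES):
        print(f"line {f['line']}: {f['rule']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Point the script at the concatenated contents of /etc/udev/rules.d, /run/udev/rules.d and /usr/lib/udev/rules.d (or /lib/udev/rules.d). Because sedexp hides any file whose name contains "sedexp" from ls and find on the infected host, collect those directories from a disk image or a live boot medium rather than trusting a listing taken on the running system.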


The malware includes the capability to launch a reverse shell for remote access to the compromised host, as well as to modify memory in order to hide any file whose name contains the string "sedexp" from commands such as ls or find.

Stroz Friedberg noted that, in the cases it investigated, this capability was used to conceal web shells, modified Apache configuration files, and the udev rule itself.

"The malware was used to hide credit card scraping code on a web server, indicating a focus on financial gain," the researchers said. "The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware."
