Researchers have discovered a new piece of Linux malware, codenamed sedexp, that uses an unusual technique to achieve persistence on infected systems while concealing credit card skimmer code. The malware has been attributed to a financially motivated threat actor and was identified by Aon’s Stroz Friedberg incident response services team. Active since 2022, sedexp employs advanced tactics to remain undetected and provides attackers with reverse shell capabilities, enabling remote access to compromised systems.
What sets sedexp apart is its use of udev rules, a mechanism in Linux that identifies devices based on their properties and responds to changes in the device state, such as when a device is plugged in or removed. The udev rule tied to sedexp triggers the malware to run whenever the system’s /dev/random device is loaded, which occurs on every reboot. This technique ensures that the malware stays persistent across reboots, allowing attackers to execute their malicious code consistently.
The malware also possesses the ability to modify memory, hiding files containing the string “sedexp” from being detected by system commands like ls or find. This concealment allows the threat actors to hide web shells, modified Apache configuration files, and the udev rule itself. The method provides an effective way for the malware to evade detection while facilitating the ongoing operation of the skimmer and maintaining access to the compromised server.
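A way to hunt for the persistence technique described above on a Linux host. This is an added example written for this note, not code from the sedexp sample or from Stroz Friedberg; it assumes the standard udev rule directories and uses the kernel's standard character-device numbers for /dev/random (major 1, minor 8) so that rules keyed on MAJOR/MINOR instead of the device name are also caught. All sample rules and program paths are constructed placeholders.

```python
import re
from pathlib import Path

# Standard udev rule locations (highest precedence first).
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d",
             "/usr/lib/udev/rules.d", "/lib/udev/rules.d")

# RUN+="prog args", RUN{program}+="..." etc.
RUN_RE = re.compile(r'RUN(?:\{[^}]*\})?\s*\+?=\s*"([^"]*)"')
# Match keys that select /dev/random or /dev/urandom by name ...
NAME_RE = re.compile(r'(?:KERNEL|NAME|DEVPATH|SYMLINK)\s*==\s*"[^"]*random[^"]*"')
# ... or by the kernel's char-device numbers (/dev/random is 1:8).
MAJOR_RE = re.compile(r'ENV\{MAJOR\}\s*==\s*"1"')
MINOR_RE = re.compile(r'ENV\{MINOR\}\s*==\s*"8"')


def matches_random_device(rule: str) -> bool:
    """True if the rule's match keys select the random device by name or by 1:8."""
    by_name = bool(NAME_RE.search(rule))
    by_number = bool(MAJOR_RE.search(rule)) and bool(MINOR_RE.search(rule))
    return by_name or by_number


def suspicious_rules(text: str, source: str = "<inline>") -> list:
    """One finding per rule line that runs a program on a random-device event."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        run = RUN_RE.search(line)
        if run and matches_random_device(line):
            findings.append({"source": source, "line": lineno,
                             "program": run.group(1).strip(), "rule": line})
    return findings


def scan_system(dirs=RULE_DIRS) -> list:
    """Read-only walk of the real rule directories, collecting findings."""
    findings = []
    for d in dirs:
        for path in sorted(Path(d).glob("*.rules")):
            try:
                findings.extend(suspicious_rules(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return findings


# Constructed sample rules (not from a real system) for an offline check.
SAMPLE_RULES = """\
# benign: vendor helper on a block device
ACTION=="add", KERNEL=="sd*", RUN+="/usr/lib/udev/PLACEHOLDER_HELPER"
# keyed on the device name
ACTION=="add", KERNEL=="random", RUN+="/var/tmp/PLACEHOLDER_LOADER"
# keyed on the char-device numbers instead of the name
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/dev/shm/PLACEHOLDER"
"""

if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RULES) + scan_system():
        print(f"{f['source']}:{f['line']} runs {f['program']} on a random-device event")
```

Because the article notes that sedexp hides files whose names contain "sedexp" from ls and find on a live system, run the scan from a forensic image or a trusted boot medium when a compromise is suspected, and treat any RUN program outside the distribution's udev helper directories as worth a closer look.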
Although the exact distribution method of sedexp is currently unknown, the malware’s main purpose has been linked to hiding credit card scraping code on compromised web servers. This demonstrates the increasing sophistication of financially motivated cybercriminals, as they continue to evolve beyond traditional ransomware attacks in favor of more covert and advanced techniques to achieve financial gain.