Sedexp (Backdoor) – Malware

February 13, 2025
in Malware

Sedexp

Type of Malware

Backdoor

Date of Initial Activity

2022

Motivation

Financial Gain

Attack Vectors

Software Vulnerabilities

Targeted Systems

Linux

Overview

sedexp is a stealthy Linux backdoor documented by Stroz Friedberg, whose analysis found it had been in use since at least 2022. It is financially motivated, targets Linux servers, and is notable for a persistence mechanism that had not been catalogued before: a udev rule. udev is the Linux subsystem that creates device nodes under /dev and reacts to device events; by dropping a rule into a udev rules directory, sedexp arranges to be executed again every time a particular device event occurs, which includes every boot. On top of that, the malware manipulates memory so that standard tools do not list its files, renames its process to blend in with kernel threads, and opens a reverse shell so that its operators keep remote control. The combination gives attackers long-lived access that file-based scanning and routine administrator checks are unlikely to notice, and it abuses a legitimate system feature, so the persistence entry survives the checks that would catch a cron job or a systemd unit.

Targets

Information Finance and Insurance

How they operate

Persistence Through udev Rules
sedexp achieves persistence by abusing udev, the component of Linux that creates device nodes in /dev and runs actions in response to device events such as a device being added. A udev rule can name a program with RUN+=, and udev, which runs as root, executes that program whenever a device matching the rule's conditions appears. sedexp installs a rule that matches the add event for the character device with major number 1 and minor number 8, which is /dev/random. Because that node is created every time the system boots, the rule fires on every boot and relaunches the malware without any entry in the usual autostart locations (cron, systemd units, rc scripts). One caveat shapes how such an implant has to behave: udev expects RUN programs to be short-lived foreground tasks and unconditionally kills processes still running once event handling has finished, so a udev-launched backdoor must detach into a new process that outlives the udev event.
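To make the rule shape concrete and to give defenders a check to run, here is an added hunting script written for this page; it is not code from sedexp or from the Stroz Friedberg report. It parses udev rule files, flags any rule that keys on the /dev/random device numbers (major 1, minor 8) and any RUN, PROGRAM or IMPORT{program} entry whose target does not resolve to udev's helper directories or the standard system binary directories. The trusted-directory allowlist, the constructed SAMPLE_RULES text and the /dev/shm/.x program path in it are assumptions for illustration.

```python
import os
import re
from pathlib import Path

# One udev rule token: KEY, optional {attribute}, operator, double-quoted value.
_TOKEN = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"')

# Assumption: programs that udev rules legitimately run live in these directories.
TRUSTED_DIRS = ("/lib/udev/", "/usr/lib/udev/", "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")
# udev resolves a relative RUN/PROGRAM name against its own helper directory.
UDEV_HELPER_DIRS = ("/usr/lib/udev", "/lib/udev")

# /dev/random is character device major 1, minor 8; the node exists on every boot.
RANDOM_MAJOR, RANDOM_MINOR = "1", "8"

# Directories udev reads rules from.
RULES_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/local/lib/udev/rules.d",
              "/usr/lib/udev/rules.d", "/lib/udev/rules.d")


def parse_rule(line):
    """Split one logical udev rule line into (key, attribute, operator, value) tokens."""
    return [(m.group(1), m.group(2), m.group(3), m.group(4)) for m in _TOKEN.finditer(line)]


def resolves_to_trusted(prog):
    """True if the program named in a rule is an allowlisted path or an existing udev helper."""
    if os.path.isabs(prog):
        return os.path.normpath(prog).startswith(TRUSTED_DIRS)   # normpath defeats /usr/bin/../..
    return any(os.path.exists(os.path.join(d, prog)) for d in UDEV_HELPER_DIRS)


def suspicious_rules(text, source="<rules>"):
    """Return (source, line number, rule, reasons) for rules shaped like sedexp-style persistence."""
    findings = []
    logical_lines = text.replace("\\\n", " ").splitlines()   # join backslash continuations first
    for lineno, raw in enumerate(logical_lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = parse_rule(line)
        env = {attr: val for key, attr, op, val in tokens if key == "ENV" and op == "=="}
        reasons = []
        if env.get("MAJOR") == RANDOM_MAJOR and env.get("MINOR") == RANDOM_MINOR:
            reasons.append("matches /dev/random (major 1, minor 8), present on every boot")
        for key, attr, op, val in tokens:
            runs_program = key in ("RUN", "PROGRAM") or (key == "IMPORT" and attr == "program")
            if not runs_program or attr == "builtin":
                continue          # RUN{builtin} names a udev-internal helper, not a file on disk
            parts = val.split()
            prog = parts[0] if parts else ""
            if not resolves_to_trusted(prog):
                reasons.append(f"{key} executes {prog!r} outside udev helper and system directories")
        if reasons:
            findings.append((source, lineno, line, reasons))
    return findings


def scan_host():
    """Walk the real rules directories; run as root so no rules file is skipped for permissions."""
    results = []
    for d in RULES_DIRS:
        for path in sorted(Path(d).glob("*.rules")):
            try:
                results += suspicious_rules(path.read_text(errors="replace"), str(path))
            except OSError:
                pass
    return results


# Constructed sample, not taken from any real host: two ordinary rules and one shaped like
# the persistence rule described above (device match on /dev/random, arbitrary program).
SAMPLE_RULES = """\
# constructed sample
SUBSYSTEM=="net", ACTION=="add", RUN+="/usr/lib/udev/net-helper $env{INTERFACE}"
KERNEL=="sd*", SUBSYSTEM=="block", RUN{builtin}+="blkid"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/dev/shm/.x run"
"""

if __name__ == "__main__":
    for source, lineno, rule, reasons in suspicious_rules(SAMPLE_RULES, "sample") + scan_host():
        print(f"{source}:{lineno}: {rule}")
        for r in reasons:
            print(f"    - {r}")
```

Run it as root so every rules directory is readable. Two caveats: a target such as /usr/bin/env or /bin/sh followed by a path argument passes the allowlist, so review every rule that invokes an interpreter by hand rather than trusting the allowlist alone; and because sedexp filters what user-space tools see on the live system, read the rules directories from a clean boot or from a disk image whenever an infection is suspected.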
Memory Manipulation for Stealth
To stay out of sight, sedexp manipulates memory so that files associated with it are not returned to user-space tools such as ls and find. The files remain on disk, but routine listing-based checks do not show them, and a host-based scanner that enumerates the file system through the same filtered view misses them too. The same hiding is applied to other artifacts of the intrusion, such as a web shell or modified configuration files, so an administrator looking at the affected directories sees nothing unusual. Offline inspection, by mounting the disk from a clean system or reading a forensic image, is not subject to this filtering and is the reliable way to confirm or rule out hidden files.
Reverse Shell for Remote Control
Once running, sedexp connects back to an attacker-controlled server rather than listening for inbound connections, which lets it operate from behind firewalls and NAT that only permit outbound traffic. The mechanism is the classic one: the malware creates a socket, connects to the server, duplicates the socket descriptor onto file descriptors 0, 1 and 2 (the process's stdin, stdout and stderr) and then executes a shell. Everything the operator types arrives on the shell's stdin, and the shell's output and errors travel back over the same socket, giving interactive command execution on the host with the privileges of the malware process, which is root when udev launched it. From there the operator can exfiltrate data, alter configuration or pivot further.
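The following is an added example, not code from sedexp or from the report, that demonstrates the mechanism just described in Python on a loopback socketpair instead of a real network connection: one end stands in for the attacker's listener, the child duplicates the other end onto file descriptors 0, 1 and 2 with dup2 and executes /bin/sh, and the "listener" drives the shell and reads its output. It pairs this with the check an incident responder would run on the live host: a shell whose three standard descriptors all resolve to sockets in /proc/<pid>/fd. The marker string, the socketpair in place of a remote server and the /bin/sh path are assumptions.

```python
import os
import socket

SHELL = "/bin/sh"
PROC_AVAILABLE = os.path.exists("/proc/self/fd")


def attach_stdio_and_exec(sock_fd, argv=(SHELL,)):
    """The implant side of the pattern: fds 0,1,2 become the socket, then a shell is executed."""
    for fd in (0, 1, 2):
        os.dup2(sock_fd, fd)          # dup2 also clears close-on-exec on the new descriptor
    os.execv(argv[0], list(argv))
    os._exit(127)                     # only reached if exec failed


def stdio_fd_targets(pid):
    """What fds 0,1,2 of a process point at, e.g. 'socket:[12345]' or '/dev/pts/0'."""
    return [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in (0, 1, 2)]


def stdio_is_socket(pid):
    """Detection check: a shell whose stdin, stdout and stderr are all sockets is a reverse
    shell until proven otherwise. Returns None when /proc is unavailable or the process is gone."""
    try:
        return all(t.startswith("socket:") for t in stdio_fd_targets(pid))
    except OSError:
        return None


def shell_session_over_socketpair(commands, probe=stdio_is_socket):
    """Loopback stand-in for the attacker's listener. One end of a socketpair plays the remote
    server, the other end becomes the shell's stdio. Returns (shell output, probe result)."""
    listener_end, shell_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        listener_end.close()
        attach_stdio_and_exec(shell_end.fileno())
    shell_end.close()
    marker = "__end_of_commands__"
    listener_end.sendall(f"{commands}\necho {marker}\n".encode())
    out = b""
    while marker.encode() not in out:         # wait until the shell has run everything
        chunk = listener_end.recv(4096)
        if not chunk:
            break
        out += chunk
    probe_result = probe(pid)                  # inspect the live shell before it exits
    listener_end.shutdown(socket.SHUT_WR)      # EOF on the shell's stdin makes it exit
    while True:
        chunk = listener_end.recv(4096)
        if not chunk:
            break
        out += chunk
    os.waitpid(pid, 0)
    listener_end.close()
    return out.decode().replace(f"{marker}\n", ""), probe_result


if __name__ == "__main__":
    output, flagged = shell_session_over_socketpair("id; echo err 1>&2")
    print(output, end="")
    print("stdio on sockets:", flagged)
```

On a real host, pair the /proc check with the socket table (`ss -tpn`) to recover the remote endpoint, and note that the probe returns None rather than False when /proc is not mounted, so the absence of a hit is not a clean bill of health.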
Obfuscation and Self-Protection
Beyond hiding files, sedexp disguises its process. On startup it changes its process name to kdevtmpfs, the name of a legitimate kernel thread present on every Linux system, so it does not stand out in ps or top output to an administrator scanning for unfamiliar processes. Genuine kernel threads, however, have no executable on disk behind them, which is one way to tell the impostor from the original. sedexp also copies itself to several locations and adjusts file attributes to frustrate file-integrity monitoring, and it modifies system files such as the Apache web server configuration to support its objectives without drawing attention.
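As an added example, not the malware's or the report's code, the block below performs the rename the text describes, using prctl(PR_SET_NAME) as the assumed system call, and shows the check that separates the impostor from the genuine kdevtmpfs kernel thread: a real kernel thread has nothing behind /proc/<pid>/exe, while a renamed user-space binary still does. The helper names and the choice of kdevtmpfs as the only watched name are assumptions for illustration.

```python
import ctypes
import os
import signal

PR_SET_NAME = 15          # prctl(2) option: set the calling thread's comm name (15 chars max)
PROC_AVAILABLE = os.path.exists("/proc/self/comm")


def set_process_name(name):
    """Rename the calling process the way the text describes, via prctl(PR_SET_NAME)."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_SET_NAME, name.encode()[:15], 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_NAME) failed")


def _read(pid, entry):
    with open(f"/proc/{pid}/{entry}", "rb") as fh:
        return fh.read()


def backing_executable(pid):
    """Path behind /proc/<pid>/exe, or None: genuine kernel threads have no executable."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def impostor_kernel_threads(names=("kdevtmpfs",)):
    """Processes whose comm equals a kernel-thread name yet are backed by a user-space binary."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm = _read(pid, "comm").rstrip(b"\n").decode()
        except OSError:
            continue                        # raced with process exit, or not readable
        if comm not in names:
            continue
        exe = backing_executable(pid)
        if exe is not None:                 # a real kthread: readlink fails, no hit
            hits.append((pid, comm, exe))
    return hits


def spawn_impostor(name="kdevtmpfs"):
    """Fork a child that renames itself and then idles; returns its pid once the rename is done."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        set_process_name(name)
        os.write(w, b"1")                   # tell the parent the rename has happened
        os.close(w)
        signal.pause()                      # idle until killed
        os._exit(0)
    os.close(w)
    os.read(r, 1)
    os.close(r)
    return pid


def reap(pid):
    os.kill(pid, signal.SIGKILL)
    os.waitpid(pid, 0)


if __name__ == "__main__":
    child = spawn_impostor()
    try:
        for pid, comm, exe in impostor_kernel_threads():
            print(f"pid {pid} calls itself {comm!r} but runs {exe}")
    finally:
        reap(child)
```

The check is deliberately based on the exe link rather than on cmdline, because a process can overwrite its own argv but cannot change what /proc/<pid>/exe points to. Extend the watched-name list with other kernel-thread names (kthreadd, kworker, ksoftirqd) for a general sweep, and cross-check any hit against its parent: real kernel threads descend from kthreadd, a renamed user-space binary does not.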

MITRE Tactics and Techniques

Persistence (T1547, Boot or Logon Autostart Execution):
The defining behaviour of sedexp is persistence through a udev rule that re-executes the malware whenever the matching device is added, which happens on every boot. Because udev is a legitimate system component and its rules directories are rarely reviewed as autostart locations, the entry survives the checks that would catch a cron job or a systemd unit.
Privilege Escalation (not observed):
No explicit escalation, such as exploitation of a local vulnerability, has been described for sedexp. Installing udev rules and hiding files already requires root, so the implant is deployed with elevated access obtained earlier in the intrusion, and because udev runs the rule's program as root, the reverse shell inherits that privilege.
Defense Evasion (T1564, Hide Artifacts; T1036, Masquerading):
Memory manipulation hides the malware's files from ls, find and any scanner that enumerates the file system through the same filtered view, and renaming the process to kdevtmpfs disguises it as a kernel thread in process listings. Copying itself to several locations and adjusting file attributes further complicates file-integrity monitoring.
Command and Control (T1095, Non-Application Layer Protocol) and Execution (T1059.004, Unix Shell):
The reverse shell gives the operator an interactive shell over a raw socket to an attacker-controlled server, used to issue commands, pull data and retain access to the victim machine.
Exfiltration (T1041, Exfiltration Over C2 Channel):
Where sedexp supports data theft, for example the credit card data scraped from a compromised web server, the stolen data leaves over the channel the attackers already control.
Collection (T1119, Automated Collection):
The same deployment illustrates collection: code placed on the web server gathers payment card data, while sedexp's hiding keeps that code, and the changes to the web server configuration that support it, out of sight for as long as possible.
References:
  • Stroz Friedberg, Unveiling “sedexp”: A Stealthy Linux Malware Exploiting udev Rules