| Sedexp | |
|---|---|
| Type of Malware | Backdoor |
| Date of Initial Activity | 2022 |
| Motivation | Financial Gain |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Linux |
Overview
sedexp is a stealthy backdoor that targets Linux systems. It was documented by Stroz Friedberg, whose investigation found it had been in use since at least 2022 in financially motivated intrusions. What sets it apart is its persistence mechanism: instead of a cron job, init script or systemd unit, it installs a udev rule, a feature of the Linux device-management subsystem, so that udev itself re-launches the malware on every boot. Because the rule file is a legitimate configuration artifact in a directory that is rarely inspected during routine review, the implant hides in plain sight and survives reboots without leaving the usual autostart indicators.
Once running, sedexp gives the operator a durable foothold: it hides its own files from common userland tools, renames its process to look like a kernel helper, and opens a reverse shell back to an attacker-controlled host. Together these let the operator run commands, exfiltrate data and modify the host for long periods without tripping file-based scanners or casual process review. The abuse of udev is the notable part: rather than exploiting a bug, sedexp repurposes a legitimate system mechanism, which makes the persistence both hard to recognise and easy to overlook during clean-up.
Targets
Information
Finance and Insurance
How they operate
Persistence Through udev Rules
One of the core features of sedexp is persistence through udev rules. udev is the Linux device manager: it creates and removes device nodes under /dev and reacts to kernel uevents such as a device being added or removed, applying rules from files in /usr/lib/udev/rules.d, /run/udev/rules.d and /etc/udev/rules.d. A rule matches on event attributes (action, subsystem, device numbers, environment keys) and can carry a RUN+= key naming a program for udev to execute when the rule matches. sedexp installs a rule of exactly this shape, so the implant is launched by udev whenever the matching device event occurs.
The reported rule fires on the add event for the character device with major number 1 and minor number 8, which is /dev/random, the kernel's cryptographic random-number source. That node is created by the kernel early in every boot, so the rule triggers on each start-up and udev runs the named binary. Two details matter for defenders: RUN+= programs are started by udev as root and are expected to exit quickly (udev kills programs that outlive the event timeout), so a persistence payload forks a long-lived child and returns; and a rule keyed on a device that always exists is effectively a boot-time autostart entry dressed up as device management.
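As an added example (not sedexp's own code, and not an artifact from the Stroz Friedberg report), the following POSIX shell script shows what a rule of that shape looks like and hunts udev rule directories for RUN+= rules keyed on device 1:8. The sample rules directory, its file names and the /opt/example/helper path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: hunt udev rules that execute a program when the /dev/random
# node (char 1:8) is added. Not sedexp code; the sample rules are constructed.

# Build a scratch rules directory with two constructed rules: one ordinary
# interface-naming rule and one with the sedexp-style trigger shape. The
# binary path /opt/example/helper is invented for the demonstration.
make_sample_rules() {
    dir=$(mktemp -d)
    cat > "$dir/70-persistent-net.rules" <<'EOF'
# constructed: benign interface-naming rule, no RUN key
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"
EOF
    cat > "$dir/99-system.rules" <<'EOF'
# constructed: fires on the add event for major 1 minor 8 (/dev/random) at every boot
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/opt/example/helper"
EOF
    printf '%s\n' "$dir"
}

# Print file:rule for every rule that both runs a program (RUN+=) and keys on
# MAJOR 1 / MINOR 8. A missing directory is tolerated and yields no output.
find_random_triggers() {
    rules_dir=$1
    grep -H 'RUN+=' "$rules_dir"/*.rules 2>/dev/null \
        | grep 'ENV{MAJOR}=="1"' \
        | grep 'ENV{MINOR}=="8"'
}

# Broader triage: every RUN+= key whose program lives outside the distro-managed
# /usr/lib/udev tree. Most legitimate rules run helpers from there, so the rest
# is a short list worth reading by hand (comment lines are dropped).
find_foreign_run_keys() {
    rules_dir=$1
    grep -H 'RUN+="' "$rules_dir"/*.rules 2>/dev/null \
        | grep -v 'RUN+="/usr/lib/udev/' \
        | grep -v '^[^:]*:#'
}

# Number of /dev/random triggers, the value a scheduled check would alert on.
count_random_triggers() {
    find_random_triggers "$1" | wc -l | tr -d ' '
}

# Stand-alone run: the constructed directory first, then the live host's
# rule directories (empty output from those is the expected clean result).
d=$(make_sample_rules)
echo "constructed dir hits: $(count_random_triggers "$d")"
for live in /etc/udev/rules.d /run/udev/rules.d /usr/lib/udev/rules.d; do
    find_random_triggers "$live"
done
```

On a live host, `udevadm info --query=property --name=/dev/random` confirms MAJOR=1 and MINOR=8, and any RUN+= hit keyed on that pair, or any RUN+= pointing at a binary outside the package-managed tree, deserves a look at the referenced file, its owner, its mtime and its package membership.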
Memory Manipulation for Stealth
To avoid detection, sedexp hides its files from common userland listing tools such as ls and find by tampering with process memory. Directory enumeration through the usual interfaces then no longer returns the implant's files, even though they are present on disk.
This matters because most file-signature scanners and integrity checkers enumerate the filesystem through the same userland path, so a hidden file is never handed to them for inspection. The hiding is not limited to the implant itself: the same mechanism can be used to conceal other indicators of compromise, such as web shells or modified configuration files, which is how an infection stays unnoticed for an extended period. The practical consequence for responders is that a listing taken on the live host cannot be trusted; a disk image, a read-only mount from a clean system, or a statically linked copy of the tools gives the authoritative view, and a difference between that view and the host's own ls is itself an indicator.
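As an added example (not the page's or the malware's code), here is a cross-view listing comparison in POSIX shell. It lists a directory three ways, through ls, through find, and through the shell's own glob expansion, and reports names that one view returns and another omits; a hooked or memory-patched tool then shows up as a discrepancy. The directory and file names used are constructed. In a real case the decisive view is one the implant cannot reach, such as the same filesystem mounted read-only from another system or a statically linked busybox copied onto the host; plug that in as one of the view functions.

```shell
#!/bin/sh
# Added example: cross-view directory diff. Not sedexp code; inputs constructed.

# Three independent views of one directory. Each prints bare names, one per line.
view_ls()   { ls -A1 "$1"; }
view_find() { find "$1" -mindepth 1 -maxdepth 1 | sed 's|.*/||'; }
view_glob() {
    # The shell expands the globs itself, so this path does not go through ls or find.
    ( cd "$1" && for f in .[!.]* ..?* *; do
          if [ -e "$f" ] || [ -L "$f" ]; then printf '%s\n' "$f"; fi
      done )
}

# Print names returned by view A but missing from view B.
# Arguments: directory, name of view function A, name of view function B.
cross_view_diff() {
    dir=$1; lister_a=$2; lister_b=$3
    a=$(mktemp); b=$(mktemp)
    "$lister_a" "$dir" | LC_ALL=C sort -u > "$a"
    "$lister_b" "$dir" | LC_ALL=C sort -u > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Compare three views pairwise and print how many pairs disagree (0 = clean).
# Views default to ls/find/glob; pass other function names to swap one for an
# out-of-band view such as a listing from a statically linked busybox.
count_disagreements() {
    dir=$1; v1=${2:-view_ls}; v2=${3:-view_find}; v3=${4:-view_glob}
    hits=0
    for pair in "$v1 $v2" "$v2 $v3" "$v3 $v1"; do
        set -- $pair
        missing=$(cross_view_diff "$dir" "$1" "$2")
        if [ -n "$missing" ]; then
            printf 'seen by %s but not %s:\n%s\n' "$1" "$2" "$missing" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Stand-alone run over a constructed web root: all three views agree here.
d=$(mktemp -d)
touch "$d/index.html" "$d/hidden-example.php" "$d/.htaccess"
echo "disagreeing view pairs: $(count_disagreements "$d")"
```

Run it against the directories that matter (the web root, /etc/udev/rules.d, /usr/lib, /tmp) rather than the whole filesystem, and treat any non-zero count as a reason to pull a disk image before touching anything else.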
Reverse Shell for Remote Control
sedexp's reverse shell is its remote-control channel. Once the implant runs, it connects out to an attacker-controlled server; because the connection is initiated from inside the victim network, it rides the same egress path as legitimate traffic and needs no listening port on the host.
The shell is built the classic way: open a socket (typically TCP) to the attacker's host, then redirect the process's stdin, stdout and stderr onto that socket before handing control to a shell or command loop. Everything the attacker sends is read as input and all output flows back over the same connection, giving interactive command execution with whatever privileges the implant holds: enough to exfiltrate data, alter configuration or push deeper into the environment. The dup2-to-socket pattern also leaves a usable trace: a process whose three standard descriptors all resolve to the same socket.
Obfuscation and Self-Protection
Beyond file hiding, sedexp obscures its process. On start-up it can rename itself to kdevtmpfs, the name of a genuine kernel thread that services devtmpfs, using a system call such as prctl(PR_SET_NAME). In ps or top output the implant then looks like a kernel helper that belongs on every Linux host, which is enough to pass a casual review. The genuine kdevtmpfs is a kernel thread with no executable behind it, so a kdevtmpfs entry that has a readable /proc/PID/exe, open network sockets or a parent other than kthreadd (PID 2) is an impostor.
It may also copy itself to other locations on the system and adjust file attributes so that integrity monitoring does not flag the copies, and it can modify system files and service configuration, Apache settings among them, to support the operator's goals without raising suspicion.
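The reverse-shell footprint and the kdevtmpfs impersonation described above both leave traces in /proc, so one added example (not sedexp code) covers both: a POSIX shell script with two checks, one for processes whose stdin, stdout and stderr all point at a socket, and one for processes named kdevtmpfs that have a resolvable exe link, which a real kernel thread never has. To run offline it builds a constructed stand-in for /proc; the pids, socket inode numbers and paths in it are invented. Pass /proc to either check on a live host.

```shell
#!/bin/sh
# Added example: two /proc-based checks. Not sedexp code.
#   find_socket_stdio    pids whose fds 0, 1 and 2 all point at a socket, the
#                        footprint of a socket + dup2 reverse shell
#   find_fake_kdevtmpfs  pids named kdevtmpfs that have a readable exe link;
#                        the genuine kdevtmpfs is a kernel thread with none
# Pids, socket inode numbers and paths in make_fake_proc are constructed.

# Constructed stand-in for /proc so the checks run offline; pass /proc for real.
make_fake_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/4242/fd" "$root/1337/fd" "$root/29"
    # pid 4242: stdio dup2'd onto one socket, comm renamed to kdevtmpfs, real exe
    for n in 0 1 2; do ln -s 'socket:[90210]' "$root/4242/fd/$n"; done
    echo kdevtmpfs > "$root/4242/comm"
    ln -s /opt/example/helper "$root/4242/exe"
    # pid 1337: ordinary daemon, stdio on /dev/null, a socket only on fd 3
    for n in 0 1 2; do ln -s /dev/null "$root/1337/fd/$n"; done
    ln -s 'socket:[90211]' "$root/1337/fd/3"
    echo nginx > "$root/1337/comm"
    ln -s /usr/sbin/nginx "$root/1337/exe"
    # pid 29: the genuine kernel thread: same name, no fd table, no exe target
    echo kdevtmpfs > "$root/29/comm"
    printf '%s\n' "$root"
}

# Print pids whose stdin, stdout and stderr all resolve to socket:[inode].
find_socket_stdio() {
    proc_root=${1:-/proc}
    for piddir in "$proc_root"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        all=yes
        for n in 0 1 2; do
            case $(readlink "$piddir/fd/$n" 2>/dev/null) in
                socket:\[*\]) ;;
                *) all=no; break ;;
            esac
        done
        if [ "$all" = yes ]; then printf '%s\n' "${piddir##*/}"; fi
    done
}

# Print pids that claim the name kdevtmpfs but have a resolvable exe link.
find_fake_kdevtmpfs() {
    proc_root=${1:-/proc}
    for piddir in "$proc_root"/[0-9]*; do
        [ -f "$piddir/comm" ] || continue
        [ "$(cat "$piddir/comm" 2>/dev/null)" = kdevtmpfs ] || continue
        # readlink fails on a kernel thread's exe; an impostor's resolves to a file
        if readlink "$piddir/exe" >/dev/null 2>&1; then printf '%s\n' "${piddir##*/}"; fi
    done
}

# Stand-alone run over the constructed tree (both checks should report 4242).
root=$(make_fake_proc)
echo "socket stdio: $(find_socket_stdio "$root" | tr '\n' ' ')"
echo "fake kdevtmpfs: $(find_fake_kdevtmpfs "$root" | tr '\n' ' ')"
```

Run both as root on a live host: /proc/PID/fd and /proc/PID/exe of other users' processes are not readable otherwise, which produces silent misses rather than false alarms. Processes spawned by inetd-style socket activation legitimately have their stdio on a socket, so treat find_socket_stdio output as a triage list and confirm with the process's parent, its exe path and its peer address (ss -tnp) before acting.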
MITRE Tactics and Techniques
Persistence: Boot or Logon Autostart Execution (T1547):
The primary technique is persistence through a udev rule that launches the implant whenever the matching device-add event fires, which for /dev/random means every boot. The rule file is ordinary udev configuration, so tooling that watches the classic autostart locations (cron, init scripts, systemd units, rc.local, shell profiles) does not see it. Writing to the udev rules directories requires root, so the rule also tells a responder that the attacker already held root when persistence was installed.
Privilege Escalation: Abuse Elevation Control Mechanism (T1548):
sedexp does not appear to escalate privileges: nothing in the reported behaviour exploits a vulnerability or a misconfigured elevation control, and the mapping to T1548 is correspondingly weak. It does not need to escalate, because udev runs RUN+= programs as root, so a reverse shell started this way is already a root shell. The practical implication is that root was obtained at initial access, not by the implant, and that is where the investigation of the compromise should start.
Defense Evasion: Indicator Removal (T1070):
The main evasion is hiding files from userland tools such as ls and find by tampering with memory, which also defeats scanners that enumerate the filesystem through the same interfaces and so never receive the hidden files for signature matching. Strictly, hidden rather than deleted artifacts are closer to Hide Artifacts (T1564), and the process rename to kdevtmpfs is Masquerading (T1036); in all three cases the reliable counter is an out-of-band view, a disk image or a read-only mount from a clean system, compared against what the live host reports.
Command and Control: Application Layer Protocol (T1071):
The reverse shell is the command-and-control channel. Because it attaches stdio to a raw socket rather than speaking a recognised application protocol, Non-Application Layer Protocol (T1095) is the tighter fit, but either way the detection opportunity is the same: an outbound connection from a process that has no business talking to the internet, with its standard descriptors bound to that socket, through which the attacker issues commands, pulls data and keeps access.
Exfiltration: Exfiltration Over C2 Channel (T1041):
Where sedexp is used for data theft, for example when it accompanies scraping of credit card data from a compromised web server, the stolen data leaves over the same reverse-shell connection rather than a separate channel, so the C2 detection above also covers the exfiltration.
Collection: Automated Collection (T1119):
sedexp can also be part of collection activity, in the reported case by hiding the web shell that scraped credit card information from a web server. The collection itself is done by the concealed artifact; sedexp's contribution is keeping that artifact invisible to the host's own tools for as long as the operator needs it to run.