Researchers at Aon’s Stroz Friedberg incident response services, uncovered a new stealthy linux malware “sedexp” This malware, which has been active since 2022, is designed with the specific intent of evading detection while maintaining persistence on infected systems. Its primary target? Financial data, particularly through the use of credit card skimming techniques.
The Emergence of Sedexp: New Stealthy Linux Malware
Cybercriminals are known for their constant innovation, always seeking new ways to bypass security measures and extract value from their targets. Sedexp is a prime example of this trend, using unconventional methods to achieve its malicious objectives. According to researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto from Aon’s Stroz Friedberg team, sedexp is notable for its advanced concealment tactics and its ability to provide attackers with reverse shell capabilities.
The discovery of sedexp underscores the evolving landscape of cybersecurity threats, where attackers are increasingly using sophisticated methods to maintain a foothold on compromised systems without detection. This malware is not just another strain of Linux malware; it represents a significant advancement in the tactics employed by financially motivated threat actors.
Unconventional Persistence: The Role of Udev Rules
What sets this New Stealthy Linux Malware sedexp apart from other malware is its use of udev rules to maintain persistence on infected systems. Udev, a system component in Linux that manages device nodes in the /dev directory, is typically used to configure rules that respond to changes in device states, such as when a device is plugged in or removed.
Sedexp as a new stealthy linux malware leverages this system by configuring a udev rule that triggers its execution whenever the /dev/random device is loaded, which typically happens during every reboot. The udev rule for sedexp is designed to ensure that the malware runs automatically upon system startup, making it incredibly difficult to remove without deep system knowledge.
The rule specified is as follows:
makefileCopy codeACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
This rule ensures that the malware is executed whenever the device with major number 1 and minor number 8 (corresponding to /dev/random) is loaded. This technique is particularly insidious because it allows the malware to hide in plain sight, blending in with legitimate system processes.
Concealment Tactics: Hiding in Plain Sight
Sedexp is not just about persistence; it’s also about concealment. The malware is designed to modify system memory in such a way that any file containing the string “sedexp” is hidden from standard command-line tools like ls or find. This capability makes it extremely difficult for system administrators to detect the presence of the malware using traditional methods.
In the instances investigated by Stroz Friedberg, sedexp was used to hide various malicious components, including web shells, altered Apache configuration files, and the udev rule itself. The malware’s ability to hide these components is crucial for its operation, as it allows attackers to maintain control over compromised systems for extended periods without raising suspicion.
Financial Motive: Credit Card Skimming
The ultimate goal of this new stealthy linux malware, according to the researchers, is financial gain. In the cases studied, the malware was used to hide credit card scraping code on web servers, indicating a clear focus on stealing sensitive financial information. This discovery highlights the growing sophistication of cybercriminals who are shifting their focus from traditional ransomware attacks to more covert operations aimed at stealing valuable data.
The Broader Implications for Cybersecurity
The discovery of sedexp is a stark reminder of the ongoing threat posed by sophisticated malware to businesses and individuals alike. As cybersecurity measures become more advanced, so too do the tactics employed by cybercriminals. The use of udev rules for persistence and advanced concealment techniques shows that attackers are constantly adapting their strategies to stay ahead of detection.
For businesses, especially those handling sensitive financial data, this development underscores the importance of regular security audits and robust cybersecurity measures. Ensuring that systems are regularly checked for unusual activity and that security protocols are up-to-date is essential in defending against threats like sedexp.
Conclusion: Staying Vigilant Against Emerging Threats
The emergence of sedexp as a new and dangerous piece of malware serves as a reminder that cybersecurity is a constantly evolving field. Businesses must remain vigilant and proactive in their efforts to protect sensitive data from increasingly sophisticated threats. As researchers continue to uncover and analyze these threats, it is crucial for organizations to stay informed and adapt their security strategies accordingly.
For those looking to bolster their cybersecurity measures, it is advisable to engage with professional services that specialize in identifying and mitigating these kinds of threats. The discovery of sedexp is just one example of how critical it is to stay ahead of the curve in the ever-changing landscape of cybersecurity.
Credit: Information in this article is based on findings by Zachary Reichert, Daniel Stein, and Joshua Pivirotto from Aon’s Stroz Friedberg incident response services team.
original source
