Stealthy Linux Malware ‘Sedexp’ Evades Detection with New Persistence Technique

by | Aug 26, 2024 | News




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

A newly discovered Linux malware named ‘sedexp’ has been silently operating since 2022, evading detection by using a persistence technique that is not yet recognized in the MITRE ATT&CK framework. Identified by cybersecurity experts from Stroz Friedberg, an Aon Insurance company, sedexp is a sophisticated threat that allows attackers to establish reverse shells for remote access, potentially leading to further system compromises.

Undocumented Persistence via Udev Rules

Sedexp’s persistence method revolves around exploiting ‘udev,’ a device management system integral to the Linux kernel. Udev manages device nodes in the /dev directory, which represents the hardware components on a system, such as storage drives and network interfaces. These nodes are dynamically created and removed as devices are connected or disconnected.

The persistence is achieved by manipulating udev rules, which are configuration files located in /etc/udev/rules.d/ or /lib/udev/rules.d/. These rules define how udev should handle certain devices or events, with parameters specifying the conditions and the script to be executed.

 

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses




Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Sedexp introduces the following rule into the compromised system:

ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"

This rule triggers whenever a new device is added, specifically checking if its major and minor numbers match those of /dev/random, a critical system component loaded at boot time. /dev/random is used as a random number generator by various applications and processes, making it an ideal candidate for frequent triggering without raising suspicion.

The rule’s final component, RUN+="asedexpb run:+", executes the malware’s script whenever /dev/random is involved, ensuring the malware runs consistently and evades detection by leveraging a commonly trusted system component.

Establishing persistence on the systemEstablishing persistence on the system
Source: Aon

Advanced Operational Capabilities

Sedexp further disguises itself by naming its process ‘kdevtmpfs,’ mimicking a legitimate system process. This naming convention allows it to blend seamlessly with other system activities, making it difficult to identify through conventional monitoring tools.

Process naming to blend with system operationsProcess naming to blend with system operations
Source: Aon

The malware is designed to set up a reverse shell on the infected device, using either forkpty or pipes combined with a forked process. This reverse shell provides attackers with remote access to the compromised system.

Sedexp employs advanced memory manipulation techniques to conceal its presence. It hides files containing the string “sedexp” from being displayed in standard commands like ls or find, preventing easy detection. Additionally, it can modify memory contents to inject malicious code or alter the behavior of existing applications and system processes.

 



Detection and Impact

Sedexp has been active since at least 2022, remaining undetected in many instances. Researchers found it in multiple online sandboxes and noted that it was flagged as malicious by only two antivirus engines on VirusTotal. The malware has been linked to financially motivated attacks, particularly in hiding credit card scraping code on compromised web servers.

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This