Aon’s Cyber Solutions spotted a new malware family, called sedexp, that relies on a lesser-known Linux persistence technique. The malware has been active since at least 2022 but remained largely undetected for years. The experts pointed out that the persistence method employed by this malware is currently undocumented by MITRE ATT&CK.
The technique allows the malware to maintain persistence on infected systems and hide credit card skimmer codes.
Sedexp uses udev rules to maintain persistence. Udev is a system component that manages device events on Linux systems, allowing it to identify devices based on their properties and configure rules to trigger actions when devices are plugged in or removed. This innovative use of udev rules makes sedexp stand out as a persistence mechanism.
“During a recent investigation, Stroz Friedberg discovered malware using udev rules to maintain persistence. This technique allows the malware to execute every time a specific device event occurs, making it stealthy and difficult to detect.” reads the report published by AON. “This rule ensures that the malware is run whenever /dev/random is loaded. /dev/random is a special file that serves as a random number generator, used by various system processes and applications to obtain entropy for cryptographic operations, secure communications, and other functions requiring randomness. It is loaded by the operating system on every reboot, meaning this rule would effectively ensure that the sedexp script is run upon system reboot.”
The sedexp malware has two notable features:
ls
or find
, effectively concealing webshells, modified Apache configuration files, and the udev rule itself.The researchers believe that threat actor behind the malware sedexp is financially motivated.
“The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware. Leveraging rarely utilized persistence techniques like udev rules highlights the need for thorough and advanced forensic analysis.” concludes the report. “Organizations should continuously update their detection capabilities, implement comprehensive security measures to mitigate such threats, and ensure a capable DFIR firm is engaged to complete a forensic review of any possibly compromised servers.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware )