A new, devious piece of Linux malware, “sedexp,” that hides credit card skimmer code and employs an odd technique to stay active on infected systems has been found by cybersecurity researchers.
Researchers studying cybersecurity have discovered a new, cunning piece of Linux malware, “sedexp,” that conceals credit card skimmer code and uses an unusual method to remain active on affected devices. The malware has been given the codename “sedexp” by Aon’s Stroz Friedberg incident response services team, which believes it was created by a financially motivated threat actor. Researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto stated that “this advanced threat, active since 2022, hides in plain sight while providing attackers with advanced concealment tactics and reverse shell capabilities.” It should come as no surprise that malevolent actors are always modifying and honing their craft and have resorted to cutting-edge methods in order to avoid discovery.
Sedexp is unique in that it uses Udev rules to maintain persistence. The Device File System has been replaced by Udev, which provides a way to identify devices based on their attributes and set up rules to react when a device changes state—that is, when it is plugged in or unplugged. There is at least one key-value pair per line in the udev rules file, which allows for device name matching and the triggering of certain actions in response to detected device events (e.g., the automated backup when an external drive is inserted).
“A matching rule may specify the name of the device node, add symbolic links pointing to the node, or run a specified program as part of the event handling,” according to the documentation provided by SUSE Linux. “If no matching rule is found, the default device node name is used to create the device node.” The Sedexp udev rule for RUN+=”asedexpb run:+”, ACTION==”add”, ENV{MAJOR}==”1″, ENV{MINOR}==”8″ — is configured so that the virus launches on every reboot, or anytime /dev/random (corresponding to device minor number 8) is loaded. Stated differently, the application that is referenced by the RUN argument is run each time the system restarts.
The malware can be used to hide any file containing the string “sedexp” from tools like ls or find, and it can also initiate a reverse shell to provide remote access to the affected host. According to Stroz Friedberg, the ability has been used to conceal web shells, modified Apache configuration files, and the udev rule itself in the cases it has looked at. “The malware was used to hide credit card scraping code on a web server, indicating a focus on financial gain,” the investigators stated. “The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware.”
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.
