A recent discovery by Aon Security has unveiled a new Linux malware, dubbed “sedexp,” that managed to stay under the radar for two years. This stealthy malware has been actively targeting Linux systems since 2022, compromising devices while remaining undetected.
Organizations relying on Linux systems should be particularly vigilant and scan their devices for potential infiltration.
How Sedexp Exploits udev Rules
The sedexp malware is linked to a financially motivated threat actor, focusing on maintaining persistent access to infected devices. It achieves this by exploiting udev rules—a critical component of the Linux device management system. These rules enable the system to “match devices and execute actions” when devices are added or removed.
Sedexp abuses this functionality by registering a rule that triggers its execution every time the /dev/random file loads. Since this file is accessed during every system reboot, the malware runs consistently, hiding in plain sight and reactivating with each reboot.
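A defender can audit the udev rule directories for exactly this pattern: a RUN action attached to a rule whose match keys select the random character device. The following script is an added example, not code from the Aon report or from this article; the rule file paths are the standard udev locations, the sample rules are constructed for illustration, and the match on char major 1 / minor 8 relies on that being /dev/random's well-known device number.

```python
"""Audit udev rules for RUN actions keyed to the random device (/dev/random).

Added example: flags rules that execute a program when the random character
device is added, the persistence trigger the article describes."""
import re
from pathlib import Path

# Standard udev rule locations, highest precedence first.
RULE_DIRS = ["/etc/udev/rules.d", "/run/udev/rules.d",
             "/usr/lib/udev/rules.d", "/lib/udev/rules.d"]

# key{optional attr}, operator (==, !=, =, +=, :=), quoted value
TOKEN_RE = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*([=!+:]?=)\s*"([^"]*)"')

def parse_rule(line):
    """Return (key, op, value) tokens for one rule line; [] for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return TOKEN_RE.findall(line)

def targets_random_device(tokens):
    """True if the match keys select /dev/random by name or by char 1:8."""
    match = {k: v for k, op, v in tokens if op == "=="}
    if match.get("KERNEL") == "random":
        return True
    return match.get("ENV{MAJOR}") == "1" and match.get("ENV{MINOR}") == "8"

def run_programs(tokens):
    """Programs the rule would execute via RUN= / RUN+= / RUN:=."""
    return [v for k, op, v in tokens if k.startswith("RUN") and op in ("+=", "=", ":=")]

def suspicious_rules(text, source="<memory>"):
    """Return (source, line_number, programs) for rules that run code on /dev/random."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = parse_rule(line)
        progs = run_programs(tokens) if tokens else []
        if progs and targets_random_device(tokens):
            findings.append((source, lineno, progs))
    return findings

def audit_system(dirs=RULE_DIRS):
    """Walk the real rule directories (silently skipping ones that do not exist)."""
    findings = []
    for d in dirs:
        for path in sorted(Path(d).glob("*.rules")):
            try:
                findings += suspicious_rules(path.read_text(errors="replace"), str(path))
            except OSError:
                continue
    return findings

SAMPLE_RULES = """\
# constructed sample: one benign rule, two persistence-style rules
KERNEL=="ttyUSB*", MODE="0660", GROUP="dialout"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/tmp/.hidden/loader start"
ACTION=="add", KERNEL=="random", RUN+="/usr/local/bin/some-tool"
"""

if __name__ == "__main__":
    for src, n, progs in suspicious_rules(SAMPLE_RULES, "sample") + audit_system():
        print(f"{src}:{n}: RUN on random device -> {progs}")
```

Any hit on a live host deserves a closer look at the referenced binary, since legitimate rules rarely need to launch a program when /dev/random appears.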
Key Functions of Sedexp Malware
The primary goal of sedexp is to maintain persistence on the infected device. However, it also carries out two other significant functions that make it particularly dangerous:
- Reverse Shell Capability: Sedexp provides attackers with full control over the target system through a reverse shell. This capability allows the attacker to execute commands and manipulate the system remotely, further compromising its security.
- Memory Modification: The malware actively modifies memory to conceal its presence. It hides any files containing the string “sedexp” from being detected by standard system commands, making it incredibly difficult to spot and remove.
Technical Analysis and Threat Implications
Researchers from Aon Security have conducted an in-depth technical analysis of sedexp, detailing how this malware operates and the risks it poses. Although the exact identity of the threat actors remains unclear, the researchers have linked sedexp to credit card scraping activities. In these cases, hiding the malware code is crucial for the attackers to avoid detection while they siphon sensitive financial data.
Adding to its stealthy nature, the researchers found multiple public instances of sedexp in an online sandbox, all with zero detections. This finding underscores the malware’s sophisticated evasion techniques and highlights the importance of robust security measures.
Security Recommendations
Given the stealthy nature of sedexp, it is essential for Linux users—especially organizations—to remain vigilant. Researchers strongly advise conducting regular forensic reviews of potentially compromised servers. Deploying adequate security measures, such as updated intrusion detection systems and consistent monitoring, can help prevent such threats from infiltrating and compromising critical systems.
In summary, the discovery of sedexp underscores the importance of proactive cybersecurity measures on Linux systems. Organizations should prioritize regular system scans and stay informed about emerging threats to safeguard their networks from persistent and undetected malware like sedexp.