New Linux Malware ‘sedexp’ Hides Credit Card Skimmers Using Udev Rules

Avatar
Cybersecurity researchers have uncovered a new stealthy piece of Linux malware that leverages an unconventional technique to achieve persistence on infected systems and hide credit card skimmer code. The malware, attributed to a financially motivated threat actor, has been codenamed sedexp by Aon’s Stroz Friedberg incident response services team. “This advanced threat, active since 2022, hides

Cybersecurity researchers have uncovered a new stealthy piece of Linux malware that leverages an unconventional technique to achieve persistence on infected systems and hide credit card skimmer code.

The malware, attributed to a financially motivated threat actor, has been codenamed sedexp by Aon’s Stroz Friedberg incident response services team.

“This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics,” researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto said.

It’s not surprising that malicious actors are constantly improvising and refining their tradecraft, and have turned to novel techniques to evade detection.

What makes sedexp noteworthy is its use of udev rules to maintain persistence. Udev, replacement for the Device File System, offers a mechanism to identify devices based on their properties and configure rules to respond when there is a change in the device state, i.e., a device is plugged in or removed.

Each line in the udev rules file has at least once key-value pair, making it possible to match devices by name and trigger certain actions when various device events are detected (e.g., trigger an automatic backup when an external drive is attached).

“A matching rule may specify the name of the device node, add symbolic links pointing to the node, or run a specified program as part of the event handling,” SUSE Linux notes in its documentation. “If no matching rule is found, the default device node name is used to create the device node.”

The udev rule for sedexp — ACTION==”add”, ENVMAJOR==”1″, ENVMINOR==”8″, RUN+=”asedexpb run:+” — is set up such that the malware is run whenever /dev/random (corresponds to device minor number 8) is loaded, which typically occurs upon every reboot.

Put differently, the program specified in the RUN parameter is executed every time after a system restart.

The malware comes with capabilities to launch a reverse shell to facilitate remote access to the compromised host, as well as modify memory to conceal any file containing the string “sedexp” from commands like ls or find.

Stroz Friedberg said in the instances it investigated, the capability has been put to use to hide web shells, altered Apache configuration files, and the udev rule itself.

“The malware was used to hide credit card scraping code on a web server, indicating a focus on financial gain,” the researchers said. “The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September

Next Post

Telegram Founder Pavel Durov Arrested in France for Content Moderation Failures

Related Posts

Critical Linux CUPS Printing System Flaws Could Allow Remote Command Execution

A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions. "A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print
Avatar
Read More

Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials

A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA. Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA,
Avatar
Read More