Stealthy ‘sedexp’ Linux malware evaded detection for two years


A stealthy Linux malware named ‘sedexp’ has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework.

The malware was discovered by risk management firm Stroz Friedberg, an Aon Insurance company, and enables its operators to create reverse shells for remote access and to further the attack.

“At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK,” the researchers note, highlighting that sedexp is an advanced threat that hides in plain sight.

Persisting via udev rules

udev is the device management system for the Linux kernel responsible for handling device nodes in the /dev directory, which contains files that represent the hardware components available on the system, such as storage drives, network interfaces, and USB drives.

Node files are dynamically created and removed when the user connects/disconnects devices, while udev also handles the loading of appropriate drivers.

Udev rules are text configuration files that dictate how the manager should handle certain devices or events; they are located in ‘/etc/udev/rules.d/’ or ‘/lib/udev/rules.d/’.

These rules contain three parameters that specify when a rule applies (ACTION=="add"), the device name (KERNEL=="sdb1"), and what script to run when the specified conditions are met (RUN+="/path/to/script").

The sedexp malware adds the following udev rule on compromised systems:

ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"

This rule triggers whenever a new device is added to the system, checking if its major and minor numbers match ‘/dev/random,’ which is loaded upon system boot and used as a random number generator by multiple apps and system processes.

The final rule component (RUN+="asedexpb run:+") executes the malware’s script ‘asedexpb,’ so by setting /dev/random as a precondition, the attackers ensure the malware is run frequently.

Most importantly, /dev/random is an essential system component on Linux that security solutions do not monitor. Hence, its abuse guarantees evasion for the malware.
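For defenders, the rule quoted above is something a periodic audit of the udev rule directories can catch. The following Python script is an added example, not code from the Stroz Friedberg report or from this article: it parses udev rule lines and flags any RUN entry that is keyed on /dev/random (major 1, minor 8), that references the string “sedexp”, or that names a program by relative path without a matching helper in udev’s helper directory (udev(7) resolves non-absolute RUN programs under /usr/lib/udev, formerly /lib/udev). The KERNEL=="random" check and the helper-directory lookup go slightly beyond the article; the sample rules file embedded below is constructed for the demonstration.

```python
import re
from pathlib import Path

# /dev/random is character device major 1, minor 8, the numbers in the sedexp rule.
DEV_RANDOM = ("1", "8")

# Directories udev reads rules from, and where it resolves non-absolute RUN programs (udev(7)).
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/lib/udev/rules.d", "/lib/udev/rules.d")
HELPER_DIRS = ("/usr/lib/udev", "/lib/udev")

# One key/operator/value token, e.g. ACTION=="add", ENV{MAJOR}=="1", RUN+="prog arg".
TOKEN_RE = re.compile(
    r'(?P<key>[A-Z_]+(?:\{[^}]*\})?)\s*(?P<op>==|!=|\+=|-=|:=|=)\s*"(?P<val>[^"]*)"'
)


def parse_rule(line):
    """Split one udev rule line into (key, operator, value) tuples."""
    return [(m.group("key"), m.group("op"), m.group("val")) for m in TOKEN_RE.finditer(line)]


def assess_rule(line, known_helpers=frozenset()):
    """Return findings (strings) for one rule line; an empty list means nothing suspicious.

    known_helpers: names of programs that legitimately live in the udev helper
    directory, used to accept relative RUN paths such as distro-shipped scripts.
    """
    tokens = parse_rule(line)
    matches = {k: v for k, op, v in tokens if op == "=="}
    runs = [v for k, op, v in tokens if k == "RUN" and op in ("+=", "=", ":=")]
    findings = []
    if not runs:
        return findings  # only rules that execute something are of interest here
    keyed_on_random = (
        (matches.get("ENV{MAJOR}"), matches.get("ENV{MINOR}")) == DEV_RANDOM
        or matches.get("KERNEL") == "random"  # assumption: same device by kernel name
    )
    if keyed_on_random:
        findings.append("RUN keyed on /dev/random (major 1, minor 8), the trigger sedexp uses for persistence")
    for cmd in runs:
        parts = cmd.split()
        prog = parts[0] if parts else ""
        if prog and not prog.startswith("/") and prog not in known_helpers:
            findings.append(f"RUN program {prog!r} is a relative path with no matching udev helper")
        if "sedexp" in cmd:
            findings.append(f"RUN command references 'sedexp': {cmd!r}")
    return findings


def scan_rules_text(text, source="<inline>", known_helpers=frozenset()):
    """Scan the text of one rules file; returns (source, line number, finding) tuples."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for finding in assess_rule(line, known_helpers):
            results.append((source, lineno, finding))
    return results


def scan_system():
    """Walk the real rule directories on this host and return every finding."""
    helpers = {p.name for d in HELPER_DIRS if Path(d).is_dir() for p in Path(d).iterdir()}
    results = []
    for d in RULE_DIRS:
        if not Path(d).is_dir():
            continue
        for path in sorted(Path(d).glob("*.rules")):
            results.extend(scan_rules_text(path.read_text(errors="replace"), str(path), helpers))
    return results


# Constructed sample rules file: the rule quoted in the article plus two benign rules.
SAMPLE_RULES = """\
# 99-constructed-sample.rules
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
ACTION=="add", KERNEL=="sdb1", RUN+="/usr/local/sbin/mount-backup-disk"
SUBSYSTEM=="input", RUN+="keyboard-force-release.sh $devpath common-volume-keys"
"""

if __name__ == "__main__":
    for source, lineno, finding in scan_rules_text(SAMPLE_RULES, "sample", {"keyboard-force-release.sh"}):
        print(f"{source}:{lineno}: {finding}")
    for source, lineno, finding in scan_system():
        print(f"{source}:{lineno}: {finding}")
```

Run as root so that every rules directory is readable; a relative-path finding is informational on its own, since some distributions ship helper scripts that way, but combined with a /dev/random match it is a strong signal.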

Establishing persistence on the system
Source: Aon

Primary operational capabilities

The malware names its process ‘kdevtmpfs,’ which mimics a legitimate system process, further blending in with normal activity and making it harder to detect using conventional methods.
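The real kdevtmpfs is a kernel thread, and kernel threads on Linux share properties a user-space impostor cannot easily fake: their parent is kthreadd (PID 2), /proc/<pid>/cmdline is empty, and /proc/<pid>/exe has no target. The following Python check is an added example, not code from the report or this article; it scores each process against those three properties and reports any process that claims a kernel-thread name without them. The process records at the bottom are constructed for the demonstration, and the impostor’s executable path is a placeholder rather than a path from the report.

```python
import os
from pathlib import Path

KTHREADD_PID = 2  # on Linux every kernel thread is a child of kthreadd, PID 2

# Kernel-thread names worth verifying; the article's sample masqueraded as 'kdevtmpfs'.
KERNEL_THREAD_NAMES = {"kdevtmpfs"}


def assess_process(rec):
    """Return findings for one process record; a genuine kernel thread yields none.

    rec is a dict with keys pid, comm, ppid, cmdline (bytes) and exe (str or None),
    as produced by read_proc_record() or constructed for testing.
    """
    findings = []
    if rec["comm"] not in KERNEL_THREAD_NAMES:
        return findings
    tag = f"pid {rec['pid']} named {rec['comm']!r}"
    if rec["ppid"] != KTHREADD_PID:
        findings.append(f"{tag}: parent is pid {rec['ppid']}, not kthreadd ({KTHREADD_PID})")
    if rec["cmdline"]:
        findings.append(f"{tag}: has a command line, which kernel threads never expose")
    if rec["exe"]:
        findings.append(f"{tag}: backed by executable {rec['exe']}; kernel threads have none")
    return findings


def read_proc_record(pid):
    """Collect the fields assess_process() needs from /proc/<pid> on a live host."""
    base = Path("/proc") / str(pid)
    comm = (base / "comm").read_text().strip()
    ppid = None
    for line in (base / "status").read_text().splitlines():
        if line.startswith("PPid:"):
            ppid = int(line.split()[1])
            break
    cmdline = (base / "cmdline").read_bytes()
    try:
        exe = os.readlink(base / "exe")
    except OSError:
        exe = None  # kernel threads have no exe link; run as root so this is not a permission error
    return {"pid": pid, "comm": comm, "ppid": ppid, "cmdline": cmdline, "exe": exe}


def scan_proc():
    """Check every visible process. Run as root in the host's initial PID namespace;
    inside a container kthreadd is not visible and parent PIDs differ."""
    findings = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            findings.extend(assess_process(read_proc_record(int(entry.name))))
        except (OSError, ValueError):
            continue  # process exited mid-scan or is otherwise unreadable
    return findings


# Constructed records: a genuine kdevtmpfs versus a user-space process that copied its name.
GENUINE_KDEVTMPFS = {"pid": 23, "comm": "kdevtmpfs", "ppid": 2, "cmdline": b"", "exe": None}
IMPOSTOR = {"pid": 4242, "comm": "kdevtmpfs", "ppid": 1, "cmdline": b"kdevtmpfs\x00",
            "exe": "/tmp/constructed-impostor"}  # placeholder path, not from the report

if __name__ == "__main__":
    for rec in (GENUINE_KDEVTMPFS, IMPOSTOR):
        print(rec["pid"], assess_process(rec) or "ok")
    for finding in scan_proc():
        print(finding)
```

The check is deliberately narrow: it does not try to decide whether a process is malicious, only whether something that calls itself a kernel thread actually is one, which is the question the naming trick is designed to stop an analyst from asking.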

Process naming to blend with system operations
Source: Aon

Regarding its operational capabilities, the malware uses either forkpty or pipes and a forked new process to set up a reverse shell for the attacker to remotely access the infected device.

Sedexp also employs memory manipulation techniques to hide any file containing the string “sedexp” from standard commands like ‘ls’ or ‘find,’ concealing its presence on the system.

It can also modify memory contents to inject malicious code or alter the behavior of existing apps and system processes.

The researchers mention that the malware has been used in the wild since at least 2022. They found it uploaded to many online sandboxes without being detected: on VirusTotal, only two antivirus engines flag the three sedexp samples referenced in the report as malicious.

According to Stroz Friedberg, the malware has been used to hide credit card scraping code on compromised web servers, indicating involvement in financially motivated attacks.