Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Linux malware sedexp uses udev rules for persistence and evasion

Researchers spotted a new stealthy Linux malware named sedexp that uses Linux udev rules to achieve persistence and evade detection. Aon’s Cyber Solutions spotted a new malware family, called sedexp, that relies on a lesser-known Linux persistence technique. The malware has been active since at least 2022 but remained largely undetected for years. The experts […]

Info-Stealing attacks

Researchers spotted a new stealthy Linux malware named sedexp that uses Linux udev rules to achieve persistence and evade detection.

Aon’s Cyber Solutions spotted a new malware family, called sedexp, that relies on a lesser-known Linux persistence technique. The malware has been active since at least 2022 but remained largely undetected for years. The experts pointed out that the persistence method employed by this malware is currently undocumented by MITRE ATT&CK.

The technique allows the malware to maintain persistence on infected systems and hide credit card skimmer codes.

Sedexp uses udev rules to maintain persistence. Udev is a system component that manages device events on Linux systems, allowing it to identify devices based on their properties and configure rules to trigger actions when devices are plugged in or removed. This innovative use of udev rules makes sedexp stand out as a persistence mechanism.

“During a recent investigation, Stroz Friedberg discovered malware using udev rules to maintain persistence. This technique allows the malware to execute every time a specific device event occurs, making it stealthy and difficult to detect.” reads the report published by AON. “This rule ensures that the malware is run whenever /dev/random is loaded. /dev/random is a special file that serves as a random number generator, used by various system processes and applications to obtain entropy for cryptographic operations, secure communications, and other functions requiring randomness. It is loaded by the operating system on every reboot, meaning this rule would effectively ensure that the sedexp script is run upon system reboot.”

The sedexp malware has two notable features:

  1. Reverse Shell Capability: It allows the attacker to maintain control over the compromised system remotely.
  2. Memory Modification for Stealth: The malware modifies memory to hide files containing the string “sedexp” from commands like ls or find, effectively concealing webshells, modified Apache configuration files, and the udev rule itself.

The researchers believe that threat actor behind the malware sedexp is financially motivated.

    “The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware. Leveraging rarely utilized persistence techniques like udev rules highlights the need for thorough and advanced forensic analysis.” concludes the report. “Organizations should continuously update their detection capabilities, implement comprehensive security measures to mitigate such threats, and ensure a capable DFIR firm is engaged to complete a forensic review of any possibly compromised servers.”

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganin

    (SecurityAffairs – hacking, malware )