New Linux Malware ‘sedexp’ Hides Credit Card Skimmers Using Udev Rules

Cybersecurity researchers have discovered a new stealthy Linux malware that employs an unconventional technique to maintain persistence and hide credit card skimmer code.

The malware, attributed to a financially motivated threat actor, has been named sedexp by Aon’s Stroz Friedberg incident response team.

Stealthy and Persistent Threat:
“This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics,” said researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto.

Malicious actors are constantly refining their methods to evade detection, and sedexp is no exception. It stands out due to its unique use of udev rules to maintain persistence.

How Udev Rules Enable Persistence:
Udev, the device manager that replaced the older Device File System (devfs), lets the system recognize and configure devices dynamically as they are plugged in or removed.

Each udev rule contains key-value pairs that match device names and trigger actions when device events occur. For example, a rule can trigger an automatic backup when an external drive is connected.

The udev rule used by sedexp:
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"

This rule makes the malware execute whenever the /dev/random device (major number 1, minor number 8) is added, which happens on every system boot, so the payload is relaunched after each reboot.
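As an added example (not from the article or the Stroz Friedberg report), the following Python checker parses udev rule lines the way the rule above is structured and flags RUN+= hooks that use a relative program name, point outside the usual helper directories, or are keyed on a memory device that exists on every boot. The trusted-directory list is an assumption, and the sample rules are constructed here except for the sedexp rule quoted in the article.

```python
"""Flag udev rules whose RUN+= hooks look like persistence rather than packaged helpers."""
import re
import shlex

# udev rule grammar: KEY or KEY{attr}, an operator, and a double-quoted value
TOKEN_RE = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

# Assumption: packaged udev helpers live in these directories on a typical distribution
TRUSTED_PREFIXES = ("/lib/udev/", "/usr/lib/udev/", "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")

def parse_rule(line):
    """Return the (key, operator, value) tokens of one udev rule line."""
    return TOKEN_RE.findall(line)

def assess_rule(line):
    """Return reasons a rule looks suspicious; an empty list means nothing was flagged."""
    tokens = parse_rule(line)
    matches = {key: value for key, op, value in tokens if op == "=="}
    has_run = False
    reasons = []
    for key, op, value in tokens:
        if not key.startswith("RUN"):
            continue
        has_run = True
        prog = shlex.split(value)[0] if value.strip() else ""
        if not prog.startswith("/"):
            reasons.append(f"RUN uses relative program name {prog!r}, resolved from the udev helper directory")
        elif not prog.startswith(TRUSTED_PREFIXES):
            reasons.append(f"RUN program {prog!r} lives outside the packaged helper directories")
    # Memory devices (major 1, e.g. /dev/random) are always present, so a hook on them fires every boot
    if has_run and matches.get("ENV{MAJOR}") == "1":
        reasons.append("RUN hook keyed on a memory device (major 1) runs on every boot")
    return reasons

def scan_rules(text):
    """Scan rule text; return (line number, rule, reasons) for each flagged rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        reasons = assess_rule(rule)
        if reasons:
            findings.append((lineno, rule, reasons))
    return findings

SAMPLE_RULES = """\
# constructed: packaged helper at an absolute path
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/lib/udev/usb-helper"
# the rule quoted in the article for sedexp
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
# constructed: absolute path outside the helper directories
ACTION=="add", KERNEL=="sda1", RUN+="/home/user/hook.sh"
# constructed: no RUN key at all
KERNEL=="sda1", SYMLINK+="backupdisk"
"""
```

Running scan_rules over the contents of /etc/udev/rules.d/*.rules gives a quick triage list; the sedexp rule is flagged twice (relative program name and the every-boot trigger).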

Key Capabilities of sedexp:
- Launches a reverse shell to enable remote access to the infected system.
- Modifies system memory so that files whose names contain the string "sedexp" are hidden from commands such as ls or find.
- Conceals web shells, altered Apache configuration files, and its own udev rule.

Financially Motivated Attacks:
Investigations reveal that sedexp has been used to hide credit card skimming scripts on compromised web servers, indicating its focus on financial gain.

“The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware,” researchers warned.

This malware highlights the need for stronger Linux security measures, including monitoring udev rules for anomalies and restricting unauthorized system modifications.