Sedexp Malware: The Stealthy Linux Threat Evading Detection
A new, sophisticated Linux malware named “sedexp” has been discovered, quietly evading detection since 2022. Its unique persistence technique, leveraging udev rules, has allowed it to operate under the radar, making it a particularly dangerous threat. This article explores how this malware operates, its unique evasion strategies, and the implications for Linux security.
How Does sedexp Work?
Sedexp, as identified by risk management firm Stroz Friedberg, can provide attackers with remote access to compromised systems. By abusing the udev device management system, the malware ensures its persistence, making it difficult to eradicate. Udev rules are configuration files that tell udev, Linux's userspace device manager, how to react to the device events the kernel reports, for example by setting permissions or running a program when a device appears.
On compromised systems, sedexp injects the following udev rule:
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
The rule fires whenever udev processes an add event for the character device with major number 1 and minor number 8, which is /dev/random. By tying its RUN+= handler to that condition, the malware ensures that its script, asedexpb, runs frequently, because /dev/random is set up during system boot and utilized by numerous applications and processes.
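As an added example (not code from the article or from Stroz Friedberg's report), here is a small Python scanner that parses udev rule files and flags the persistence pattern described above: a RUN+= program bound to the add event of device 1:8. The sample rules text is constructed, and the directory list and the HIGH/REVIEW labels are my own assumptions.

```python
import re
from pathlib import Path

# Constructed sample rules file: a benign rule, then the sedexp rule quoted above.
SAMPLE_RULES = """\
# benign: fix up permissions on a USB serial adapter
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", MODE="0660", GROUP="dialout"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# One udev rule line is a comma-separated list of KEY[{attr}] OP "value" entries.
ENTRY_RE = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

def parse_rule(line):
    """Return (key, attr, op, value) tuples for one udev rule line."""
    return [m.groups() for m in ENTRY_RE.finditer(line)]

def rule_findings(line):
    """HIGH: a RUN+= program bound to the add event of char device 1:8
    (/dev/random). REVIEW: every other external RUN+= program, for triage."""
    entries = parse_rule(line)
    env = {attr: val for key, attr, op, val in entries if key == "ENV" and op == "=="}
    # RUN{builtin} invokes udev's internal helpers, not an external program.
    runs = [val for key, attr, op, val in entries
            if key == "RUN" and op == "+=" and attr != "builtin"]
    findings = []
    if runs and env.get("MAJOR") == "1" and env.get("MINOR") == "8":
        findings.append("HIGH: RUN+= bound to /dev/random (major 1, minor 8)")
    findings.extend(f"REVIEW: RUN+= {cmd}" for cmd in runs)
    return findings

def scan_rules_text(text):
    """Scan rule text; return {line_number: [findings]} for flagged lines only."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        found = rule_findings(line) if line and not line.startswith("#") else []
        if found:
            report[n] = found
    return report

def scan_rules_dirs(dirs=("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/lib/udev/rules.d")):
    """Scan the udev rule directories on a live host (read-only); assumed paths."""
    report = {}
    for path in (p for d in dirs for p in sorted(Path(d).glob("*.rules"))):
        hits = scan_rules_text(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
```

Run scan_rules_dirs() on a host to list every rule file that carries a HIGH finding, then verify the referenced program on disk before acting on it.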
Sedexp’s Impact in the Wild
Stroz Friedberg’s analysis reveals that the malware has been actively used since at least 2022 and has been discovered in several online sandboxes. Despite its presence in these environments, it has managed to avoid widespread detection; only two antivirus engines on VirusTotal flagged any of the three sedexp samples analyzed in the report as malicious.
One of the more alarming aspects of sedexp’s deployment is its use in financially motivated attacks. The malware has been linked to credit card scraping on compromised web servers, suggesting that attackers are leveraging it to steal sensitive financial data.
Conclusion
By exploiting udev rules—a technique not yet documented by existing frameworks—sedexp exemplifies how attackers continuously adapt to bypass established security measures. Its ability to evade detection and its potential for malicious activities make it a significant threat to Linux systems.
To mitigate the risk posed by threats like sedexp, organizations must adopt a proactive approach to security, including regular updates to detection tools and frameworks, rigorous monitoring of system processes, and a thorough understanding of how unconventional persistence techniques might be employed by adversaries.
To modernize your Linux patching approach, consider implementing KernelCare Enterprise live patching, which enables automated kernel patches for all popular enterprise Linux distributions without requiring a system reboot. Learn more about KernelCare Enterprise here.
The sources for this article include a story from BleepingComputer.