
Sedexp Malware: The Stealthy Linux Threat Evading Detection

Rohan Timalsina

September 10, 2024 - TuxCare expert team

A new, sophisticated Linux malware named “sedexp” has been discovered, quietly evading detection since 2022. Its unique persistence technique, leveraging udev rules, has allowed it to operate under the radar, making it a particularly dangerous threat. This article explores how this malware operates, its unique evasion strategies, and the implications for Linux security.

How Does sedexp Work?

Sedexp, as identified by risk management firm Stroz Friedberg, can provide attackers with remote access to compromised systems. By abusing the udev device management system, the malware ensures its persistence, making it difficult to eradicate. Udev rules are configuration files that define how udev should handle specific devices or device events.

On compromised systems, sedexp injects the following udev rule:

ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"

The rule tells udev to execute the malware whenever a matching device is added to the system. The match conditions (ENV{MAJOR}=="1", ENV{MINOR}=="8") identify the character device /dev/random, so the malware's program, asedexpb, runs frequently: that device node is created during system boot and used by numerous applications and processes.
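To show how a defender might audit udev rules for this persistence pattern, here is an added Python example (not code from the article or from the Stroz Friedberg report): it parses rule lines and flags any RUN+= program that is not an absolute path under a trusted directory, and any rule keyed on /dev/random's major/minor pair. The sample rule text is constructed, apart from the rule quoted above.

```python
import re

# Constructed sample: one benign rule plus the rule quoted in the article.
SAMPLE_RULES = """\
# 60-example.rules (benign, constructed)
ACTION=="add", SUBSYSTEM=="block", RUN+="/usr/lib/udev/example-helper --probe"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# key (optionally with {...}), operator, double-quoted value
KV_RE = re.compile(r'(\w+(?:\{[^}]*\})?)\s*(==|!=|\+=|=)\s*"([^"]*)"')

# Directories from which a RUN+= program is normally launched on a stock system.
TRUSTED_RUN_DIRS = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/",
                    "/usr/sbin/", "/sbin/")


def parse_rule(line):
    """Return {key: (operator, value)} for one rule line, or None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    return {key: (op, value) for key, op, value in KV_RE.findall(line)}


def suspicious_run_rules(text):
    """Scan udev rule text and report RUN+= entries that merit analyst review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if not rule or "RUN" not in rule:
            continue
        program = rule["RUN"][1].split()[0]
        reasons = []
        # A bare name or a path outside the trusted dirs is not how stock rules look.
        if not program.startswith(TRUSTED_RUN_DIRS):
            reasons.append("RUN program outside trusted directories: " + program)
        # char major 1, minor 8 is /dev/random, which is added on every boot.
        if rule.get("ENV{MAJOR}") == ("==", "1") and rule.get("ENV{MINOR}") == ("==", "8"):
            reasons.append("rule keyed on /dev/random (major 1, minor 8)")
        if reasons:
            findings.append({"line": lineno, "program": program, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_run_rules(SAMPLE_RULES):
        print(finding)
```

On a live system, feed the function the contents of /etc/udev/rules.d/ and /usr/lib/udev/rules.d/ and review each finding against the package that owns the file.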

Sedexp’s Impact in the Wild

Stroz Friedberg’s analysis reveals that the malware has been actively used since at least 2022 and has been discovered in several online sandboxes. Despite its presence in these environments, it has managed to avoid widespread detection; only two antivirus engines on VirusTotal flagged any of the three sedexp samples analyzed in the report as malicious.

One of the more alarming aspects of sedexp’s deployment is its use in financially motivated attacks. The malware has been linked to credit card scraping on compromised web servers, suggesting that attackers are leveraging it to steal sensitive financial data.

Conclusion

By exploiting udev rules—a technique not yet documented by existing frameworks—sedexp exemplifies how attackers continuously adapt to bypass established security measures. Its ability to evade detection and its potential for malicious activities make it a significant threat to Linux systems.

To mitigate the risk posed by threats like sedexp, organizations must adopt a proactive approach to security, including regular updates to detection tools and frameworks, rigorous monitoring of system processes, and a thorough understanding of how unconventional persistence techniques might be employed by adversaries.

To modernize your Linux patching approach, consider implementing KernelCare Enterprise live patching, which enables automated kernel patches for all popular enterprise Linux distributions without requiring a system reboot. Learn more about KernelCare Enterprise here.

The sources for this article include a story from BleepingComputer.
