
New Linux malware ‘sedexp’ hides credit card skimmers using Udev rules

Cybersecurity researchers have discovered a new piece of sneaky Linux malware that uses an unconventional technique to remain persistent on infected systems and hide credit card skimmer code.

The malware, which is attributed to a financially motivated threat actor, is codenamed sedexp by Aon’s Stroz Friedberg incident response services team.

“This advanced threat, active since 2022, is stealthy but offers attackers the ability to force an attack and use advanced tactics to hide,” said researchers Zachary Reichert, Daniel Stein and Joshua Pivirotto.

It is not surprising that malicious actors are constantly improvising and refining their techniques, adopting new methods to evade detection.


What makes sedexp notable is its use of udev rules to maintain persistence. Udev, the replacement for the Device File System, provides a mechanism to identify devices based on their properties and to configure rules that react to a change in device state, such as a device being connected or removed.

Each rule in a udev rules file contains at least one key-value pair, allowing devices to be matched by name and specific actions to be triggered when particular device events are detected (for example, starting an automatic backup when an external drive is connected).

“A matching rule can specify the device node name, add symbolic links pointing to the node, or execute a specific program as part of event handling,” SUSE Linux notes in its documentation. “If no matching rule is found, the default device node name is used to create the device node.”

The udev rule for sedexp — ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+" — is set to execute the malware whenever /dev/random (corresponding to device minor number 8) is loaded, which typically happens on every reboot.

In other words, the program specified in the RUN parameter will be executed every time the system restarts.
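The persistence mechanism described above is easy to look for from the defender's side: any rule whose match keys name a major-1 memory pseudo-device (such as /dev/random, minor 8) will fire on every boot, so a RUN+= program attached to it is a boot-time hook rather than a hardware handler. The following script is an added example written for this article, not code from Stroz Friedberg or from the malware; it parses udev rule syntax into key/operator/value triples and flags RUN+= entries that are tied to a memory pseudo-device or that point at a program in a temp directory. The sample rules at the bottom are constructed for the example (the first one is the rule quoted in the article); the directory list in scan_rules_dirs is the standard udev rule locations.

```python
"""Added example: scan udev rule lines for RUN+= entries that persist on boot.

Heuristic detection for the sedexp-style technique: a rule that matches a
memory pseudo-device (major 1, e.g. /dev/random = minor 8) fires on every
boot, so a RUN+= program attached to it is a persistence hook.
All sample rules below are constructed for this example.
"""
import os
import re

# One KEY[{attr}] OP "value" token. udev values are always double-quoted.
_PAIR_RE = re.compile(
    r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"\s*'
)

# Minor numbers of the major-1 memory devices (kernel devices.txt).
MAJOR1_MINORS = {"1": "/dev/mem", "3": "/dev/null", "5": "/dev/zero", "7": "/dev/full",
                 "8": "/dev/random", "9": "/dev/urandom", "11": "/dev/kmsg"}

# Directories where a RUN program is a red flag regardless of the match keys.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_rule(line):
    """Split one udev rule line into (key, op, value) triples.

    Blank lines and comments yield []. Raises ValueError on syntax udev
    would also reject, so a malformed line is surfaced rather than skipped.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    pairs, pos = [], 0
    while pos < len(line):
        m = _PAIR_RE.match(line, pos)
        if not m:
            raise ValueError(f"bad udev token at offset {pos}: {line!r}")
        pairs.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
        if pos < len(line):
            if line[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}: {line!r}")
            pos += 1
    return pairs


def flag_rule(line):
    """Return the reasons this rule looks like a persistence hook ([] if none)."""
    pairs = parse_rule(line)
    runs = [v for k, _, v in pairs if k == "RUN" or k.startswith("RUN{")]
    if not runs:
        return []  # only RUN executes a program; match keys alone are harmless
    matches = {k: v for k, op, v in pairs if op == "=="}
    reasons = []
    if matches.get("ENV{MAJOR}") == "1" or matches.get("SUBSYSTEM") == "mem":
        dev = MAJOR1_MINORS.get(matches.get("ENV{MINOR}"), "a major-1 memory pseudo-device")
        reasons.append(f"RUN attached to {dev}: fires on every boot, not on real hardware")
    for prog in runs:
        exe = prog.split()[0]
        if exe.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"RUN program in a temp/user-writable directory: {exe}")
        elif not exe.startswith("/"):
            # udev resolves bare names under /usr/lib/udev (or /lib/udev); a
            # dropped binary there passes as a helper, so note it for review.
            reasons.append(f"RUN program given as bare name (resolved under /usr/lib/udev): {exe}")
    return reasons


def scan_lines(lines):
    """Apply flag_rule to each line; return [(line, reasons)] for flagged lines only."""
    hits = []
    for line in lines:
        reasons = flag_rule(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


def scan_rules_dirs(dirs=("/etc/udev/rules.d", "/usr/lib/udev/rules.d", "/lib/udev/rules.d")):
    """Scan every *.rules file in the given directories (missing dirs are skipped)."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".rules"):
                continue
            path = os.path.join(d, name)
            with open(path, errors="replace") as fh:
                for line, reasons in scan_lines(fh):
                    hits.append((path, line, reasons))
    return hits


# Constructed sample rules: the sedexp rule quoted in the article, a benign
# block-device rule, and a rule whose RUN program lives in /tmp.
SAMPLE_RULES = [
    '# constructed samples for this example',
    'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"',
    'SUBSYSTEM=="block", ACTION=="add", RUN+="/usr/lib/udev/hdparm"',
    'KERNEL=="sd*", ACTION=="add", RUN+="/tmp/.cache/sync.sh $devnode"',
]

if __name__ == "__main__":
    for line, reasons in scan_lines(SAMPLE_RULES):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run it on the samples to see the two flagged rules, or call scan_rules_dirs() on a live host to walk the real rule directories. The bare-name heuristic is deliberately noisy: legitimate distributions also ship helpers by bare name, so treat that reason as a prompt to check the binary's package ownership rather than as a verdict on its own.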


The malware has the ability to launch a reverse shell to gain remote access to the compromised host. It can also modify memory to hide files containing the string ‘sedexp’ from commands such as ls or find.

Stroz Friedberg said that in the cases it investigated, this hiding capability was used to conceal web shells, modified Apache configuration files, and the udev rule itself.

“The malware was used to hide credit card scraping code on a web server, indicating a focus on financial gain,” the researchers said. “The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors that goes beyond ransomware.”
