Sedexp Malware Alert: Undetected Linux Threat Enables Remote Control
Aon has uncovered a new Linux malware named sedexp that has gone undetected since 2022 thanks to an unusual persistence and hiding technique. The malware gives attackers remote control of infected hosts and a foothold from which to run further attacks.
What sets sedexp apart is its use of udev rules for persistence. udev is the Linux device manager: it matches kernel device events (a device being added or removed, for example) against rule files and can run a program whenever a rule matches. The malware adds a rule of its own to the system:
`ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"`
The rule fires on every "add" event for the character device with major number 1 and minor number 8, which is /dev/random. Because that device node is created on every boot, udev runs the malware at each startup, which gives sedexp persistence without touching cron, systemd units or init scripts, the places defenders usually look. Since the program in RUN+= is given without a leading slash, udev resolves it relative to its own helper directory (/usr/lib/udev on most distributions). The malware also renames its process to kdevtmpfs, the name of a legitimate kernel thread, so it blends into process listings and is harder to spot.
Beyond persistence, the malware can open a reverse shell, giving the operator remote control of the infected machine. Sedexp also manipulates process memory to hide files from standard tools such as ls and find, and the same memory-modification capability can inject code into, or change the behaviour of, running applications. In the cases Aon investigated, this was used to conceal web shells, modified Apache configuration files and the udev rule itself.
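The two hunts a responder would want after reading the above are a sweep of udev rule files for RUN+= entries that behave like sedexp's (a relative program name, or a rule keyed to a device that exists on every boot) and a check for user-space processes wearing a kernel-thread name such as kdevtmpfs. The script below is an added example by the editor, not code from Aon's report or from the malware; the sample rule file and the process records are constructed, and the exe path /var/tmp/asedexpb in the second record is a placeholder, not a path reported for sedexp. Only the udev rule quoted above is taken from the page. The live /proc scan runs on Linux only; everything else is portable, standard-library Python.

```python
"""Hunt for sedexp-style persistence and masquerading (added example, not Aon's code)."""
import os
import re

# Character devices created on every boot. udev emits an "add" uevent for each
# during coldplug, so a RUN+= keyed to one of them executes at every startup.
# /dev/random is major 1, minor 8, the pair sedexp's rule matches on.
ALWAYS_PRESENT_CHAR_DEVS = {
    ("1", "3"): "/dev/null",
    ("1", "5"): "/dev/zero",
    ("1", "8"): "/dev/random",
    ("1", "9"): "/dev/urandom",
}

# Names of real kernel threads that a user-space process might borrow (illustrative set).
KERNEL_THREAD_NAMES = {"kdevtmpfs", "kthreadd", "kswapd0", "ksoftirqd/0", "kcompactd0"}

# One udev token: KEY, optional {attr}, operator, double-quoted value, optional comma.
TOKEN_RE = re.compile(r'\s*([A-Za-z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?')

# Constructed sample: one benign rule plus the sedexp rule quoted in the write-up.
SAMPLE_RULES = """\
# constructed benign rule: absolute program, fires only for block devices
ACTION=="add", SUBSYSTEM=="block", RUN+="/usr/bin/logger udev saw a block device"
# rule recovered from infected hosts, as quoted in Aon's write-up
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# Constructed process records in the shape read_proc() produces.
SAMPLE_PROCS = [
    {"pid": 27, "comm": "kdevtmpfs", "ppid": 2, "exe": None},                # genuine kernel thread
    {"pid": 4412, "comm": "kdevtmpfs", "ppid": 1, "exe": "/var/tmp/asedexpb"},  # placeholder path
]


def parse_rule_line(line):
    """Split one udev rule line into (matches, assignments).
    Returns None for blank/comment lines or lines that do not tokenize cleanly."""
    body = line.strip()
    if not body or body.startswith("#"):
        return None
    matches, assigns, pos = {}, [], 0
    for m in TOKEN_RE.finditer(body):
        if m.start() != pos:  # unparsed text between tokens: not a rule we understand
            return None
        key, attr, op, val = m.groups()
        name = f"{key}{{{attr}}}" if attr else key
        if op in ("==", "!="):
            matches[name] = (op, val)
        else:
            assigns.append((name, op, val))
        pos = m.end()
    return (matches, assigns) if pos == len(body) else None


def audit_rules(text):
    """Return findings ({line, program, reasons}) for every RUN+= whose program is
    relative (udev resolves it under /usr/lib/udev) or whose match keys pin the
    rule to a device that exists on every boot."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule_line(line)
        if parsed is None:
            continue
        matches, assigns = parsed
        major = matches.get("ENV{MAJOR}", (None, None))[1]
        minor = matches.get("ENV{MINOR}", (None, None))[1]
        dev = ALWAYS_PRESENT_CHAR_DEVS.get((major, minor))
        for name, op, val in assigns:
            if name != "RUN" or op != "+=":
                continue
            program = val.split()[0] if val.split() else val
            reasons = []
            if not program.startswith("/"):
                reasons.append(f"relative program {program!r} resolves under /usr/lib/udev; confirm a package owns it")
            if dev:
                reasons.append(f"keyed to {dev} (char {major},{minor}), so it runs at every boot")
            if reasons:
                findings.append({"line": no, "program": program, "reasons": reasons})
    return findings


def is_fake_kernel_thread(rec):
    """True when a process carries a kernel-thread name but looks like user space:
    a resolvable /proc/<pid>/exe link or a parent other than kthreadd (pid 2).
    Real kernel threads have no exe target, which a mere rename cannot fake."""
    return rec["comm"] in KERNEL_THREAD_NAMES and (rec["exe"] is not None or rec["ppid"] not in (0, 2))


def read_proc():
    """Collect comm/ppid/exe for every live pid from /proc (Linux only)."""
    recs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]  # comm may contain spaces
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])  # fields after ')': state, ppid, ...
        except (OSError, ValueError):
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel threads (and vanished pids) have no exe target
        recs.append({"pid": int(pid), "comm": comm, "ppid": ppid, "exe": exe})
    return recs


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"rule line {f['line']}: {f['program']}: " + "; ".join(f["reasons"]))
    procs = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for rec in procs:
        if is_fake_kernel_thread(rec):
            print(f"pid {rec['pid']} named {rec['comm']} but has exe={rec['exe']} ppid={rec['ppid']}")
```

On a real host, point audit_rules at the contents of every file under /etc/udev/rules.d, /run/udev/rules.d and /usr/lib/udev/rules.d, and remember that sedexp's file-hiding means a rule that is missing from ls output may still be visible through a different path (reading the directory from a rescue image, or comparing against package manifests).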
According to the research, the malware has been active since at least 2022. Samples had surfaced in several online sandboxes, yet only two antivirus engines on VirusTotal flagged them. Aon also found sedexp being used to steal credit card data from compromised web servers, which points to financially motivated operators. Its discovery illustrates how such groups are adopting increasingly sophisticated tradecraft that goes beyond traditional ransomware.