A novel piece of Linux malware, which grants its operators the ability to remotely access the compromised device, has been hiding in plain sight for more than two years now, experts have warned.
Stroz Friedberg, which discovered the malware and wrote an in-depth explainer, said the malware is called “sedexp”, and has been evading detection since 2022.
While granting the attackers remote access to the compromised endpoint matters, that is not what makes this malware unusual. What sets it apart is how it stayed hidden for more than two years and kept most antivirus solutions from detecting it.
Udev rules abused
As per the report, sedexp went under the radar by using udev rules.
“At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK,” the researchers note.
Udev is a device manager for the Linux kernel, responsible for managing device nodes in the /dev directory. It dynamically creates and removes device nodes based on the devices connected to the system, such as USB drives, printers, and network interfaces. It also makes sure that each node gets the right driver loaded into memory.
Udev rules, on the other hand, are text configuration files that tell the device manager how to handle particular devices or events. To execute and stay hidden, the malware adds a specific rule to udev, the researchers explained. Finally, the malware names its process ‘kdevtmpfs’, the same name as a legitimate process, making detection even harder.
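To make those two hiding techniques concrete from the defender's side, here is an added audit script (written for this page, not code from the Stroz Friedberg report or from the malware) that lists every udev rule which executes a program and flags user-space processes wearing the kdevtmpfs name. It assumes a Linux host with /proc; the optional directory argument to find_fake_kdevtmpfs is an assumption added so the check can be run against a captured proc tree.

```shell
#!/bin/sh
# Added defensive example, not from the Stroz Friedberg report or from sedexp.
# Two checks a responder can run as root on a suspect Linux host:
#   1. list every udev rule that runs a program (RUN+= / PROGRAM=), since a
#      udev rule is the persistence hook described above;
#   2. find user-space processes borrowing the name of the kdevtmpfs kernel thread.

# Directories udev reads rules from (see udev(7)).
UDEV_RULE_DIRS="/etc/udev/rules.d /run/udev/rules.d /usr/lib/udev/rules.d /lib/udev/rules.d"

# Print "file:line:rule" for every uncommented rule that executes something.
# Distribution packages ship legitimate RUN+= rules too, so compare hits
# against package-owned files rather than treating every line as malicious.
list_run_rules() {
    local dir
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        grep -HnE '^[^#]*(RUN|PROGRAM)[[:space:]]*\+?=' "$dir"/*.rules 2>/dev/null || true
    done
    return 0
}

# Print "pid exe" for every process whose comm is kdevtmpfs but which has a
# resolvable /proc/<pid>/exe. The real kdevtmpfs is a kernel thread; kernel
# threads have no executable, so readlink fails on them, while a user-space
# impostor resolves to a file on disk. $1 (assumed, for testing) lets the
# check run against a captured proc tree; it defaults to the live /proc.
find_fake_kdevtmpfs() {
    local proc_root pid comm exe
    proc_root=${1:-/proc}
    for pid in "$proc_root"/[0-9]*; do
        [ -r "$pid/comm" ] || continue
        read -r comm < "$pid/comm"
        [ "$comm" = "kdevtmpfs" ] || continue
        if exe=$(readlink "$pid/exe" 2>/dev/null); then
            echo "${pid##*/} $exe"
        fi
    done
    return 0
}

echo "== udev rules that execute a program =="
# shellcheck disable=SC2086
list_run_rules $UDEV_RULE_DIRS
echo "== user-space processes named kdevtmpfs =="
find_fake_kdevtmpfs
```

Run it as root: for a process owned by another user, readlink on /proc/<pid>/exe fails with permission denied, which would make an impostor look like a kernel thread.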
Stroz Friedberg believes this piece of malware has been used since at least 2022, and found it in numerous online sandboxes, where no antivirus engine flagged it. The researchers believe the malware was used to hide a credit card skimmer.
Via BleepingComputer