Security specialists recently discovered that the Linux malware variant “sedexp” evaded detection for two years by hiding in specific functions within the Linux kernel.
The Linux malware variant was discovered by risk management specialists at Stroz Friedberg, part of Aon. It has been active since 2022 and uses a previously unknown persistence technique.
The researchers indicate that this technique allowed the malware to operate undetected in recent years; as a result, it was not documented in the MITRE ATT&CK framework until now.
The sedexp malware allows hackers to create so-called "reverse shells" for remote system access and to launch further attacks. The malware mainly focuses on scraping credit card information from compromised web servers and on enabling follow-on attacks.
Attack technique
The malware went undetected for the past two years because sedexp abuses so-called "udev rules". Udev is the device management system for the Linux kernel and is responsible for the device nodes in the /dev directory. This directory contains files representing the hardware available within a system or server.
These node files are dynamically created and deleted when connecting and disconnecting devices. In addition, the udev option in Linux also takes care of loading the necessary drivers for this hardware.
Udev rules are text configuration files that specify how certain devices or events should be handled. They are stored in "/etc/udev/rules.d/" or "/lib/udev/rules.d/".
A rule typically combines three kinds of parameters: the event it applies to (e.g. `ACTION=="add"`), the name of the device in question (e.g. `KERNEL=="sdb1"`) and the script to run when those conditions are met (`RUN+="/path/to/script"`).
The hackers added the udev rule `ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"` to compromised systems. It ensures that every newly added device triggers a check of whether its major and minor device numbers (1 and 8) are those of /dev/random. This device node is created at system boot and is used as a random number source by multiple applications and system processes, so the rule fires reliably on every start.
Security solutions do not monitor the aforementioned /dev/random component within Linux, which makes it an easy place for this malware to hide.
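A defender-side check for the persistence mechanism described above: the following added example (not code from the article or from the researchers) parses udev rule lines into key/operator/value tokens and flags any rule that runs a program when the /dev/random node (major 1, minor 8) is added. The sample rules file is constructed for the example; the last line mirrors the rule form the article quotes.

```python
import re
from typing import List, Tuple

# Constructed sample of a udev rules file. The last rule has the shape the
# article describes: it runs a program whenever the 1:8 (/dev/random) node appears.
SAMPLE_RULES = """\
# legitimate: give a USB disk a stable symlink
ACTION=="add", KERNEL=="sdb1", SYMLINK+="backupdisk"
# legitimate: set permissions on a serial adapter
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", MODE="0660"
# suspicious: trigger on the /dev/random device node and run a program
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# One udev token: KEY or KEY{attr}, an operator, and a double-quoted value.
TOKEN_RE = re.compile(
    r'\s*([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?'
)

def parse_rule(line: str) -> List[Tuple[str, str, str]]:
    """Split one udev rule line into (key, operator, value) triples."""
    return [(key, op, value) for key, op, value in TOKEN_RE.findall(line)]

def is_suspicious(tokens: List[Tuple[str, str, str]]) -> bool:
    """True when a rule both matches the /dev/random node by its major/minor
    numbers (1:8) and runs a program; ordinary rules match by KERNEL/SUBSYSTEM."""
    matches = {key: value for key, op, value in tokens if op == "=="}
    runs_program = any(key == "RUN" and op in ("+=", "=") for key, op, _ in tokens)
    targets_random = matches.get("ENV{MAJOR}") == "1" and matches.get("ENV{MINOR}") == "8"
    return runs_program and targets_random

def scan_rules(text: str) -> List[str]:
    """Return every non-comment rule line in a rules file that is_suspicious() flags."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if is_suspicious(parse_rule(line)):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    # In practice, feed this the contents of files under /etc/udev/rules.d and /lib/udev/rules.d.
    for rule in scan_rules(SAMPLE_RULES):
        print("suspicious udev rule:", rule)
```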
Operational effect of the malware
The malware eventually creates a so-called “kdvtmpfs” process that masquerades as a legitimate system process. This process mixes itself with other ‘normal’ activities, making it even more difficult to detect with conventional methods, the researchers further indicate.
During operation, the malware uses forked and piped processes, and forks a new process to set up a reverse shell. This reverse shell allows the attackers to remotely access an affected system.
In addition, the sedexp malware uses various techniques to manipulate memory. One technique hides any file containing the "sedexp" string from standard commands such as "ls" or "find", which also conceals the malware's presence on a system.
Further, the sedexp malware can also modify memory content to inject malicious code or change the behavior of existing applications and system processes.
Countermeasures
As a countermeasure, the researchers state that companies should continuously update their detection capabilities for these types of attacks, implement clear security measures to counter these attacks and engage experts to perform forensic investigations to discover potentially compromised servers.