Unveiling “sedexp”: A Stealthy Linux Malware Exploiting udev Rules
by Zachary Reichert
August 19, 2024
https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
| Notes |
|---|
| Stroz Friedberg |
| malware |
| Linux malware |
| Linux |
| sedexp |
| udev |
| udev rules |
| persistence |
| evasion |
| reverse shell |
| MITRE ATT&CK |
| udev persistence was not documented in ATT&CK |
| financially motivated threat actor |
| /dev |
| Linux kernel |
| device node |
| hotplug |
| USB |
| /etc/udev/rules.d |
| /lib/udev/rules.d |
| udev rule format: ACTION, ENV{MAJOR}, ENV{MINOR} match keys plus a RUN+= program |
| /dev/random (major 1, minor 8; always present, so the rule runs the payload on every boot) |
| memory modification for stealth |
| webshell |
| Apache |
| changes process name to kdevtmpfs using prctl |
| prctl |
| blend in with legitimate processes |
| readlink() |
| /proc/self/exe |
| threat intelligence |
| credit card scraping |
| OSINT |
| online sandboxes had zero detections |
| in use since at least 2022 |
| DFIR |
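The two artifacts the notes above describe, a udev rule keyed on the device numbers of /dev/random with a RUN+= program, and a user-space binary that renames itself to the kernel thread kdevtmpfs with prctl, are both cheap to hunt for. The script below is an added example, not code from the Aon/Stroz Friedberg write-up: it parses udev rules files for RUN rules that fire when /dev/random is added, and checks /proc for processes that carry a kernel-thread name but have a user-space parent, an exe link or a command line. The sample rules text, the payload path /usr/lib/udev/example-payload and the process records in the test are constructed for illustration.

```python
"""Hunting helpers for the two sedexp artifacts listed in the notes above:
a udev rule that RUNs a payload whenever the /dev/random device node
(major 1, minor 8) is added, and a user-space process that has renamed
itself after a kernel thread (kdevtmpfs) with prctl(PR_SET_NAME).

Added example, not code from the Aon/Stroz Friedberg write-up. The sample
rule text, the payload path /usr/lib/udev/example-payload and the process
records used below are constructed for illustration.
"""
import os
import re
from pathlib import Path

# Directories udev loads *.rules from; /etc overrides the packaged copies.
UDEV_RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d",
                  "/usr/lib/udev/rules.d", "/lib/udev/rules.d")

# Device numbers of /dev/random: the node always exists and is enumerated at
# boot, so a RUN rule matched on it fires on every boot (persistence).
RANDOM_MAJOR, RANDOM_MINOR = "1", "8"

# Kernel-thread names (comm) a user-space binary might borrow to blend in.
KERNEL_THREAD_NAMES = {"kdevtmpfs", "kthreadd", "kworker", "ksoftirqd", "kswapd0"}

# key, operator, "value" tokens of a udev rule line (only the keys we need)
_TOKEN = re.compile(r'(ACTION|ENV\{(?:MAJOR|MINOR)\}|RUN)\s*(==|!=|\+=|=)\s*"([^"]*)"')

SAMPLE_RULES = """\
# constructed sample file, modelled on the persistence pattern in the notes
KERNEL=="sd*", SUBSYSTEM=="block", RUN+="/usr/bin/logger block device seen"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/usr/lib/udev/example-payload run"
ACTION=="remove", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/true"
"""


def parse_udev_rule(line):
    """Split one rule line into its match keys and its RUN programs."""
    rule = {"match": {}, "RUN": []}
    for key, op, value in _TOKEN.findall(line):
        if key == "RUN":
            rule["RUN"].append(value)
        else:
            rule["match"][key] = (op, value)
    return rule


def scan_rules_text(text):
    """Return [(line_no, rule)] for every rule in a rules file that has a RUN key."""
    findings, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not pending:
            start = n
        if line.endswith("\\"):          # udev joins backslash-continued lines
            pending += line[:-1]
            continue
        rule = parse_udev_rule(pending + line)
        pending = ""
        if rule["RUN"]:
            findings.append((start, rule))
    return findings


def triggers_on_dev_random(rule):
    """True for a rule that runs its program when /dev/random is added, i.e. at boot.
    A rule with no ACTION key matches every event, so it counts as matching "add".
    Alternations such as ACTION=="add|change" are not parsed here."""
    m = rule["match"]
    return (m.get("ACTION", ("==", "add")) == ("==", "add")
            and m.get("ENV{MAJOR}") == ("==", RANDOM_MAJOR)
            and m.get("ENV{MINOR}") == ("==", RANDOM_MINOR))


def looks_like_disguised_process(pid, comm, ppid, exe, cmdline):
    """True when a process carries a kernel-thread name but is not a kernel thread.
    Real kernel threads are kthreadd (pid 2) or its children, have no
    /proc/<pid>/exe target and an empty cmdline. prctl(PR_SET_NAME) only rewrites
    comm; the parent pid, the exe link and argv still betray user space."""
    if comm.split("/")[0] not in KERNEL_THREAD_NAMES:   # kworker/0:1 -> kworker
        return False
    is_kernel_thread = pid == 2 or ppid == 2
    return not is_kernel_thread or exe is not None or bool(cmdline)


def read_proc_process(pid):
    """Collect comm, ppid, exe and cmdline from /proc; None if the process is gone."""
    base = Path("/proc") / str(pid)
    try:
        comm = (base / "comm").read_text().strip()
        stat = (base / "stat").read_text()
        ppid = int(stat.rsplit(")", 1)[1].split()[1])  # after "(comm)": state, ppid, ...
        cmdline = (base / "cmdline").read_bytes()
    except OSError:
        return None
    try:
        exe = os.readlink(base / "exe")
    except OSError:   # ENOENT for kernel threads; EACCES when not run as root
        exe = None
    return {"pid": pid, "comm": comm, "ppid": ppid, "exe": exe, "cmdline": cmdline}


if __name__ == "__main__":
    for n, rule in scan_rules_text(SAMPLE_RULES):
        tag = "BOOT-TRIGGER" if triggers_on_dev_random(rule) else "run-rule"
        print(f"sample line {n}: {tag}: {rule['RUN']}")
    if os.path.isdir("/proc"):   # live checks on this host; run as root for full visibility
        for d in filter(os.path.isdir, UDEV_RULE_DIRS):
            for path in sorted(Path(d).glob("*.rules")):
                for n, rule in scan_rules_text(path.read_text(errors="replace")):
                    if triggers_on_dev_random(rule):
                        print(f"{path}:{n}: RUN on /dev/random add: {rule['RUN']}")
        for p in filter(None, (read_proc_process(int(e)) for e in os.listdir("/proc") if e.isdigit())):
            if looks_like_disguised_process(p["pid"], p["comm"], p["ppid"], p["exe"], p["cmdline"]):
                print(f"pid {p['pid']} comm={p['comm']} ppid={p['ppid']} exe={p['exe']}")
```

Run it as root on the host under investigation; without root, readlink on another user's /proc/<pid>/exe fails and only the parent pid and cmdline checks remain. A hit on the rule side should be followed by pulling the RUN program from disk and hashing it; a hit on the process side by dumping the process from /proc/<pid>/exe, since the notes record that sedexp hides its on-disk artifacts through memory modification.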
| Samples |
|---|
| 43f72f4cdab8ed40b2f913be4a55b17e7fd8a7946a636adb4452f685c1ffea02 |
| 94ef35124a5ce923818d01b2d47b872abd5840c4f4f2178f50f918855e0e5ca2 |
| b981948d51e344972d920722385f2370caf1e4fac0781d508bc1f088f477b648 |