Stroz Friedberg identified sedexp, a Linux malware that persists via a novel udev rule technique. The activity has been ongoing since at least 2022, shows low detection rates in online sandboxes, and is financially motivated, focusing on credit card scraping. #sedexp #creditcardscraping
Key points
- Stroz Friedberg identified sedexp using a novel Linux persistence technique via udev rules.
- The malware has been active since at least 2022 and shows low detection in online sandboxes.
- It leverages a udev rule to persist: udev runs the malware in response to a device event, in this case the one for /dev/random.
- The identified udev rule triggers when /dev/random is loaded, so the malware is executed on every reboot.
- Sedexp features include reverse shell capabilities and memory manipulation to hide its presence.
- The malware is associated with financially motivated threat actors focusing on credit card scraping.
- Organizations should enhance detection capabilities and conduct thorough forensic analysis.
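As an added defender-side example (not from the Stroz Friedberg report), a Python audit script that flags udev rules which both match the random device (by kernel name or by its major/minor numbers 1:8 and 1:9) and carry a RUN directive. The sample rule text is constructed for illustration and the command path in it is a placeholder, not the real sedexp rule.

```python
import re
from pathlib import Path

# Constructed sample: one benign rule and one suspicious rule that fires when the
# random device (major 1, minor 8) is added and runs a program. Placeholder path only.
SAMPLE_RULES = """\
# constructed benign rule
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*", RUN+="/usr/lib/udev/net-hook"
# constructed suspicious rule (illustration, not the real sedexp rule)
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/usr/local/bin/example_daemon run"
"""

# key, operator, quoted value: KERNEL=="random", ENV{MINOR}=="8", RUN+="/path"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*([=!+:]?=)\s*"([^"]*)"')

def parse_rule(line):
    """Return (key, op, value) tuples for one udev rule line."""
    return TOKEN.findall(line)

def is_random_device_match(tokens):
    """True if the rule matches /dev/random or /dev/urandom by name or by 1:8 / 1:9."""
    kv = {(k, op): v for k, op, v in tokens}
    if kv.get(("KERNEL", "==")) in ("random", "urandom"):
        return True
    return kv.get(("ENV{MAJOR}", "==")) == "1" and kv.get(("ENV{MINOR}", "==")) in ("8", "9")

def find_suspicious_rules(text):
    """Return (line_no, command) for rules that match the random device and RUN a program."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = parse_rule(line)
        runs = [v for k, op, v in tokens if k == "RUN" and op in ("+=", "=")]
        if runs and is_random_device_match(tokens):
            hits.append((n, runs[0]))
    return hits

def audit_rule_dirs(dirs=("/etc/udev/rules.d", "/usr/lib/udev/rules.d", "/run/udev/rules.d")):
    """Scan the standard udev rule directories on a live host; returns (file, line, command)."""
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for path in sorted(base.glob("*.rules")):
            for n, cmd in find_suspicious_rules(path.read_text(errors="replace")):
                findings.append((str(path), n, cmd))
    return findings

if __name__ == "__main__":
    print("sample:", find_suspicious_rules(SAMPLE_RULES))
    print("host:", audit_rule_dirs())
```

A hit is a lead, not proof: confirm by checking the RUN target's path, hash and owner, since legitimate rules rarely execute programs in response to the random device.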
MITRE Techniques
- [T1547] Persistence – Udev rules to maintain persistence on Linux systems. Quote: ‘Utilizes udev rules to maintain persistence on Linux systems.’
- [T1071] Command and Control – Reverse shell for remote access. Quote: ‘The malware includes a reverse shell, allowing the threat actor to maintain control over the compromised system.’
- [T1027] Obfuscated Files or Information – Memory manipulation to hide its presence. Quote: ‘memory manipulation to hide any file containing the string “sedexp” from commands like ls or find.’
Indicators of Compromise
- [SHA256] Sample hashes – 43f72f4cdab8ed40b2f913be4a55b17e7fd8a7946a636adb4452f685c1ffea02, 94ef35124a5ce923818d01b2d47b872abd5840c4f4f2178f50f918855e0e5ca2, b981948d51e344972d920722385f2370caf1e4fac0781d508bc1f088f477b648
Read more: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp