Malware Hid for Two Years Undetected

Stealthy ‘sedexp’ Linux malware evaded detection for two years.

A stealthy Linux malware named ‘sedexp’ has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework.

The malware was discovered by risk management firm Stroz Friedberg, an Aon Insurance company, and enables its operators to create reverse shells for remote access and to further the attack.

“At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK,” the researchers note, highlighting that sedexp is an advanced threat that hides in plain sight.

‘udev’ is a device management system for the Linux kernel responsible for handling device nodes in the /dev directory, which contains files that represent the hardware components available on the system such as storage drives, network interfaces, and USB drives.

Node files are dynamically created and removed when the user connects/disconnects devices, while udev also handles the loading of appropriate drivers.

Udev rules are text configuration files that dictate how the manager should handle certain devices or events, located in ‘/etc/udev/rules.d/’ or ‘/lib/udev/rules.d/’.

These rules contain three parameters that specify their applicability (ACTION=="add"), the device name (KERNEL=="sdb1"), and what script to run when the specified conditions are met (RUN+="/path/to/script").
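Because a RUN+= assignment in any of those rule directories executes a program whenever a matching device event fires, a defender can audit the rules for programs that live outside the directories udev helpers normally ship in. The script below is an added example written for this post, not code from the article or from Stroz Friedberg: it parses rule lines into key/operator/value tokens and flags RUN or PROGRAM entries whose absolute path is not under a trusted directory (the trusted list and the sample ruleset are constructed assumptions).

```python
import re
from pathlib import Path

# One udev token: KEY, optional {attr}, operator, double-quoted value, optional comma.
TOKEN = re.compile(r'\s*([A-Z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"\s*,?')

# Assumed set of directories where legitimate udev helper programs live.
TRUSTED_PROGRAM_DIRS = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")

# Constructed sample ruleset; line 3 is the pattern described in the post.
SAMPLE_RULES = """\
# constructed sample, not a real ruleset
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*", RUN+="/usr/lib/udev/net-setup %k"
ACTION=="add", KERNEL=="sdb1", RUN+="/path/to/script"
ACTION=="remove", KERNEL=="sdb1", RUN+="cleanup-helper %k"
"""

def parse_rule(line):
    """Return [(key, attr, op, value), ...] for one rule line, or None for blank/comment/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens, pos = [], 0
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m:
            return None  # malformed: udev itself would reject this line
        tokens.append((m.group(1), m.group(2), m.group(3), m.group(4)))
        pos = m.end()
    return tokens

def suspicious_run_entries(rules_text):
    """Return (line_no, program) for each RUN/PROGRAM assignment pointing outside TRUSTED_PROGRAM_DIRS."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        for key, _attr, op, value in parse_rule(line) or []:
            if key not in ("RUN", "PROGRAM") or op not in ("+=", "=", ":="):
                continue
            parts = value.split()
            program = parts[0] if parts else ""
            # A bare name is resolved by udev relative to its helper directory, so only absolute paths are checked.
            if program.startswith("/") and not program.startswith(TRUSTED_PROGRAM_DIRS):
                findings.append((no, program))
    return findings

def scan_rules_dirs(dirs=("/etc/udev/rules.d", "/lib/udev/rules.d")):
    """Scan every *.rules file in the given directories; returns {path: [(line_no, program), ...]} for hits."""
    results = {}
    for d in dirs:
        for path in sorted(Path(d).glob("*.rules")):
            hits = suspicious_run_entries(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RULES))
    print(scan_rules_dirs())
```

A hit is a starting point for review, not proof of compromise: distributions and third-party packages do ship rules that run programs from other locations, so compare each flagged path against the owning package and its file hash.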

Read More Here.

