The sedexp virus has been ruling the heart of Linux for 2 years

The discovery of this malware marks a new stage in the evolution of Linux threats.

Aon has discovered a new Linux malware called sedexp, which has gone undetected since 2022 thanks to an unusual stealth method. The malware allows attackers to remotely control infected devices and carry out further attacks from them.

Sedexp is notable for using udev rules to maintain persistence on infected systems. udev is the Linux device manager: it can automatically run actions when the state of a device changes (for example, when a device is connected or disconnected). The malware adds its own rule to the system:

ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"

The rule fires when a device is added and matches the character device with major number 1 and minor number 8, i.e. /dev/random; because that device is created on every boot, the malware is run regularly at system startup. The malware also disguises its process under the name of the legitimate kdevtmpfs kernel thread, making it harder to spot.
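As an added example (not code from Aon's report), the following Python scanner shows how a defender can check the udev rule directories for the persistence pattern described above: any rule that executes a program via RUN+= when the /dev/random device (major 1, minor 8) is added. The sample rules embedded at the bottom are constructed for the demonstration; the sedexp rule itself is the one quoted in the post.

```python
"""Scan udev rules for RUN+= persistence triggered by /dev/random (major 1, minor 8)."""
import glob
import os
import re

# Directories udev reads rule files from (admin, runtime and distribution locations).
UDEV_RULE_DIRS = ["/etc/udev/rules.d", "/run/udev/rules.d",
                  "/usr/lib/udev/rules.d", "/lib/udev/rules.d"]

# A udev rule is a comma-separated list of  KEY OP "value"  tokens, e.g. ENV{MAJOR}=="1".
TOKEN_RE = re.compile(r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*')

def parse_rule(line):
    """Split one rule line into (key, op, value) triples; comments and blank lines give []."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    triples, pos = [], 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:
            break  # unparsable remainder: keep the tokens already collected
        triples.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
        if pos < len(line) and line[pos] == ",":
            pos += 1
    return triples

def is_random_trigger(triples):
    """True if the rule matches the /dev/random node, by major/minor or by kernel name."""
    matches = {(k, v) for k, op, v in triples if op == "=="}
    by_numbers = ("ENV{MAJOR}", "1") in matches and ("ENV{MINOR}", "8") in matches
    return by_numbers or ("KERNEL", "random") in matches

def run_programs(triples):
    """External programs a rule runs; RUN{builtin} is udev's own helpers and is ignored."""
    return [v for k, op, v in triples if k in ("RUN", "RUN{program}") and op in ("+=", "=")]

def scan_rules_text(text, source="<inline>"):
    """Findings for every RUN rule in `text` that fires when /dev/random is added."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        triples = parse_rule(line)
        progs = run_programs(triples)
        if progs and is_random_trigger(triples):
            findings.append({"source": source, "line": lineno,
                             "programs": progs, "rule": line.strip()})
    return findings

def scan_rule_dirs(dirs=UDEV_RULE_DIRS):
    """Scan every *.rules file under `dirs`; missing or unreadable files are skipped."""
    findings = []
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.rules"))):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_rules_text(fh.read(), path))
            except OSError:
                continue
    return findings

# Constructed sample: one benign rule for contrast, then the rule reported for sedexp.
SAMPLE_RULES = """\
# benign: let the render group use GPU render nodes
KERNEL=="renderD*", GROUP="render", MODE="0666"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

if __name__ == "__main__":
    for f in scan_rules_text(SAMPLE_RULES, "sample") + scan_rule_dirs():
        print(f"{f['source']}:{f['line']}: RUN on /dev/random add -> {f['programs']}")
```

Run it as root on a live host to include the real rule directories; a relative program name in RUN+= (as in the sedexp rule) is resolved by udev against its helper directory, so any hit is worth confirming by locating that binary and checking its package ownership.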

The malware can also open a reverse shell, giving the attacker remote control of the infected computer. Sedexp also uses memory-manipulation techniques to hide files from standard commands such as ls or find, and can modify process memory to inject malicious code or change application behaviour. In the cases under investigation, these methods were used to hide web shells, modified Apache configuration files, and the udev rule itself.
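Because sedexp names its process after the kdevtmpfs kernel thread, a process-list check by name alone is useless; what distinguishes a genuine kernel thread is that it is a child of kthreadd (PID 2), has an empty command line, and has no executable image behind /proc/PID/exe. The following Python check, added here as an illustration rather than taken from Aon's report, walks a /proc tree and flags any process carrying such a name that fails those tests. The fake /proc tree it builds for the demonstration (PIDs 25 and 1234, the command line, and the placeholder binary path) is constructed.

```python
"""Flag user-space processes that borrow the name of a kernel thread such as kdevtmpfs."""
import os
import tempfile

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd

def _read(path, default=""):
    """Read a small /proc file as text, returning `default` when it is unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return default

def process_facts(proc_root, pid):
    """Collect comm, ppid, cmdline and exe target for one PID (None where unavailable)."""
    base = os.path.join(proc_root, str(pid))
    comm = _read(os.path.join(base, "comm")).strip()
    # /proc/PID/stat is "pid (comm) state ppid ..."; comm may contain spaces, so split on the last ')'.
    stat = _read(os.path.join(base, "stat"))
    ppid = None
    if ")" in stat:
        fields = stat.rsplit(")", 1)[1].split()
        if len(fields) > 1 and fields[1].isdigit():
            ppid = int(fields[1])
    cmdline = _read(os.path.join(base, "cmdline")).replace("\0", " ").strip()
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = None  # kernel threads have no executable image
    return {"pid": pid, "comm": comm, "ppid": ppid, "cmdline": cmdline, "exe": exe}

def looks_like_kernel_thread(facts):
    """A real kernel thread: spawned by kthreadd, no argv, no backing executable."""
    return facts["ppid"] == KTHREADD_PID and facts["cmdline"] == "" and facts["exe"] is None

def find_masquerading_kernel_threads(proc_root="/proc", names=("kdevtmpfs",)):
    """Return facts for every process named like a kernel thread that is not actually one."""
    suspects = []
    for entry in sorted(os.listdir(proc_root), key=lambda s: int(s) if s.isdigit() else -1):
        if not entry.isdigit():
            continue
        facts = process_facts(proc_root, int(entry))
        if facts["comm"] in names and not looks_like_kernel_thread(facts):
            suspects.append(facts)
    return suspects

def build_sample_proc():
    """Constructed fake /proc: PID 25 is a genuine kdevtmpfs, PID 1234 a user-space impostor."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    def write(pid, name, data):
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "w") as fh:
            fh.write(data)
    write(25, "comm", "kdevtmpfs\n")
    write(25, "stat", "25 (kdevtmpfs) S 2 0 0 0 -1 69238880\n")
    write(25, "cmdline", "")
    write(1234, "comm", "kdevtmpfs\n")
    write(1234, "stat", "1234 (kdevtmpfs) S 1 1234 1234 0 -1 4194560\n")
    write(1234, "cmdline", "./asedexpb\0run:+\0")            # constructed argv
    os.symlink("/tmp/placeholder-binary", os.path.join(root, "1234", "exe"))  # placeholder path
    return root

if __name__ == "__main__":
    for hit in find_masquerading_kernel_threads(build_sample_proc()) + find_masquerading_kernel_threads():
        print(f"suspect pid={hit['pid']} comm={hit['comm']} ppid={hit['ppid']} exe={hit['exe']}")
```

On a live host run it as root so that /proc/PID/exe is readable for every process; for an unprivileged user readlink fails with EACCES on other users' processes, which this check would wrongly treat as "no executable image". Because sedexp also tampers with memory to hide files, treat a hit as a reason to image the host rather than to trust further output from it.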

According to the study, the malware has been active since at least 2022 and had been submitted to several online sandboxes, yet only two antivirus engines on VirusTotal detected it. Sedexp is also known to have been used to steal credit card data from compromised web servers, which indicates that it is used in attacks aimed at stealing funds from payment cards. The sedexp discovery shows how financially motivated attackers are using increasingly sophisticated methods that go beyond traditional ransomware.
