Cybersecurity experts have discovered a new, stealthy Linux malware that uses an unusual technique to establish persistence on infected systems while concealing credit card skimmer code. The malware, named ‘sedexp’ by a cybersecurity incident response team, is attributed to a financially motivated group and has been active since 2022.
The researchers highlighted that ‘sedexp’ is not just another piece of malware; it is designed to remain hidden while providing attackers with reverse shell capabilities and advanced methods to avoid detection.
In a constantly evolving landscape where cybercriminals refine their tactics, ‘sedexp’ stands out for its clever use of udev rules, which are typically used to manage device events on Linux systems.
Udev, the modern replacement for the Device File System, allows the creation of rules that define actions when devices are added or removed from the system. Each rule can include key-value pairs to match devices by name and trigger specific actions when device events occur, such as automatically starting a backup when an external drive is connected.
The malware cleverly manipulates these rules, specifically using the udev rule ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+" to ensure that it runs every time the /dev/random device is loaded, which usually happens during system reboot. This ensures that the malware is executed whenever the system restarts, making it persistently active.
Beyond its persistence mechanisms, ‘sedexp’ has the capability to launch a reverse shell, granting remote access to the compromised system. It can also modify system memory to hide any files containing the string “sedexp” from common file listing commands like ls or find.
In the instances investigated, the malware has been used to conceal web shells, altered Apache configuration files, and even its own udev rule.
Researchers noted that the primary purpose of ‘sedexp’ appears to be financial gain, as it has been used to hide credit card skimming code on web servers. This discovery highlights the growing sophistication of financially motivated cybercriminals, who are increasingly turning to advanced techniques beyond traditional ransomware.
Preventing such advanced threats requires vigilant security practices. Regularly monitor and review udev rules, as well as other system configurations, to detect any unauthorized changes. Employ comprehensive security solutions that can identify and block abnormal behaviors, such as unauthorized remote access or file manipulation.
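As an added illustration of the udev-rule review recommended above (this is example code written for this page, not code from the researchers or from the malware analysis), the following Python script tokenizes udev rule lines into key/operator/value triples and flags two things: any RUN directive bound to the /dev/random device numbers (major 1, minor 8) that the quoted rule keys on, and, at a lower severity, RUN programs given as a relative name rather than an absolute path. The rule lines it scans are constructed samples embedded in the script; the rule-file paths, the sample helper names and the severity labels are assumptions for the example.

```python
"""Audit udev rule lines for RUN directives bound to /dev/random.

Added example for this article, not code from the original research. It
parses rules with a small tokenizer and flags the persistence pattern the
article describes. SAMPLE_RULES below are constructed, not taken from a host.
"""
import re
from typing import Dict, List, Tuple

# One "KEY op "value"" assignment, with an optional attribute in braces,
# e.g. ENV{MAJOR}=="1" or RUN+="/usr/bin/prog arg". Trailing comma optional.
TOKEN_RE = re.compile(
    r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?'
)

# Device numbers of /dev/random; the rule quoted in the article keys on these.
RANDOM_MAJOR, RANDOM_MINOR = "1", "8"

# Constructed sample rule lines (assumed content, not real files).
SAMPLE_RULES = [
    '# constructed sample: legitimate backup trigger on a mounted filesystem',
    'ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="filesystem", RUN+="/usr/local/bin/backup.sh"',
    '# constructed sample: rule shaped like the one the article quotes',
    'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"',
    '# constructed sample: relative helper name (udev looks it up in its helper dir)',
    'KERNEL=="sd*", ACTION=="add", RUN+="set-disk-params %k"',
]


def parse_rule(line: str) -> List[Tuple[str, str, str]]:
    """Tokenize one rule line into (key, operator, value) triples."""
    triples = []
    pos = 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:
            break  # stop at anything the tokenizer does not understand
        triples.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return triples


def check_rule(line: str) -> Tuple[str, str]:
    """Return (severity, reason); severity is 'high', 'review' or 'none'."""
    triples = parse_rule(line)
    matches: Dict[str, str] = {k: v for k, op, v in triples if op == "=="}
    # RUN+= and RUN{program}+= launch an external program; RUN{builtin} is udev's own.
    runs = [v for k, op, v in triples
            if k.split("{")[0] == "RUN" and op == "+=" and k != "RUN{builtin}"]
    if not runs:
        return "none", "no external RUN directive"
    if (matches.get("ENV{MAJOR}") == RANDOM_MAJOR
            and matches.get("ENV{MINOR}") == RANDOM_MINOR):
        return "high", f"RUN bound to /dev/random (major 1, minor 8): {runs[0]!r}"
    words = runs[0].split()
    prog = words[0] if words else ""
    if not prog.startswith("/"):
        return "review", f"RUN program {prog!r} is a relative name, verify it in the udev helper dir"
    return "none", "absolute RUN program, no /dev/random binding"


def audit_rules(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Audit rule lines; return (line_number, severity, reason) per finding."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no rule
        severity, reason = check_rule(line)
        if severity != "none":
            findings.append((n, severity, reason))
    return findings


if __name__ == "__main__":
    # On a real host, read the lines of each file under /etc/udev/rules.d and
    # /usr/lib/udev/rules.d instead of the constructed samples.
    for n, sev, why in audit_rules(SAMPLE_RULES):
        print(f"line {n}: [{sev}] {why}")
```

A "high" finding is the one worth acting on: no legitimate rule needs to launch a program each time the /dev/random character device appears. The "review" severity is deliberately weaker, since distribution rules do occasionally reference helpers by a relative name, so those entries should be compared against the package that installed them rather than treated as malicious on sight.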
Additionally, educating IT staff on emerging threats and advanced evasion techniques can strengthen an organization’s defense against these evolving cyber threats.