This sneaky Linux malware went undetected for years, and is using all-new attack tactics
The persistence method used by this malware was not documented by MITRE ATT&CK at the time it was found
A novel piece of Linux malware, which grants its operators the ability to remotely access the compromised device, has been hiding in plain sight for more than two years now, experts have warned.
Stroz Friedberg, which discovered the malware and wrote an in-depth explainer, said the malware is called “sedexp”, and has been evading detection since 2022.
Remote access to the compromised endpoint is the payload, but it is not what makes this malware unusual. What sets it apart is how it stayed hidden for more than two years and avoided detection by most antivirus solutions.
Udev rules abused
According to the report, sedexp stayed under the radar by using udev rules for persistence.
"At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK," the researchers note.
Udev is the userspace device manager for the Linux kernel. It creates and removes device nodes in /dev dynamically as hardware such as USB drives, printers and network interfaces appears and disappears, and it can trigger loading of the matching kernel module (driver) when a new device is detected.
Udev rules are text files (typically under /etc/udev/rules.d and /usr/lib/udev/rules.d) that tell the device manager how to handle specific devices or events, including which program to run when a rule matches. The malware adds a rule of its own so that udev executes it whenever the matching device event occurs, which is what gives it persistence, the researchers explained. Finally, the malware names its process 'kdevtmpfs', the same name as a legitimate kernel thread, which makes it easy to overlook in a process listing.
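The two tricks described above, a udev rule that executes a program and a user-space process borrowing a kernel thread's name, can both be checked for from the host side. The following Python is an added example written for this page; it is not code from the page, from the Stroz Friedberg report, or from the malware. It lists every udev rule that runs an external program and flags any process named kdevtmpfs that does not look like a kernel thread. The rule contents and the fake /proc tree it runs over are constructed sample data, and the RUN rule in the fixture is a generic illustration of the technique's shape (paths and match keys are made up), not the actual sedexp rule.

```python
"""Two checks for the persistence and masquerading tricks described above:
(1) list every udev rule that executes a program, (2) find user-space
processes that borrow the name of the kdevtmpfs kernel thread."""
import os
import re
import tempfile
from pathlib import Path

# udev keys that make the device manager execute something when a rule
# matches. RUN{builtin} runs an internal helper, not an external program.
_EXEC_KEY_RE = re.compile(
    r'(RUN(?:\{[^}]*\})?|PROGRAM|IMPORT\{program\})\s*(?:\+=|=)\s*"([^"]*)"')


def find_exec_rules(rules_dir):
    """Return (file, line_no, key, command) for every rule line that runs
    an external program. Directories such as /etc/udev/rules.d are
    root-writable and override the distro rules, so each hit there is
    worth a look: a RUN action pointing at an odd path or at a binary no
    package owns is the shape of persistence this article describes."""
    hits = []
    for path in sorted(Path(rules_dir).glob("*.rules")):
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for key, cmd in _EXEC_KEY_RE.findall(stripped):
                if key != "RUN{builtin}":
                    hits.append((path.name, n, key, cmd))
    return hits


def _read(path, default=""):
    try:
        return Path(path).read_text(errors="replace")
    except OSError:  # process exited, or the file is not readable
        return default


def find_kthread_impostors(proc_root="/proc", name="kdevtmpfs"):
    """A genuine kdevtmpfs is a kernel thread: parent PID 2 (kthreadd),
    empty cmdline and no readable exe link. A user-space binary that sets
    its comm to the same name fails at least one of those tests. Run as
    root so the exe link of other users' processes can be read; without
    that, the PPid and cmdline checks still apply."""
    impostors = []
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        if _read(pid_dir / "comm").strip() != name:
            continue
        m = re.search(r"^PPid:\s*(\d+)", _read(pid_dir / "status"), re.M)
        ppid = int(m.group(1)) if m else -1
        cmdline = _read(pid_dir / "cmdline").replace("\0", " ").strip()
        try:
            exe = os.readlink(pid_dir / "exe")
        except OSError:
            exe = ""
        if ppid != 2 or cmdline or exe:
            impostors.append((int(pid_dir.name), ppid, cmdline, exe))
    return sorted(impostors)


def _fake_proc_entry(pid_dir, comm, ppid, cmdline, exe=None):
    pid_dir.mkdir(parents=True)
    (pid_dir / "comm").write_text(comm + "\n")
    (pid_dir / "status").write_text(f"Name:\t{comm}\nPPid:\t{ppid}\n")
    (pid_dir / "cmdline").write_text(cmdline)
    if exe is not None:
        os.symlink(exe, pid_dir / "exe")


def build_demo(root):
    """Constructed sample data (not captured from a real host): a rules
    directory with one benign rule and one hypothetical RUN rule that fires
    when a tty device is added, plus a fake /proc holding a real-looking
    kdevtmpfs kernel thread next to a user process wearing its name."""
    root = Path(root)
    rules = root / "rules.d"
    rules.mkdir()
    (rules / "70-persistent-net.rules").write_text(
        'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"\n')
    (rules / "99-local.rules").write_text(
        "# hypothetical persistence rule, shape only; the path is made up\n"
        'ACTION=="add", SUBSYSTEM=="tty", RUN+="/usr/local/lib/example_persist run"\n'
        'KERNEL=="sd*", RUN{builtin}+="blkid"\n')
    proc = root / "proc"
    _fake_proc_entry(proc / "15", "kdevtmpfs", ppid=2, cmdline="")  # genuine kernel thread
    _fake_proc_entry(proc / "4242", "kdevtmpfs", ppid=1, cmdline="/tmp/example_bin\0",
                     exe="/tmp/example_bin")  # impostor: has a parent, argv and an exe
    _fake_proc_entry(proc / "1", "systemd", ppid=0, cmdline="/sbin/init\0", exe="/sbin/init")
    return rules, proc


def run_demo():
    """Build the fixture in a temp dir and run both checks against it."""
    rules, proc = build_demo(tempfile.mkdtemp(prefix="udev_audit_"))
    return {"exec_rules": find_exec_rules(rules), "impostors": find_kthread_impostors(proc)}


if __name__ == "__main__":
    for section, rows in run_demo().items():
        print(section)
        for row in rows:
            print("  ", row)
```

On a live host, point `find_exec_rules` at /etc/udev/rules.d and /run/udev/rules.d and `find_kthread_impostors` at the real /proc. Both checks are heuristics: a legitimate admin rule will show up in the first list, and a process name match is only the starting point for pulling the binary and inspecting it.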
Stroz Friedberg believes this piece of malware has been in use since at least 2022, and found samples of it uploaded to several online sandboxes, where no antivirus engine flagged it as malicious. The researchers believe the malware was used to hide a credit card skimmer.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.