Security researchers have discovered a new stealthy Linux malware, tracked as sedexp, that uses a unique approach to maintain persistence on compromised systems and to conceal credit card skimming code.
Malicious actors continually adapt and refine their tactics, often employing novel methods to avoid detection, so the appearance of such techniques is unsurprising as threats evolve.
The malware includes features that let it establish a reverse shell for remote access to the infected system and modify memory so that any file whose name contains the string “sedexp” is hidden from commands such as ls or find.
The Malware Uses udev Rules to Ensure Persistence.
udev, which replaced the older device file system (devfs), provides a way to identify devices by their attributes and to set rules that trigger actions when a device’s state changes, for example when a device is inserted or removed.
Each entry in a udev rules file contains at least one key-value pair; keys match devices by name or attribute, and assignment keys specify the actions to take in response to the matching device event.
SUSE Linux documentation explains: “A rule can specify the device node name, create symbolic links pointing to the node, or execute a designated program as part of the event handling. If no rule matches, the default device node name is used.”
For the sedexp malware, the udev rule ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+" ensures that the malware is executed whenever an “add” event fires for /dev/random (character device major number 1, minor number 8), which usually happens during each reboot.
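The persistence mechanism above can be audited from the defender's side by tokenising each udev rule into key/operator/value triples and flagging any rule that executes a program, especially one keyed to /dev/random or naming a program without an absolute path (udev resolves such names under /usr/lib/udev). The following Python script is an added example written for this page, not code from the article or from the researchers who analysed sedexp; the rule directories follow udev(7), and the sample rules text and the file name usb-audit.sh are constructed, with the sedexp rule itself taken from the article.

```python
"""Audit udev rules for RUN+= actions that execute programs on device events.

Added example (not from the article): a high-level tokeniser for udev rule
lines plus checks for the pattern sedexp used for persistence.
"""
import re
from pathlib import Path

# udev rule directories as documented in udev(7).
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/lib/udev/rules.d")

# One key/operator/value token, e.g. ACTION=="add" or RUN+="/path/prog".
# Keys may carry an attribute in braces, e.g. ENV{MAJOR} or ATTR{idVendor}.
TOKEN_RE = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')


def parse_rule(line):
    """Tokenise one udev rule line into (key, operator, value) triples."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return [m.groups() for m in TOKEN_RE.finditer(line)]


def audit_rule(line):
    """Return a list of findings for one rule line; empty when no program is run."""
    tokens = parse_rule(line)
    programs = [v for k, _, v in tokens if k.split("{")[0] == "RUN"]
    if not programs:
        return []
    matches = {k: v for k, op, v in tokens if op == "=="}
    major = matches.get("ENV{MAJOR}", matches.get("MAJOR"))
    minor = matches.get("ENV{MINOR}", matches.get("MINOR"))
    findings = []
    for prog in programs:
        findings.append(f"runs program on device event: {prog}")
        name = prog.split()[0]
        # udev(7): a program name without a slash is looked up under /usr/lib/udev.
        if "/" not in name:
            findings.append(f"program has no absolute path (resolved under /usr/lib/udev): {name}")
    if major == "1" and minor == "8":
        findings.append("keyed on /dev/random (char major 1, minor 8): fires on every boot")
    return findings


def audit_text(text):
    """Audit rule text; returns {line_number: [findings]} for lines that run programs."""
    report = {}
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):  # udev line continuation
            buf += raw.rstrip()[:-1]
            continue
        findings = audit_rule(buf + raw)
        if findings:
            report[start] = findings
        buf, start = "", None
    return report


def audit_system(dirs=RULE_DIRS):
    """Walk the live udev rule directories; returns {path: {line: findings}}."""
    report = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for path in sorted(base.glob("*.rules")):
            try:
                found = audit_text(path.read_text(errors="replace"))
            except OSError:
                continue
            if found:
                report[str(path)] = found
    return report


# Constructed sample rules text; line 4 is the sedexp rule quoted in the article.
SAMPLE_RULES = """\
# constructed sample: a typical distribution rule (no program executed)
SUBSYSTEM=="usb", ATTR{idVendor}=="1d6b", MODE="0664", GROUP="plugdev"
# the sedexp persistence rule as quoted in the article
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
# constructed sample: a legitimate RUN hook with an absolute path
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/local/sbin/usb-audit.sh"
"""

if __name__ == "__main__":
    for lineno, findings in sorted(audit_text(SAMPLE_RULES).items()):
        print(f"sample line {lineno}: " + "; ".join(findings))
    for path, lines in audit_system().items():
        for lineno, findings in sorted(lines.items()):
            print(f"{path}:{lineno}: " + "; ".join(findings))
```

Every RUN+= rule is reported, because legitimate distribution rules also execute helpers; the value of the audit is in the extra findings, which single out the combination that matters here: a program with no absolute path tied to a device that is always present at boot.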