Sedexp Malware Has Hidden in Linux Systems for 2 Years

A Linux malware strain named sedexp, discovered by Aon, has been active since 2022 and uses an unusual technique to stay undetected. It gives attackers remote control of infected hosts, from which further attacks are carried out.

What sets sedexp apart is its use of udev rules for persistence on infected systems. udev is the Linux device manager: it runs configured actions when devices are added, removed or otherwise change state. The malware installs its own rule:

ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"

The rule fires whenever a device is added and matches only the device with major number 1 and minor number 8, which is /dev/random. Since that device is created at every boot, the malware is relaunched on each system startup. sedexp also renames its process to kdevtmpfs, the name of a legitimate kernel thread, which makes it harder to spot in a process listing.
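As an added illustration for defenders (not code from Aon's report), the following Python script scans udev rule files for RUN+= entries that are keyed on /dev/random's major and minor numbers, or that launch a bare program name instead of an absolute path. The sample rules are constructed, and the directories scanned are the standard udev rule locations.

```python
import re
from pathlib import Path

# Constructed sample udev rules (not from a real system): a distro-style helper rule
# and a lookalike of the sedexp persistence rule quoted above.
SAMPLE_RULES = """
ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*", RUN+="/usr/lib/udev/ifup"
# fires when /dev/random (major 1, minor 8) is added, i.e. at every boot
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

# RUN+="prog args" or RUN{builtin}+="..."; group 1 = run type, group 2 = program
RUN_RE = re.compile(r'RUN(?:\{([^}]*)\})?\+=\s*"([^"]*)"')
KEY_RE = re.compile(r'(ACTION|ENV\{[A-Z_]+\}|KERNEL|SUBSYSTEM)=="([^"]*)"')

def is_suspicious(line):
    """True if the rule launches a program when the device with major 1 / minor 8
    (/dev/random) is added, or launches a bare program name (neither an absolute
    path nor a udev builtin), which obscures where the executable lives."""
    keys = dict(KEY_RE.findall(line))
    runs = RUN_RE.findall(line)
    if not runs:
        return False
    keyed_on_random = keys.get("ENV{MAJOR}") == "1" and keys.get("ENV{MINOR}") == "8"
    bare_program = any(kind != "builtin" and prog.strip() and not prog.lstrip().startswith("/")
                       for kind, prog in runs)
    return keyed_on_random or bare_program

def scan_rules(text):
    """Return the suspicious, non-comment rule lines in udev rules text."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and is_suspicious(ln)]

def scan_system(dirs=("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/lib/udev/rules.d")):
    """Scan the standard udev rule directories of a live host; returns {file: [rules]}."""
    findings = {}
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for f in sorted(p.glob("*.rules")):
            hits = scan_rules(f.read_text(errors="replace"))
            if hits:
                findings[str(f)] = hits
    return findings

if __name__ == "__main__":
    for hit in scan_rules(SAMPLE_RULES):
        print("suspicious udev rule:", hit)
```

Any hit is a lead to review, not proof of compromise: confirm what the RUN+= program is and where it resides before acting.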

The malware can open a reverse shell, giving the operators remote control of the infected host. It uses memory-manipulation techniques to hide files from standard commands such as ls and find, and can modify process memory to inject code or change an application's behavior. In the cases investigated, these techniques were used to hide web shells, modified Apache configuration files, and the udev rule itself.

Reports indicate that the malware has been active since at least 2022 and has been found in a number of real-world intrusions, yet only two antivirus engines on the VirusTotal platform detect it. sedexp has been linked to the theft of credit card data from compromised web servers, pointing to financially motivated payment-card fraud. Its discovery shows how sophisticated financially motivated attackers have become, moving well beyond conventional theft techniques.
