Experts warn that a new piece of Linux malware that allows administrators to remotely access the compromised device has been hiding in plain sight for more than two years.
Stroz Friedberg, which discovered the malware and published an extensive explainer, said the malware is called “sedexp” and has eluded detection since 2022.
Giving the attackers remote access to the compromised endpoint matters, but it is not what makes this malware notable. What stands out is how it managed to remain hidden for over two years and escape detection by most antivirus solutions.
Udev rules abused
According to the report, sedexp went undetected due to the use of udev rules.
“At the time of writing this paper, the persistence technique used (udev rules) had not yet been documented by MITRE ATT&CK,” the researchers note.
Udev is a device manager for the Linux kernel, responsible for managing device nodes in the /dev directory. It dynamically creates and removes device nodes based on the devices attached to the system, such as USB drives, printers, and network interfaces. It also ensures that each node has the correct driver loaded into memory.
Udev rules, on the other hand, are text configuration files that tell the device manager how to handle particular devices and events. To get itself executed and stay stealthy, the malware adds a specific rule to udev, the researchers explained. Finally, the malware names its process “kdevtmpfs,” the same name as a legitimate kernel thread, making detection even harder.
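As an added illustration of the defensive angle (this is example code, not from Stroz Friedberg's report or the sedexp sample): the Python below parses udev rule lines, flags RUN/PROGRAM entries that launch something outside the distribution's udev helper directories, and checks that any process named kdevtmpfs is a genuine kernel thread (empty cmdline, no readable exe link). The rule text and process records are constructed samples, and the helper directory list is an assumption to tune per distribution.

```python
import re

# One key/operator/value token of a udev rule, e.g. ACTION=="add" or RUN+="/path %k".
_TOKEN = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|:=|-=|=)\s*"((?:[^"\\]|\\.)*)"')

# Where distribution-shipped udev helpers normally live (assumption; adjust per distro).
HELPER_DIRS = ("/lib/udev/", "/usr/lib/udev/", "/usr/lib/systemd/")


def parse_rule(line):
    """Return [(key, attr, op, value), ...] for one rule line; [] for comments and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return _TOKEN.findall(line)


def audit_udev_rules(text):
    """Flag RUN/PROGRAM assignments whose program is not a known helper."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for key, _attr, _op, value in parse_rule(line):
            if key not in ("RUN", "PROGRAM"):
                continue
            program = value.split(None, 1)[0] if value.strip() else ""
            if not program.startswith(HELPER_DIRS):
                findings.append({"line": lineno, "program": program, "rule": line.strip()})
    return findings


def suspicious_kdevtmpfs(procs):
    """The real kdevtmpfs is a kernel thread: empty cmdline and no exe link.
    procs: list of {pid, comm, cmdline, exe} dicts as one would collect from /proc."""
    return [p["pid"] for p in procs if p["comm"] == "kdevtmpfs" and (p["cmdline"] or p["exe"])]


# Constructed sample rules (not the malware's actual rule text).
SAMPLE_RULES = """\
# benign: helper shipped by the distribution
ACTION=="add", SUBSYSTEM=="usb", RUN+="/lib/udev/usb_helper %k"
# suspicious: shell launched from a writable directory on a device event
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '/var/tmp/.update &'"
KERNEL=="sda*", SYMLINK+="disk0"
"""

# Constructed process records: a genuine kernel thread and an impostor with a userland exe.
SAMPLE_PROCS = [
    {"pid": 20, "comm": "kdevtmpfs", "cmdline": "", "exe": None},
    {"pid": 4242, "comm": "kdevtmpfs", "cmdline": "kdevtmpfs", "exe": "/var/tmp/.update"},
]

if __name__ == "__main__":
    for f in audit_udev_rules(SAMPLE_RULES):
        print(f"line {f['line']}: runs {f['program']} -> {f['rule']}")
    print("impostor kdevtmpfs pids:", suspicious_kdevtmpfs(SAMPLE_PROCS))
```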
Stroz Friedberg believes this piece of malware has been in use since at least 2022, and found it in numerous online sandboxes, none of which triggered an antivirus program. The researchers believe the malware was used to hide a credit card skimmer.
Via BleepingComputer