Cybersecurity researchers have discovered a new Linux malware that uses a unique technique to hide credit card skimmer code and maintain persistence on compromised systems.
Known as sedexp, the malware is linked to a financially motivated threat actor and has been active since 2022, according to Aon’s Stroz Friedberg incident response services team.
According to researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto, the malware uses advanced tactics to provide attackers with reverse shell capabilities and evade detection.
Malicious actors are constantly improving their techniques, and sedexp stands out for its use of udev rules to ensure persistence. Udev is the Linux device manager: it identifies devices by their properties and runs configured actions (udev rules) in response to device state changes, such as a device being added at boot.
The udev rule for sedexp is set up to run the malware on system restarts, ensuring that it remains active on the infected system. This allows the malware to launch a reverse shell for remote access and conceal its presence on the compromised host.
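Because udev rules are rarely reviewed, a defender's first check on a suspected host is to audit the RUN assignments in every rules file. The script below is an added example, not Stroz Friedberg's tooling or the sedexp rule itself; the sample rules it parses are constructed for illustration, and the "suspicious" heuristics (shell interpreters, programs under writable paths) are assumptions an analyst would tune for their own fleet.

```python
import re
import shlex
from pathlib import Path

# Directories udev reads rules from (later directories override earlier ones).
RULE_DIRS = ("/lib/udev/rules.d", "/run/udev/rules.d", "/etc/udev/rules.d")
# Legitimate rules rarely run programs from writable or user-owned paths.
SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")
SHELLS = {"sh", "bash", "dash", "zsh", "nohup", "setsid"}  # interpreters/detachers
RUN_RE = re.compile(r'RUN(?:\{[a-z]+\})?\s*\+?=\s*"([^"]*)"')  # RUN+="..." forms

# Constructed sample rules file (not the real sedexp rule): one benign vendor
# hook and one persistence-style hook that spawns a shell on a /dev/shm program.
SAMPLE_RULES = """\
# constructed: benign vendor hook
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", RUN+="/usr/bin/vendor-helper --attach"
# constructed: persistence-style hook
ACTION=="add", SUBSYSTEM=="mem", RUN+="/bin/sh -c '/dev/shm/.cache/helper &'"
"""

def find_run_commands(rule_text):
    """Yield (line_no, command) for each RUN assignment in a rules file body."""
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no actions
        for match in RUN_RE.finditer(stripped):
            yield lineno, match.group(1)

def is_suspicious(command):
    """True if the command spawns a shell or references a writable/unusual path."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return True  # an unparseable command deserves a look
    if argv and Path(argv[0]).name in SHELLS:
        return True
    return any(tok.startswith(p) for tok in argv for p in SUSPICIOUS_PREFIXES)

def audit_rules(rule_text):
    """Return [(line_no, command)] entries that merit analyst review."""
    return [(n, c) for n, c in find_run_commands(rule_text) if is_suspicious(c)]

def audit_system(dirs=RULE_DIRS):
    """Audit every *.rules file present under the standard udev directories."""
    return {str(f): audit_rules(f.read_text(errors="replace"))
            for d in dirs for f in sorted(Path(d).glob("*.rules"))}

if __name__ == "__main__":
    print(audit_rules(SAMPLE_RULES), audit_system(), sep="\n")
```

Run as root on the suspected host; any hit should be compared against the package that owns the rules file, since a rule no package claims is the finding worth pursuing.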
In instances investigated by Stroz Friedberg, sedexp was used to hide web shells, altered Apache configuration files, and credit card scraping code on a web server, indicating a focus on financial gain by the threat actors.
The discovery of sedexp showcases the evolving sophistication of financially motivated threat actors beyond traditional ransomware attacks.