Unveiling sedexp: A Stealthy Linux Malware Exploiting udev Rules
Stroz Friedberg has identified a sophisticated Linux malware, named "sedexp," that exploits udev rules to maintain persistence and evade detection. Active since at least 2022, sedexp remains undetected in many online sandboxes. It uses udev rules to execute malicious scripts whenever specific device events occur, particularly targeting the /dev/random device. This malware provides attackers with reverse shell capabilities and uses memory manipulation to conceal its presence, including hiding files and altering process names. The malware is financially motivated, evidenced by its use in credit card scraping operations. Organizations are advised to enhance their detection capabilities and engage in comprehensive forensic analysis to mitigate such threats.
The sedexp malware begins its attack by exploiting udev rules to maintain persistence on a Linux system. This allows the malware to execute malicious scripts whenever specific device events occur, such as when the /dev/random device is loaded. BlueRock's Container Drift Protection (Binaries & Scripts) can mitigate this by preventing unauthorized executables and scripts from running, ensuring that only binaries present in the original container image are executed. The malware also provides reverse shell capabilities, allowing attackers to maintain control over the compromised system. BlueRock's Reverse Shell Protection effectively counters this by blocking unauthorized attempts to bind shell input and output streams to network sockets, thus preventing reverse shell attacks. Additionally, the malware's potential to escape from a containerized environment is mitigated by BlueRock's Container Capability Control, which restricts container capabilities to prevent actions that could lead to container escapes, such as mounting the host filesystem or executing privileged commands. These mechanisms collectively enhance the security posture against the sophisticated tactics employed by sedexp.
- T1547.010: Boot or Logon Autostart Execution: Port Monitors: The initial compromise is not described; the article only implies that the malware reached the system by some unspecified means. The first clearly documented technique is therefore persistence through udev rules. 'Sedexp utilizes udev rules to maintain persistence.'
- T1053.005: Scheduled Task/Job: Scheduled Task: The udev rule ensures that the malware is run whenever /dev/random is loaded, which happens on every system reboot. 'This rule ensures that the malware is run whenever /dev/random is loaded. /dev/random is a special file that serves as a random number generator, used by various system processes and applications to obtain entropy for cryptographic operations, secure communications, and other functions requiring randomness.'
- T1219: Remote Access Software: The malware includes a reverse shell capability, allowing the attacker to maintain control over the compromised system. 'Reverse Shell Capability: It includes a reverse shell, allowing the threat actor to maintain control over the compromised system.'
- T1564.001: Hide Artifacts: Hidden Files and Directories: The malware modifies memory to hide any file containing the string 'sedexp' from commands like ls or find. 'Memory Modification for Stealth: The malware modifies memory to hide any file containing the string "sedexp" from commands like ls or find.'
- T1036.004: Masquerading: Masquerade Task or Service: The malware manipulates arguments to obfuscate its presence and changes the process name to blend in with legitimate system processes. 'Memory Allocation and Argument Handling: The malware manipulates arguments to obfuscate its presence. It changes the process name to kdevtmpfs using prctl to blend in with legitimate system processes.'
- T1547.010: Boot or Logon Autostart Execution: Port Monitors: The malware sets up persistence by copying itself to a specific location and creating a udev rule. 'Persistence Setup: The malware sets up persistence by copying itself to a specific location and creating a udev rule.'
- T1110.001: Brute Force: Password Guessing: The malware was used to hide credit card scraping code on a webserver, indicating a focus on financial gain. 'Credit Card Scraping: The malware was used to hide credit card scraping code on a webserver, indicating a focus on financial gain.'
- T1611: Escape to Host: The malware could theoretically be used to escape outside of a containerized workload.
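The udev persistence mapped above (the rule that fires when /dev/random is loaded, and the rule the malware writes when it copies itself into place) can be audited on a host with the script below. It is an added example for this page, not code from Stroz Friedberg, BlueRock or the malware. The rule lines in SAMPLE_RULES are constructed, the trusted and suspect path lists are assumptions to tune per distribution, and the ENV{MAJOR}/ENV{MINOR} 1:8 check goes beyond the page by also catching the device-number form of the same /dev/random match.

```python
"""Audit udev rule files for RUN/PROGRAM hooks of the kind sedexp uses for persistence.

Added example; not code from the article's authors, BlueRock or the malware. The /dev/random
trigger is taken from the page; the 1:8 device-number check and the path heuristics are
assumptions added here.
"""
import os
import re
from dataclasses import dataclass

# One key/operator/value token, e.g. KERNEL=="random", ENV{MAJOR}=="1", RUN+="/path arg".
TOKEN_RE = re.compile(
    r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"'
)
# Where a packaged udev helper normally lives (constructed allow-list, tune per distribution).
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/",
                    "/usr/sbin/", "/sbin/", "/etc/udev/")
# Locations from which a legitimate rule has no reason to execute anything (assumption).
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/var/www/")
# Keys whose assignment launches an external program; RUN{builtin} is excluded on purpose.
PROGRAM_KEYS = ("RUN", "RUN{program}", "PROGRAM")
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/local/lib/udev/rules.d",
             "/usr/lib/udev/rules.d", "/lib/udev/rules.d")


@dataclass
class Finding:
    file: str
    line_no: int
    severity: str
    reason: str
    rule: str


def parse_rule(line):
    """Split one rule line into (key, op, value) triples; [] for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    return TOKEN_RE.findall(stripped)


def assess_rule(tokens):
    """Return (severity, reason) for a parsed rule, or None if it launches nothing notable."""
    matches = {k: v for k, op, v in tokens if op == "=="}
    programs = [v for k, op, v in tokens if k in PROGRAM_KEYS and op in ("+=", "=", ":=")]
    if not programs:
        return None
    # Trigger on the random device: the event the page reports sedexp hooks.
    # Char device 1:8 is /dev/random, so a MAJOR/MINOR match is the same trigger.
    if matches.get("KERNEL") == "random" or (
        matches.get("ENV{MAJOR}") == "1" and matches.get("ENV{MINOR}") == "8"
    ):
        return ("high", "RUN/PROGRAM attached to /dev/random device events")
    for cmd in programs:
        parts = cmd.split()
        exe = parts[0] if parts else ""
        if not exe:
            continue
        if exe.startswith(SUSPECT_PREFIXES):
            return ("high", f"RUN executes from an untrusted location: {exe}")
        if not exe.startswith("/"):
            # udev resolves a relative program name under /usr/lib/udev; worth a look.
            return ("medium", f"RUN uses a relative program name: {exe}")
        if not exe.startswith(TRUSTED_PREFIXES):
            return ("medium", f"RUN executes from a non-standard path: {exe}")
    return None


def audit_rules_text(text, filename="<inline>"):
    """Audit the contents of one .rules file given as a string."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = parse_rule(line)
        verdict = assess_rule(tokens) if tokens else None
        if verdict:
            findings.append(Finding(filename, n, verdict[0], verdict[1], line.strip()))
    return findings


def audit_rules_dirs(dirs=RULE_DIRS):
    """Read-only walk of the host's udev rule directories, auditing every .rules file."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if not name.endswith(".rules") or not os.path.isfile(path):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_rules_text(fh.read(), path))
            except OSError:
                continue
    return findings


# Constructed sample: none of these lines is taken from the malware or from a distribution.
SAMPLE_RULES = """\
# packaged-looking rule, runs a helper from the trusted udev directory
SUBSYSTEM=="block", ACTION=="add", RUN+="/usr/lib/udev/hdparm"
# hook on the random device, executing from a temp directory
KERNEL=="random", ACTION=="add", RUN+="/tmp/.cache/helper run"
# same trigger expressed through device numbers (1:8 is /dev/random)
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="helper run"
# builtin command, not an external program
KERNEL=="sd*", RUN{builtin}+="blkid"
"""

if __name__ == "__main__":
    for f in audit_rules_text(SAMPLE_RULES, "sample.rules") + audit_rules_dirs():
        print(f"{f.severity:<6} {f.file}:{f.line_no}  {f.reason}")
        print(f"       {f.rule}")
```

Run as root so every rule directory is readable, and cross-check each finding against package ownership (dpkg -S or rpm -qf on the rule file and on the program it runs). Since the page reports that sedexp hides any file whose name contains "sedexp" from ls and find, a flagged rule whose program path does not show up in a directory listing should be treated as a live lead rather than a stale rule; confirm it from a forensic image or from a statically linked tool copied onto the host.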