

Stealthy 'sedexp' #Linux #malware evaded #detection for two years


source: https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware-evaded-detection-for-two-years/

Regarding its operational capabilities, the malware uses either forkpty or pipes and a forked new process to set up a reverse shell for the attacker to remotely access the infected device.

#Sedexp also employs memory #manipulation techniques to hide any file containing the string "sedexp" from standard commands like 'ls' or 'find,' concealing its presence on the system.


#software #news #security #cybersecurity #research #problem #cybercrime

in reply to anonymiss

The malware names its process 'kdevtmpfs', which mimics a legitimate system process, further blending in with normal activities and making it harder to detect using conventional methods.


Meaning, this:
ps aux | grep kdevtmpfs | awk '{print $2}' | xargs kill -9
would be bad advice.

in reply to anonymiss

It's not kdevtmpfs but kdevtmpfsi
ps aux | grep kdevtmpfsi | awk '{print $2}' | xargs kill -9
in reply to anonymiss

:# ps aux | grep kdevtmpfs
root          69  0.0  0.0      0     0 ?        S    09:09   0:00 [kdevtmpfs]
root       26657  0.0  0.0   3348  1816 pts/8    S+   19:11   0:00 grep kdevtmpfs
in reply to anonymiss

I find this report "disturbing", to say the least, as it doesn't offer some simple console line/command and how-to to search for this intruder.
in reply to anonymiss

Removing the udev rule and regular scans for kdevtmpfs might help, I'd say.

for file in /etc/udev/rules.d/* /lib/udev/rules.d/*; do grep -H asedexpb "$file"; done

There will be no output on a system not infected.

Since the system process has been started early, its pid will be small, so any other process by the same name will be identifiable.

ps aux | grep kdevtmpfs | grep -v grep | awk '{print $2}'

This will yield one process id on a clean system, and more than one on an infected one. You can then either kill the process manually or add | xargs kill -9 to the above line.
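The two checks above, written out as an added example (this is not code from the article, from Aon's report, or from anyone in this thread). It takes the thread's own marker string "asedexpb" as the thing to grep for; the sample rule line and the sample /proc tree are constructed for the demonstration, and the real rule's text is not given on the page. Two changes from the one-liners above: missing or empty rule directories no longer produce "No such file or directory" errors, and instead of counting kdevtmpfs processes it checks whether each one is really a kernel thread (the genuine kdevtmpfs has an empty /proc/PID/cmdline and an /proc/PID/exe link that does not resolve; a userland process named kdevtmpfs has both). Two caveats: inside a container /proc usually does not show the host's kernel threads at all, and since the article says the malware hides file names containing "sedexp" from ls and find, a shell glob over a directory could miss a rule file with such a name, so reading a suspicious path directly is the safer follow-up.

```shell
#!/bin/sh
# Added example, not the page's or the malware report's own code.
# Paths, the sample rule text and the sample process tree are constructed.

# 1. udev rule check: print every file under the given directories whose
#    content contains "asedexpb" (the marker used in this thread). Missing
#    directories and empty globs are skipped instead of raising grep errors.
find_sedexp_rules() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            grep -q 'asedexpb' "$f" 2>/dev/null && printf '%s\n' "$f"
        done
    done
    return 0
}

# 2. process check: walk a /proc-like tree and print the PID of every process
#    whose comm is "kdevtmpfs" but which is not a kernel thread. The genuine
#    kdevtmpfs is a kernel thread: its cmdline is empty and its exe link does
#    not resolve. A userland impostor has a real binary and a command line.
suspicious_kdevtmpfs() {
    proc="${1:-/proc}"
    for d in "$proc"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        [ "$(cat "$d/comm")" = "kdevtmpfs" ] || continue
        if [ -e "$d/exe" ] || [ -s "$d/cmdline" ]; then
            printf '%s\n' "${d##*/}"
        fi
    done
    return 0
}

# Constructed sample tree so both checks can be exercised offline, on a system
# that is neither infected nor even necessarily running udev. Prints the root.
build_sample() {
    root="$(mktemp -d)"
    mkdir -p "$root/etc/udev/rules.d" "$root/lib/udev/rules.d" \
             "$root/proc/69" "$root/proc/4321" "$root/bin"
    # an ordinary rule that must not match
    printf 'ACTION=="add", SUBSYSTEM=="net", RUN+="/usr/bin/true"\n' \
        > "$root/lib/udev/rules.d/10-clean.rules"
    # constructed rule carrying the marker string (not the real sedexp rule)
    printf 'ACTION=="add", RUN+="asedexpb run:+"\n' \
        > "$root/etc/udev/rules.d/99-sample.rules"
    # genuine kernel thread: empty cmdline, dangling exe link
    printf 'kdevtmpfs\n' > "$root/proc/69/comm"
    : > "$root/proc/69/cmdline"
    ln -s /nonexistent "$root/proc/69/exe"
    # impostor: same comm, but a real executable and a non-empty cmdline
    : > "$root/bin/impostor"
    printf 'kdevtmpfs\n' > "$root/proc/4321/comm"
    printf 'kdevtmpfs' > "$root/proc/4321/cmdline"
    ln -s "$root/bin/impostor" "$root/proc/4321/exe"
    printf '%s\n' "$root"
}

# Demo run against the constructed tree. On a real host, call the two
# functions with /etc/udev/rules.d /lib/udev/rules.d and /proc instead.
sample="$(build_sample)"
echo "rule files containing asedexpb:"
find_sedexp_rules "$sample/etc/udev/rules.d" "$sample/lib/udev/rules.d"
echo "kdevtmpfs processes that are not kernel threads:"
suspicious_kdevtmpfs "$sample/proc"
rm -rf "$sample"
```

On a live system the second function is the one to trust over a PID count: an impostor can coexist with the real kernel thread, and the kernel thread's low PID is a hint, not a rule. Feed any PID it prints to `ls -l /proc/PID/exe` and `cat /proc/PID/cmdline` before killing it.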
in reply to anonymiss

$ for file in /etc/udev/rules.d/* /lib/udev/rules.d/*; do grep -H asedexpb $file; done
grep: /etc/udev/rules.d/*: No such file or directory

because /etc/udev/rules.d/ is empty

$ ps aux | grep kdevtmpfs | grep -v grep | awk '{print $2}'
37
in reply to anonymiss

@utopiArte The small pid in the example @David gave indicates a system process.