Newly discovered Linux malware "sedexp" has abused udev rules (the mechanism that replaced the Device File System for identifying devices by their properties and reacting to device state changes) to persist and conceal credit card skimmer code since 2022, according to The Hacker News.
sedexp can deploy a remote shell that gives attackers access to infected devices and can modify memory. Threat actors have used it to hide modified Apache configuration files, web shells, and the udev rule itself, according to a report from Aon's Stroz Friedberg incident response services team. SUSE Linux documents that a udev rule can name a device node, add symbolic links pointing to that node, and execute a specified program when the matching device event fires. "The malware was used to hide credit card scraping code on a web server, indicating a focus on financial gain. The discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware," said researchers.
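A defender-side check for the udev persistence mechanism described above, added here as an example and not code from the report, the malware, or the vendors named: it parses udev rule files and flags RUN/PROGRAM assignments that launch programs in ways distribution-packaged rules normally do not. The sample rules, the trusted and writable path lists, and the heuristics are constructed assumptions, not indicators from the page.

```python
import re
from pathlib import Path

# Constructed sample rules for demonstration; they are not from the report or from the malware.
SAMPLE_RULES = """\
# Benign: name a device node and add a symlink pointing to it
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", SYMLINK+="ttyFTDI"
# Suspicious: shell wrapper backgrounding a program from a world-writable directory
ACTION=="add", RUN+="/bin/sh -c 'nohup /tmp/.cache/agent &'"
# Benign: a packaged helper shipped under /usr/lib/udev
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/lib/udev/usb-helper"
"""

# Assumed baseline: where distribution-packaged rules normally run programs from
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
SHELL_WRAPPER = re.compile(r"^(?:/usr)?/bin/(?:sh|bash|dash)\s+-c\b")
RUN_RE = re.compile(r'(?:RUN|PROGRAM)(?:\{[^}]*\})?\s*\+?=\s*"([^"]*)"')

def audit_rules(text):
    """Return (line_number, command, reasons) for each RUN/PROGRAM assignment that looks off."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for cmd in RUN_RE.findall(stripped):
            exe = cmd.split()[0] if cmd.split() else ""
            reasons = []
            if not exe.startswith(TRUSTED_PREFIXES):
                reasons.append("program outside packaged udev/system paths")
            if SHELL_WRAPPER.match(cmd):
                reasons.append("shell wrapper launching a command from a one-shot device event")
            if any(d in cmd for d in WRITABLE_DIRS):
                reasons.append("references a world-writable or user-owned directory")
            if "nohup" in cmd or "&" in cmd:
                reasons.append("backgrounds a process (RUN programs are expected to exit quickly)")
            if reasons:
                findings.append((lineno, cmd, reasons))
    return findings

def audit_rule_dirs(dirs=("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/lib/udev/rules.d")):
    """Scan the host's rule directories; an unpackaged rule usually lands in /etc/udev/rules.d."""
    results = {}
    for d in dirs:
        if Path(d).is_dir():
            for path in sorted(Path(d).glob("*.rules")):
                hits = audit_rules(path.read_text(errors="replace"))
                if hits:
                    results[str(path)] = hits
    return results
```

`audit_rules(SAMPLE_RULES)` reports only the fourth sample line, with three reasons; `audit_rule_dirs()` runs the same check over a live host and returns findings keyed by rule file path.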