"This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics," researchers Zachary Reichert, Daniel Stein, and Joshua Pivirotto said.
The udev rule for sedexp (ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+") is written so that the malware runs whenever the /dev/random device node (character device major 1, minor 8) is added, which typically happens on every reboot.
It's not surprising that malicious actors are constantly improvising and refining their tradecraft, and have turned to novel techniques to evade detection, indicating a persistent evolution in the cybersecurity landscape.
A matching rule may specify the name of the device node, add symbolic links pointing to the node, or run a specified program as part of the event handling, showing the versatility of udev rules in system management.
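The rule described above is a plain udev match list: every clause is KEY, optional {attribute}, an operator, and a quoted value. A defender can therefore audit rule files mechanically. The following script is an added example, not code from the researchers or from the article: it tokenises udev rule lines with a small regex, then flags any rule that runs a program (RUN or PROGRAM) from outside udev's usual helper directories, and separately flags the exact sedexp pattern (run a program on every add of char 1:8). The sample rule lines are constructed, and the trusted-directory list is an assumption to adjust per distribution.

```python
import re
from typing import Dict, List, NamedTuple

# One udev clause: KEY, optional {attr} (e.g. ENV{MAJOR}), an operator, a quoted value.
TOKEN_RE = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*([=!+:-]?=)\s*"([^"]*)"')

# Assumed set of directories from which a RUN target is normally expected (adjust per distro).
TRUSTED_PREFIXES = ("/lib/udev/", "/usr/lib/udev/", "/bin/", "/usr/bin/",
                    "/sbin/", "/usr/sbin/")


class Token(NamedTuple):
    key: str    # e.g. "ACTION", "ENV", "RUN"
    attr: str   # e.g. "MAJOR" for ENV{MAJOR}; "" when no {attr} is present
    op: str     # "==", "!=", "=", "+=", ":=", "-="
    value: str


def parse_rule(line: str) -> List[Token]:
    """Tokenise one udev rule line into (key, attr, op, value) clauses."""
    return [Token(k, a or "", op, v) for k, a, op, v in TOKEN_RE.findall(line)]


def assess_rule(line: str) -> List[str]:
    """Return human-readable reasons a rule deserves review; empty list if none."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    toks = parse_rule(line)
    # Only rules that execute something are interesting for persistence review.
    runs = [t for t in toks if t.key in ("RUN", "PROGRAM") and t.op in ("+=", "=", ":=")]
    if not runs:
        return []

    reasons: List[str] = []
    env = {t.attr: t.value for t in toks if t.key == "ENV" and t.op == "=="}
    action = next((t.value for t in toks if t.key == "ACTION" and t.op == "=="), None)

    for r in runs:
        words = r.value.split()
        prog = words[0] if words else ""
        # A relative name is resolved by udev under its helper directory; an
        # absolute path outside the trusted list is equally worth a look.
        if not prog.startswith(TRUSTED_PREFIXES):
            reasons.append(f"RUN target outside trusted helper dirs: {prog!r}")

    # The sedexp trigger: execute on every 'add' of char major 1 / minor 8 (/dev/random).
    if action == "add" and env.get("MAJOR") == "1" and env.get("MINOR") == "8":
        reasons.append("runs a program on every add of char 1:8 (/dev/random); matches the sedexp trigger")
    return reasons


def scan_rules(text: str) -> Dict[str, List[str]]:
    """Map each flagged rule line to its reasons; unflagged lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        reasons = assess_rule(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Constructed sample rule file: two benign rules plus the trigger quoted in the article.
SAMPLE_RULES = """\
# constructed sample, not a real rules file
KERNEL=="sda", SYMLINK+="disk0"
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/lib/udev/usb-helper"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

if __name__ == "__main__":
    for rule, why in scan_rules(SAMPLE_RULES).items():
        print(rule)
        for w in why:
            print("   -", w)
```

Run it against the contents of /etc/udev/rules.d, /lib/udev/rules.d and /usr/lib/udev/rules.d on a host; the trusted-prefix check is intentionally loose and will surface legitimate distro rules that use relative helper names, so treat its output as a review queue rather than a verdict.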