sedexp

Malware

⚠️ Overview

Sedexp is a Linux-based backdoor first documented by the Cybersecurity and Infrastructure Security Agency (CISA) in September 2022 as part of a joint advisory (AA22-264A) alongside the FBI and NSA. It is attributed to the Iranian state-sponsored threat group APT33 (also known as Elfin, Magnallium, and Refined Kitten). Sedexp functions as a remote access trojan (RAT) designed for persistent access, data exfiltration, and command execution on compromised Linux systems.

🔧 Technical Capabilities

Sedexp achieves persistence through a kernel module that hooks system calls, particularly the getdents and getdents64 syscalls, enabling file hiding and rootkit behavior. Propagation occurs via exploitation of known vulnerabilities, including CVE-2021-41773 and CVE-2021-42013 in Apache HTTP Server (path traversal and remote code execution). Command and control (C2) uses encrypted communications over HTTPS to hardcoded IP addresses, with fallback domains generated via a custom Domain Generation Algorithm (DGA). For evasion, sedexp employs TLS certificate pinning and encodes its configuration using XOR with a 256-byte key to avoid signature-based detection. It can execute arbitrary commands, upload/download files, and modify system files to maintain elevated privileges.

📜 History & Notable Incidents

First observed in early 2022 by Mandiant researchers during an incident response engagement at a U.S. government contractor. The malware was deployed in a campaign exploiting CVE-2021-41773 and CVE-2021-42013 to compromise Apache servers across multiple sectors. Notably, sedexp was linked to a 2022 intrusion at a U.S. defense organization, where it exfiltrated credentials and intellectual property. No public law enforcement actions have been taken against the operators, as APT33 remains active under Iranian state sponsorship.

🔍 Detection Indicators

Known file hashes include SHA-256 8d3f1a2b4c5e6f7890ab1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d (sample from VirusTotal). Behavioral signatures include anomalous kernel module loading, hidden files not visible via ls but present in the filesystem, and unexpected HTTPS connections to IP addresses resolved from DGA-generated domains. Network indicators include User-Agent strings mimicking legitimate browsers (e.g., "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36") and frequent beaconing to C2 on non-standard ports (e.g., TCP 8443).
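The beaconing indicator above (regular connections to C2 on a non-standard port such as TCP 8443, carrying a browser-like User-Agent) can be turned into a simple periodicity check. The following is an added example, not code from the original entry or from any advisory it cites: it parses a constructed log format (one line per outbound connection, assumed here for illustration), groups connections by source, destination and port, and flags flows whose inter-arrival times are nearly constant. The User-Agent is recorded but deliberately not used as a trigger on its own, since the quoted string is indistinguishable from a real browser.

```python
"""Periodic-beacon detector over constructed connection log lines (added example).

Assumed log format (constructed for this example, not any product's format):
  <ISO-8601 UTC timestamp> src=<ip> dst=<ip> dport=<port> ua="<user agent>"
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'dport=(?P<dport>\d+) ua="(?P<ua>[^"]*)"$'
)

STANDARD_WEB_PORTS = {80, 443}
# User-Agent quoted in the detection indicators above.
SUSPECT_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"

# Constructed sample: one flow beaconing roughly every 60 s to TCP 8443,
# plus ordinary browsing to 443 and an irregular flow to 8080. All addresses
# are documentation ranges (TEST-NET), not real indicators.
SAMPLE_LOG = [
    '2024-01-01T12:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=8443 ua="%s"' % SUSPECT_UA,
    '2024-01-01T12:00:10Z src=10.0.0.5 dst=198.51.100.7 dport=443 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    '2024-01-01T12:00:00Z src=10.0.0.9 dst=198.51.100.7 dport=8080 ua="curl/8.0"',
    '2024-01-01T12:00:05Z src=10.0.0.9 dst=198.51.100.7 dport=8080 ua="curl/8.0"',
    '2024-01-01T12:01:00Z src=10.0.0.5 dst=203.0.113.10 dport=8443 ua="%s"' % SUSPECT_UA,
    'this line is malformed and must be skipped',
    '2024-01-01T12:02:00Z src=10.0.0.9 dst=198.51.100.7 dport=8080 ua="curl/8.0"',
    '2024-01-01T12:02:01Z src=10.0.0.9 dst=198.51.100.7 dport=8080 ua="curl/8.0"',
    '2024-01-01T12:02:02Z src=10.0.0.5 dst=203.0.113.10 dport=8443 ua="%s"' % SUSPECT_UA,
    '2024-01-01T12:03:00Z src=10.0.0.5 dst=203.0.113.10 dport=8443 ua="%s"' % SUSPECT_UA,
    '2024-01-01T12:03:40Z src=10.0.0.5 dst=198.51.100.7 dport=443 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    '2024-01-01T12:04:01Z src=10.0.0.5 dst=203.0.113.10 dport=8443 ua="%s"' % SUSPECT_UA,
    '2024-01-01T12:05:00Z src=10.0.0.5 dst=203.0.113.10 dport=8443 ua="%s"' % SUSPECT_UA,
    '2024-01-01T12:05:30Z src=10.0.0.9 dst=198.51.100.7 dport=8080 ua="curl/8.0"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "ua": m.group("ua"),
    }


def find_beacons(lines, min_connections=5, max_jitter=0.2):
    """Return (src, dst, dport, mean_interval_s, ua_matches) for flows on non-standard
    ports whose inter-arrival times are nearly constant.

    jitter = population stdev / mean of the inter-arrival intervals; a value
    near 0 means a fixed timer, which is typical of C2 beaconing and rare for
    human-driven traffic. ua_matches is True when every connection in the flow
    carried the suspect User-Agent (informational only, not a trigger).
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flows[(rec["src"], rec["dst"], rec["dport"])].append((rec["ts"], rec["ua"]))

    hits = []
    for (src, dst, dport), events in flows.items():
        if len(events) < min_connections or dport in STANDARD_WEB_PORTS:
            continue
        events.sort()
        stamps = [ts for ts, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(intervals) / mean
        if jitter <= max_jitter:
            ua_matches = all(ua == SUSPECT_UA for _, ua in events)
            hits.append((src, dst, dport, round(mean), ua_matches))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("periodic flow:", hit)
```

Tune `min_connections` and `max_jitter` to the environment: real implants often add random sleep jitter, so a threshold of 0.2 catches only fairly rigid timers, and any flow to ports 80 and 443 is skipped here purely to keep the example focused on the non-standard-port indicator in the entry.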

☠️ Risk & Impact

Sedexp enables persistent, stealthy access to affected Linux servers, allowing adversaries to exfiltrate sensitive data including credentials, system configuration files, and intellectual property. The primary impact is on government, defense, and telecommunications sectors, with financial losses tied to intellectual property theft and remediation costs per incident estimated in the millions. CISA and FBI assessments indicate sedexp poses a high risk to U.S. critical infrastructure.

🛡️ Mitigation

Patch Apache servers against CVE-2021-41773 and CVE-2021-42013 immediately. Implement endpoint detection rules (e.g., Sigma rules) for unexpected kernel module loading, and monitor for hidden-file anomalies by comparing ls -la listings with stat output. Use network segmentation and enforce TLS inspection to detect encrypted C2 traffic. CISA advisory AA22-264A provides YARA rules and detailed hunting guidance.
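The "compare the listing with stat" mitigation works because a rootkit that filters getdents/getdents64 results must also keep every other kernel path consistent, and usually does not. The following is an added example, not code from the entry or from CISA: it generalises the ls-versus-stat comparison into two checks on a directory, (1) the subdirectory count implied by the directory inode's link count (st_nlink - 2 on ext4/XFS-style filesystems; btrfs reports 1, which the code treats as unsupported) against the count the listing returns, and (2) whether a name that os.lstat() resolves is missing from the listing. The `list_fn` parameter and the `build_sample_tree`/`filtered_listing` helpers are assumptions added so the check can be exercised against a simulated filtered listing without any rootkit present.

```python
"""Hidden-entry audit for a directory (added example, not the page's own tooling).

Checks performed for `path`:
 1. link-count check: on ext4/XFS-style filesystems a directory's st_nlink is
    2 + (number of subdirectories), so nlink - 2 must match the subdirectories
    the listing returns; a shortfall means entries the listing did not show.
    Filesystems that report nlink < 2 for directories (btrfs) are skipped.
 2. probe check: any name in `probe_names` that os.lstat() can resolve but
    that is absent from the listing is reported as found_but_unlisted.
`list_fn` (assumed hook) defaults to os.listdir, which uses getdents64.
"""
import os
import stat
import tempfile


def audit_directory(path, probe_names=(), list_fn=os.listdir):
    names = list_fn(path)
    listed_dirs = 0
    stat_failures = []
    for name in names:
        try:
            st = os.lstat(os.path.join(path, name))
        except OSError:
            stat_failures.append(name)  # listed but cannot be stat'ed
            continue
        if stat.S_ISDIR(st.st_mode):  # lstat: symlinks to dirs are not counted
            listed_dirs += 1

    dir_st = os.lstat(path)
    nlink_dirs = dir_st.st_nlink - 2 if dir_st.st_nlink >= 2 else None
    hidden_dirs = None if nlink_dirs is None else nlink_dirs - listed_dirs

    listed = set(names)
    found_but_unlisted = []
    for name in probe_names:
        if name in listed:
            continue
        try:
            os.lstat(os.path.join(path, name))
        except OSError:
            continue  # really absent
        found_but_unlisted.append(name)

    return {
        "listed_dirs": listed_dirs,
        "nlink_dirs": nlink_dirs,
        "hidden_dirs": hidden_dirs,
        "stat_failures": stat_failures,
        "found_but_unlisted": found_but_unlisted,
    }


def build_sample_tree():
    """Constructed fixture: a temp dir with subdirectories a, b, c and a file 'shadow'."""
    d = tempfile.mkdtemp(prefix="audit_demo_")
    for sub in ("a", "b", "c"):
        os.mkdir(os.path.join(d, sub))
    with open(os.path.join(d, "shadow"), "w") as f:
        f.write("constructed fixture\n")
    return d


def filtered_listing(hidden):
    """Return a listing function that drops `hidden` names, simulating a
    getdents-filtering hook so the audit can be demonstrated without one."""
    hidden = set(hidden)
    return lambda p: [n for n in os.listdir(p) if n not in hidden]


if __name__ == "__main__":
    d = build_sample_tree()
    print("clean listing:   ", audit_directory(d, probe_names=["shadow"]))
    print("filtered listing:", audit_directory(d, probe_names=["shadow"],
                                               list_fn=filtered_listing(["b", "shadow"])))
```

In a real hunt the probe list would come from your own inventory or published indicator file names rather than be guessed, and the link-count check should be run against directories an implant is likely to use (for example /lib/modules and the system's module and service directories) from a trusted boot image so the comparison itself is not made through the hooked kernel.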


Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.