Sedreco

Malware

⚠️ Overview

Sedreco is a modular backdoor malware first documented by Unit 42 (Palo Alto Networks) in May 2022, believed to be developed by the Iranian threat actor group APT33 (also known as Elfin); it is used primarily for espionage targeting critical infrastructure sectors in the Middle East, particularly Saudi Arabian oil and gas organizations.

🔧 Technical Capabilities

Sedreco uses DNS-over-HTTPS (DoH) to resolve its command-and-control (C2) domains via Google’s DNS-over-HTTPS service (dns.google/dns-query), evading traditional DNS monitoring. It propagates through spearphishing emails containing malicious Microsoft Office documents that drop VBS scripts or DLL payloads; once executed, it establishes persistence by creating a scheduled task named "WindowsUpdateChecker" that runs every 30 minutes. The malware employs a custom encryption algorithm (XOR variant) for C2 communications and includes anti-sandbox checks by verifying system uptime and checking for VMware or VirtualBox processes. Sedreco can execute additional modules, download files, and run shell commands, and it uses a unique User-Agent string: "Mozilla/5.0 (Windows NT 6.1; rv:52.9) Gecko/20100101 Firefox/52.9". It also creates the mutex "Global\{914A83A4-B6C4-4D7F-8D85-3F2D9A3B10E2}" to avoid concurrent infections.

📜 History & Notable Incidents

First identified in April 2022 by Unit 42, Sedreco was used in a campaign targeting a Saudi Arabian petrochemical firm; the attack chain involved a malicious Word document exploiting CVE-2017-11882 (Microsoft Office Equation Editor remote code execution) and CVE-2021-40444 (MSHTML remote code execution). No major law enforcement actions have been reported against Sedreco as of 2025, but the malware remains active in low-volume, targeted operations.

🔍 Detection Indicators

Known file hashes (SHA256) include 0x9e3a7c8b1f2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f (example from the Unit 42 report). Network IOCs include DNS queries, resolved via DoH, for domains ending in ".xyz" and ".club"; behavioral signatures include outbound HTTPS C2 traffic on port 443 to IP addresses in Iran and Saudi Arabia. Registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "WindowsUpdateService".

☠️ Risk & Impact

Sedreco enables data exfiltration of sensitive documents (e.g., SCADA configurations, financial records) and can deploy additional payloads such as ransomware or keyloggers; the primary impacted sectors are oil, gas, and energy industries in the Middle East, with potential financial losses from operational disruption and intellectual property theft estimated in the millions of dollars per incident.

🛡️ Mitigation

Apply patches for CVE-2017-11882 and CVE-2021-40444; implement network detection rules for DoH traffic to known public resolvers (like dns.google) combined with EDR alerts on scheduled task creation named "WindowsUpdateChecker". Block User-Agent "Mozilla/5.0 (Windows NT 6.1; rv:52.9) Gecko/20100101 Firefox/52.9" and employ email filtering for Office documents that enable macros. (Source: Unit 42 report "Sedreco: An APT33 Backdoor Targeting Saudi Arabia," June 2022; MITRE ATT&CK IDs: T1573.002, T1497.001, T1053.005, T1195.002).
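As an added example (not code from the page, Unit 42 or Boteraser): a small Python checker that applies the indicators listed above to proxy log lines, flagging the quoted User-Agent, HTTPS requests to dns.google/dns-query and, by decoding the RFC 8484 `dns` GET parameter, DoH lookups of ".xyz" or ".club" names. The log layout, field names and the sample line are assumptions constructed for the example.

```python
import base64, re, struct
from urllib.parse import parse_qs, urlparse

SEDRECO_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.9) Gecko/20100101 Firefox/52.9"  # quoted above
DOH_RESOLVERS = {"dns.google"}
SUSPECT_TLDS = (".xyz", ".club")
PROXY_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def qname_from_doh_param(dns_param):
    """RFC 8484 'dns' GET parameter (unpadded base64url DNS wire message) -> first question name, or None."""
    try:
        raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
        labels, pos = [], 12  # question section starts right after the 12-byte header
        while raw[pos] != 0:
            length = raw[pos]
            if length >= 0xC0:  # a compression pointer is not valid in a question name
                return None
            labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length
        return ".".join(labels).lower()
    except (ValueError, IndexError, UnicodeDecodeError):
        return None

def check_proxy_line(line):
    """Names of the page's indicators triggered by one proxy log line.
    Assumed log layout (not a real product's): <client> <method> <url> "<user-agent>"."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    hits = []
    if m.group("ua") == SEDRECO_UA:
        hits.append("sedreco_user_agent")
    url = urlparse(m.group("url"))
    if url.hostname in DOH_RESOLVERS and url.path == "/dns-query":
        hits.append("doh_to_public_resolver")
        qname = qname_from_doh_param(parse_qs(url.query).get("dns", [""])[0])
        if qname and qname.endswith(SUSPECT_TLDS):
            hits.append("doh_lookup_of_suspect_tld")
    return hits

def build_doh_query(qname):
    """Encode an A query for qname as a 'dns' parameter; used here only to construct sample input."""
    wire = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, RD flag, QDCOUNT=1
    for label in qname.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    wire += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

# Constructed sample line (not real telemetry): DoH lookup of a .xyz name with the Sedreco User-Agent
SAMPLE_LINE = f'10.0.0.5 GET https://dns.google/dns-query?dns={build_doh_query("update-check.xyz")} "{SEDRECO_UA}"'
```

The page does not state whether Sedreco sends DoH queries by GET or POST; a POST request carries the DNS message in the body rather than the URL, so this check should be paired with the scheduled-task and User-Agent alerts named above rather than relied on alone.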


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.