Researchers at Qualys have recently discovered a new variant of the Sotdas malware that introduces several new features and additional defense evasion techniques. The malware family, written in C++, has been active for many years.

The primary purpose of this malware is to collect information from compromised systems, operate covertly in the background, and carry out its malicious activity. To accomplish these objectives, the malware employs a range of techniques that this article walks through.

Let’s talk about its capabilities

The Sotdas malware possesses significant capabilities that pose a notable threat in the cyber landscape.
  • It achieves persistence by creating startup entries and copying itself into system directories.
  • It gathers system information, including CPU and memory details, network interface data, and current CPU utilization.
  • It evades defenses by daemonizing itself, reading the /proc file system, and registering itself in the System V runlevel (init script) configuration.
  • It communicates with its C&C server over DNS tunneling, using custom DNS query messages and encoding its payload inside DNS records.

Why this matters

  • After establishing persistence and collecting system information, Sotdas uses that data to tune its resource usage and start cryptomining.
  • Using the gathered CPU and memory details, the malware tries to maximize mining throughput by using all available CPU while avoiding detection.
  • Once mining is underway, it continuously monitors the system's CPU utilization so that it can stay covert and adjust its resource usage as needed.
  • It periodically checks the system's memory usage to ensure enough memory remains available for uninterrupted mining.
  • This monitoring and resource management lets the malware sustain its mining while minimizing the chance of being detected.
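As an added example of the monitoring logic described above (written for this page, not taken from Sotdas or the Qualys report), the following Python reads the same Linux counters the malware would: the aggregate cpu line of /proc/stat, which must be sampled twice and differenced because its values are cumulative since boot, and MemAvailable from /proc/meminfo. The snapshot contents and the thresholds are constructed for illustration. Because these are the same counters a defender reads, the last function turns them around into a check for sustained high utilization.

```python
# Constructed /proc/stat snapshots (aggregate "cpu" line only); the ten fields
# are user nice system idle iowait irq softirq steal guest guest_nice, in jiffies.
PROC_STAT = [
    "cpu  10132 52 2590 800000 3100 0 150 0 0 0\n",
    "cpu  14132 52 3590 802000 3200 0 200 0 0 0\n",
    "cpu  20132 52 4590 803000 3250 0 250 0 0 0\n",
    "cpu  26132 52 5590 804000 3300 0 300 0 0 0\n",
]

# Constructed /proc/meminfo excerpt, values in kB.
PROC_MEMINFO = """MemTotal:        8164340 kB
MemFree:          412300 kB
MemAvailable:    1203400 kB
Buffers:          210000 kB
Cached:          1100000 kB
"""


def parse_cpu_times(stat_text):
    """Return (idle, total) jiffies from the aggregate cpu line.

    iowait counts as idle; guest and guest_nice are already included in
    user and nice, so only the first eight fields are summed for the total.
    """
    for line in stat_text.splitlines():
        if line.startswith("cpu "):
            fields = [int(x) for x in line.split()[1:]]
            idle = fields[3] + fields[4]
            return idle, sum(fields[:8])
    raise ValueError("no aggregate cpu line in /proc/stat")


def cpu_utilization(stat_before, stat_after):
    """Fraction of non-idle time between two snapshots (0.0 .. 1.0)."""
    idle0, total0 = parse_cpu_times(stat_before)
    idle1, total1 = parse_cpu_times(stat_after)
    total_delta = total1 - total0
    if total_delta <= 0:
        return 0.0
    return 1.0 - (idle1 - idle0) / total_delta


def parse_meminfo(text):
    """Map /proc/meminfo keys to kB.

    MemAvailable, not MemFree, is the figure that says how much can be used
    without swapping, because page cache and buffers are reclaimable.
    """
    info = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if rest:
            info[key.strip()] = int(rest.split()[0])
    return info


def sustained_high_cpu(snapshots, threshold=0.6, intervals=3):
    """True when each of the last `intervals` sampling intervals exceeded
    `threshold`; a defender's counterpart to the miner's own polling."""
    utils = [cpu_utilization(a, b) for a, b in zip(snapshots, snapshots[1:])]
    if len(utils) < intervals:
        return False
    return all(u >= threshold for u in utils[-intervals:])


if __name__ == "__main__":
    for before, after in zip(PROC_STAT, PROC_STAT[1:]):
        print(f"utilization {cpu_utilization(before, after):.3f}")
    print("MemAvailable kB:", parse_meminfo(PROC_MEMINFO)["MemAvailable"])
    print("sustained high CPU:", sustained_high_cpu(PROC_STAT))
```

On a live host, replace the constructed strings with the contents of /proc/stat and /proc/meminfo read a few seconds apart; a single read of /proc/stat cannot yield a utilization figure, which is a common mistake in both malware and monitoring scripts.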

More cryptomining threats

  • Recently, the DangerousPassword APT group was spotted targeting cryptocurrency exchanges in Japan through various malware delivery techniques, including the use of LinkedIn and OneNote files.
  • In late April, the 8220 Gang attack group exploited the Log4Shell vulnerability to install CoinMiner on vulnerable VMware Horizon servers belonging to Korean energy-related companies.

The bottom line

The discovery of the new Sotdas variant highlights the threat this family continues to pose. Its defense evasion techniques and persistence mechanisms make it hard to detect and hard to dislodge once it is running.

Mitigating such threats requires a layered approach: keeping systems and software patched, strong network security controls (including monitoring DNS traffic for tunneling, the channel this variant relies on), and user awareness to prevent delivery through social engineering. The rise of other cryptomining threats underscores the ongoing need for robust defenses against these evolving campaigns.