Researchers recently discovered a new variant of the Sotdas malware that could provide its operators with several innovative features and advanced defence capabilities. The malware family, which has been active for several years, is written in C++.
The malware’s main objective is to harvest data from infected systems while running discreetly in the background to carry out its malicious activity, and it adopts various techniques to that end.
The new Sotdas variant has substantial capabilities that pose a threat to the cybersecurity community.
According to the investigation, the Sotdas malware achieves persistence by generating startup entries and propagating itself into system directories. Moreover, the newly discovered variant can harvest system information such as network interface data, CPU utilisation and memory details.
Furthermore, it adopts advanced defence mechanisms such as establishing a daemon process, using the /proc file system and utilising the System V runlevel configuration. Sotdas can also employ DNS tunnelling to communicate with the attacker-controlled command-and-control server, using custom DNS query messages and writing payloads into DNS records.
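As an added illustration of the detection side of the DNS tunnelling channel described above (not code from the original report or from the malware), the following Python script scores DNS query names from constructed log lines for the traits that encoded payload leaves behind: unusually long labels, deep label chains and high character entropy. The log layout, the domain names and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log; hypothetical "<epoch> <client> <qtype> <qname>" layout.
SAMPLE_LOG = """\
1717000001 10.0.0.5 A www.example.com
1717000002 10.0.0.5 TXT 4a6f686e20446f65.aGVsbG8gd29ybGQ.c2VjcmV0ZGF0YQ.c2.example-tunnel.test
1717000003 10.0.0.7 A mail.example.com
1717000004 10.0.0.5 TXT 7b2268223a2231302e302e302e35227d.8f3c1a.c2.example-tunnel.test
"""

MAX_LABEL_LEN = 30      # DNS allows 63, but legitimate hostnames rarely exceed this
MAX_LABELS = 5          # deep label chains are how chunked payload is carried
MIN_ENTROPY = 3.5       # bits per character; encoded payload is close to uniform
MIN_SUBDOMAIN_LEN = 16  # entropy is meaningless on very short strings

def shannon_entropy(text):
    """Bits per character of the string's empirical symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def score_qname(qname):
    """Return the list of tunnelling indicators that fire for one query name."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])  # assumes a two-label registered domain
    reasons = []
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if len(labels) > MAX_LABELS:
        reasons.append("many_labels")
    if len(subdomain) >= MIN_SUBDOMAIN_LEN and shannon_entropy(subdomain) > MIN_ENTROPY:
        reasons.append("high_entropy")
    return reasons

def find_tunnel_candidates(log_text):
    """Parse the log; return {client: [(qtype, qname, reasons), ...]} for flagged queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qtype, qname = parts
        reasons = score_qname(qname)
        if reasons:
            hits[client].append((qtype, qname, reasons))
    return dict(hits)
```

Running `find_tunnel_candidates(SAMPLE_LOG)` flags only the two TXT queries from 10.0.0.5; the thresholds should be tuned against a baseline of the monitored network's own DNS traffic.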
After establishing persistence and collecting system information, the malware leverages the harvested data to optimise its resource usage and start cryptocurrency mining campaigns.
Sotdas also tries to maximise mining performance by using all available CPU resources while carefully avoiding security defences, guided by the gathered CPU and memory details.
Once the cryptomining operation begins, the malicious tool continuously monitors the system’s CPU utilisation to maintain its persistence and adjust resource usage as necessary.
Furthermore, the malware constantly checks the system’s memory usage to ensure there is enough memory for unobstructed mining. This monitoring and resource management could allow the malware to sustain its cryptomining activity while minimising the chance of detection.
Cryptomining attacks have surged recently. The DangerousPassword APT group has also targeted crypto exchanges in Japan through various malware delivery techniques, including OneNote files and LinkedIn.
The appearance of the new Sotdas variant implies that threat actors are constantly developing new tools to execute more attacks. Organisations should adopt layered security defences to mitigate the damage from these advanced evasion techniques and from the persistence of new malware strains.