Sotdas: Cryptomining malware with optimized resource utilization

Sotdas is a type of malware that is designed to steal personal information from Android devices. It can be installed on a device in a number of ways, including by opening a corrupted attachment, clicking on a malicious link, or downloading a false program from an unreliable source.

The Sotdas malware has been a significant threat to cybersecurity since 2020 because of its powerful capabilities. It exhibits persistence by making startup entries and duplicating itself in system folders. Sotdas has the ability to gather a variety of system data, such as CPU and memory usage, network interface data, and CPU details.

To evade detection, Sotdas employs advanced defense evasion techniques, which include establishing a daemon process, utilizing the proc file system, and leveraging the system run level configuration. These techniques make it difficult for security tools to detect and remove the malware.

Sotdas malware makes use of its persistence and the system data it gathers to maximize resource usage and conduct cryptomining operations. By effectively exploiting all available CPU resources while avoiding detection, it seeks to enhance mining performance. The malware continuously tracks CPU usage during the cryptomining process to maintain covert activity and dynamically modifies resource usage as required.
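The three behaviours described above (persistence through startup entries, a daemonised process that hides its binary, and sustained but dynamically adjusted CPU use) can each be turned into a host-level hunting check. The following Python is an added illustration written for this page; it is not code from the page, from Qualys, or from any vendor analysis. All run-level listings and process samples are constructed, the file names and paths are placeholders (the page names no real ones), and a real collector would populate `ProcSample` from `/proc/<pid>/stat`, `/proc/<pid>/exe` and the `/etc/rc*.d` directories.

```python
"""Host-side hunting heuristics for a Sotdas-style Linux cryptominer.

Added illustration; not code from the page or from any vendor analysis.
It checks for the traits the page attributes to Sotdas: startup entries in
run-level directories, a daemonised process (re-parented to init, no TTY,
binary outside the usual system paths) and sustained CPU consumption across
samples. Every input below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ProcSample:
    """One observation of a process, as a /proc poller would record it."""
    ts: int          # sample time in seconds
    pid: int
    ppid: int
    comm: str        # /proc/<pid>/comm
    exe: str         # resolved target of /proc/<pid>/exe
    tty: str         # "?" means no controlling terminal
    cpu_pct: float   # share of one core used over the sampling interval


# Constructed baseline: start links an administrator expects in rc3.d/rc5.d.
BASELINE_START_LINKS: Set[str] = {"S01network", "S20sshd"}

# Constructed listing of run-level directories; "S99placeholder" stands in for
# a start link the malware would create (the page gives no real file name).
SAMPLE_RC_DIRS: Dict[str, List[str]] = {
    "/etc/rc3.d": ["S01network", "S20sshd", "S99placeholder"],
    "/etc/rc5.d": ["S01network", "S20sshd", "S99placeholder"],
}

# Constructed process samples taken every 10 s. pid 4242 is the miner-like
# daemon (hidden placeholder binary path, throttles itself in one interval);
# pid 2001 is a legitimate build job with a terminal; pid 1337 is sshd.
SAMPLE_PROCS: List[ProcSample] = [
    s
    for ts, miner_cpu in [(0, 92.0), (10, 88.0), (20, 45.0), (30, 90.0), (40, 95.0)]
    for s in (
        ProcSample(ts, 4242, 1, "kworkerd", "/tmp/.cache/placeholder-bin", "?", miner_cpu),
        ProcSample(ts, 2001, 1500, "make", "/usr/bin/make", "pts/0", 95.0),
        ProcSample(ts, 1337, 1, "sshd", "/usr/sbin/sshd", "?", 0.2),
    )
]

# Paths where package-managed binaries normally live (assumption for the example).
TRUSTED_EXE_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")


def unexpected_start_links(rc_dirs: Dict[str, List[str]], baseline: Set[str]) -> Set[str]:
    """Full paths of S* links in run-level directories that the baseline does not list."""
    return {
        f"{directory}/{name}"
        for directory, names in rc_dirs.items()
        for name in names
        if name.startswith("S") and name not in baseline
    }


def daemon_candidates(samples: Iterable[ProcSample]) -> Set[int]:
    """PIDs re-parented to init, with no TTY, running a binary outside trusted paths."""
    return {
        s.pid
        for s in samples
        if s.ppid == 1 and s.tty == "?" and not s.exe.startswith(TRUSTED_EXE_PREFIXES)
    }


def sustained_cpu(samples: Iterable[ProcSample], threshold: float = 70.0,
                  min_fraction: float = 0.6) -> Set[int]:
    """PIDs above `threshold` CPU in at least `min_fraction` of their samples.

    Requiring a fraction of samples rather than every sample keeps the check
    tolerant of a miner that throttles itself for a while, which is the
    dynamic adjustment the page describes.
    """
    by_pid: Dict[int, List[float]] = defaultdict(list)
    for s in samples:
        by_pid[s.pid].append(s.cpu_pct)
    return {
        pid for pid, cpus in by_pid.items()
        if sum(c >= threshold for c in cpus) / len(cpus) >= min_fraction
    }


def suspicious_miners(samples: List[ProcSample]) -> Set[int]:
    """Processes that look daemonised *and* burn CPU persistently."""
    return daemon_candidates(samples) & sustained_cpu(samples)


if __name__ == "__main__":
    print("unexpected start links:",
          sorted(unexpected_start_links(SAMPLE_RC_DIRS, BASELINE_START_LINKS)))
    print("suspicious miner pids:", sorted(suspicious_miners(SAMPLE_PROCS)))
```

Note that neither signal is conclusive on its own: the build job (pid 2001) trips the CPU check and a packaged daemon such as sshd is re-parented to init, so the intersection of the daemon and CPU traits, plus the unexpected start link, is what an analyst would escalate.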

In order to communicate with its command and control (C&C) server, Sotdas also uses DNS tunneling. It uses customized DNS query messages and payload encoding within DNS records to conceal its malicious actions and maintain a covert connection with the C&C server.
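Payloads encoded into DNS names and records leave a measurable trace in resolver logs: long, high-entropy labels, many distinct subdomains under a single base domain, and a high share of record types that carry free-form data (TXT, NULL). The detector below is an added example written for this page, not code from the page or from any vendor analysis. The log format and every line in it are constructed, `c2-placeholder.example` stands in for the attacker domain (the page names none), and treating the last two labels as the base domain is a simplifying assumption.

```python
"""DNS-tunnelling indicators over a DNS query log.

Added illustration; not code from the page or from any vendor analysis.
The log format and all lines are constructed; "c2-placeholder.example"
stands in for a C&C domain the page does not name.
"""
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed format: "<epoch> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 MX mail.example.com
1700000002 10.0.0.6 A api.example.com
1700000003 10.0.0.6 A cdn.example.com
1700000004 10.0.0.5 A static.example.com
1700000005 10.0.0.7 TXT nbswy3dpfqqhg33sorsxg.c2-placeholder.example
1700000006 10.0.0.7 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.c2-placeholder.example
1700000007 10.0.0.7 TXT gezdgnbvgy3tqojqgezdgnbvgy3tqojq.c2-placeholder.example
1700000008 10.0.0.7 TXT onswg4tforsxe5lekmqgc4tdnfrgk.c2-placeholder.example
1700000009 10.0.0.7 TXT ovzxe4tvnvsgk3tuzcsuyzlunz2hsllc.c2-placeholder.example
1700000010 10.0.0.7 TXT kbqxe5dsnfrwwidtmvrxk4tfoqqgs3y.c2-placeholder.example
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")
DATA_CARRYING_TYPES = {"TXT", "NULL"}  # record types that can hold free-form data


@dataclass
class Query:
    ts: int
    client: str
    qtype: str
    qname: str


@dataclass
class DomainStats:
    """Per-base-domain aggregates used for scoring."""
    queries: int = 0
    subdomains: Set[str] = field(default_factory=set)
    entropies: List[float] = field(default_factory=list)
    max_label_len: int = 0
    data_type_queries: int = 0


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> Optional[Query]:
    """Parse one log line; malformed lines are skipped rather than aborting the run."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Query(int(m["ts"]), m["client"], m["qtype"], m["qname"].rstrip(".").lower())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, base) treating the last two labels as the base domain.

    Assumption for the example only: a production detector should consult
    the public suffix list so that host.example.co.uk is split correctly.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def aggregate(log_text: str) -> Dict[str, DomainStats]:
    """Fold every parsable query into per-base-domain statistics."""
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        sub, base = split_name(q.qname)
        st = stats[base]
        st.queries += 1
        if sub:
            st.subdomains.add(sub)
            st.entropies.append(shannon_entropy(sub.replace(".", "")))
            st.max_label_len = max(st.max_label_len, max(len(lab) for lab in sub.split(".")))
        if q.qtype in DATA_CARRYING_TYPES:
            st.data_type_queries += 1
    return stats


def flag_tunnel_domains(log_text: str, min_subdomains: int = 5,
                        min_mean_entropy: float = 3.5, max_label: int = 40) -> Dict[str, List[str]]:
    """Base domains whose query pattern matches tunnelling, with the reasons."""
    flagged: Dict[str, List[str]] = {}
    for base, st in aggregate(log_text).items():
        reasons: List[str] = []
        mean_ent = sum(st.entropies) / len(st.entropies) if st.entropies else 0.0
        if len(st.subdomains) >= min_subdomains and mean_ent >= min_mean_entropy:
            reasons.append(f"{len(st.subdomains)} distinct high-entropy subdomains "
                           f"(mean {mean_ent:.2f} bits/char)")
        if st.max_label_len >= max_label:
            reasons.append(f"label of {st.max_label_len} chars")
        if st.queries >= min_subdomains and st.data_type_queries / st.queries >= 0.5:
            reasons.append(f"{st.data_type_queries}/{st.queries} queries for data-carrying record types")
        if reasons:
            flagged[base] = reasons
    return flagged


if __name__ == "__main__":
    for base, reasons in flag_tunnel_domains(SAMPLE_LOG).items():
        print(base, "->", "; ".join(reasons))
```

The thresholds are starting points, not tuned values: content delivery networks and some security products legitimately generate many hashed-looking subdomains, so a deployment would baseline per-domain entropy and subdomain counts over a quiet period before alerting, and would pair the DNS signal with the host-side indicators (a daemonised high-CPU process) before treating a domain as C&C.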

Targets of Sotdas malware have been identified in the government, healthcare, manufacturing, and financial industries. Systems around the world, including in the United States, Europe, and Asia, have also been targeted by the malware.

References:

  • https://cyware.com/news/qualys-discovers-new-sotdas-malware-variant-c4c83a5f
  • https://cs.beta.fletch.ai/p/sotdas