
AI-forged panda images hide persistent cryptomining malware ‘Koske’

by Wikdaily


The malware registers itself as a background service, sets up recurring scheduled tasks, and evades detection by concealing its processes from standard monitoring tools. Its adaptive logic, including proxy-checking routines, an intelligent selection among 18 cryptocurrency miners, and fallback behaviors, is likely a borrowed AI function, Morag noted in the blog.

Aqua recommended monitoring unauthorized bash modifications, unexpected DNS rewrites, and using runtime protection telemetry to spot anomalous shell behavior. Additionally, blocking execution of polyglot file payloads and hidden rootkits (with drift prevention) was advised. The blog shared a few indicators of compromise (IOCs), including IP addresses, URLs, and filenames used in the attacks.
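One way to act on the polyglot recommendation is to flag image files that carry extra bytes after the image itself ends. The Python below is an added example, not code from the article or from Aqua; it assumes the polyglot is a JPEG with a payload appended after the end-of-image marker (the article does not describe the file layout), and the function names and sample bytes are constructed for illustration.

```python
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 markers carry no length field

def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:           # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:           # EOI: the image ends here
            return i + 2
        if marker in NO_LENGTH:
            i += 2
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")
        i += 2 + length              # skip the segment; FFD9 inside it is not EOI
        if marker == 0xDA:           # SOS: entropy-coded scan data follows
            while i + 1 < len(data):
                nxt = data[i + 1]    # FF00 is a stuffed byte, FFD0-D7 are restarts
                if data[i] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("truncated JPEG (no EOI marker)")

def classify(data: bytes) -> str:
    """Triage verdict based on what follows the end-of-image marker."""
    tail = data[jpeg_end_offset(data):].lstrip(b"\x00\r\n\t ")
    if not tail:
        return "clean"
    if tail.startswith(b"#!"):
        return "script-polyglot"
    if tail.startswith(b"\x7fELF"):
        return "elf-polyglot"
    return "trailing-data"

# Constructed sample: a minimal JPEG-shaped byte string whose APP0 payload
# happens to contain FF D9, which would fool a naive search for the marker.
APP0 = b"\xff\xe0\x00\x08JF\xff\xd9IF"
SOS = b"\xff\xda\x00\x03\x00"
SAMPLE_IMAGE = b"\xff\xd8" + APP0 + SOS + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"
SAMPLE_POLYGLOT = SAMPLE_IMAGE + b"\n#!/bin/sh\necho constructed\n"
```

Some legitimate cameras and editors also append data after the end-of-image marker, so a `trailing-data` verdict is a reason to inspect the file, not proof of a payload.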
