Cybersecurity experts have discovered new malware that makes tweaks to its victim’s CPU to increase the machine's performance as a crypto miner.
Identified by cloud security firm Uptycs, the malware attacks vulnerable Linux-based servers by exploiting known vulnerabilities in the popular web servers.
“The Uptycs Threat Research Team recently observed Golang-based worm dropping cryptominer binaries which use the MSR (Model Specific Register) driver to disable hardware prefetchers and increase the speed of the mining process by 15%,” revealed researchers in a blog post.
- Protect your devices with these best antivirus software
- Here's our choice of the best malware removal software on the market
- These are the best ransomware protection tools
Hardware prefetching is a technique that enables processors to load data in the cache memory in order to speed up repetitive computations, and can be toggled with the MSR.
Performance penalty
According to the researchers, while disabling the hardware prefetcher increases cryptoming performance, it lowers performance of other legitimate applications running on the server.
While the malware, first identified by Uptycs in June 2021, is similar to the strain discovered by Intezer last year, the new variants employ a bunch of new tricks. The researchers have already identified seven variants of the Goland-based wormed cryptominer, with subtle differences.
Describing the attack chain of the cryptominer, the researchers say that the attack starts with a shell script, which first downloads the Golang worm. This worm then scans and exploits existing server based vulnerabilities, most notably, CVE-2020-14882 and CVE-2017-11610.
After breaking into a vulnerable server, the worm then writes multiple copies of itself to various sensitive directories like /boot, /efi, /grub, and then drops the Xmrig miner ELF in /tmp. The miner then disables the hardware prefetcher by using MSR, before getting to work.
- These are the best endpoint protection tools
