Skip to main content

Sneaky crypto botnet tweaks your CPU to optimize mining performance

Cryptocurrency miners
(Image credit: Morrowind / Shutterstock)

Cybersecurity experts have discovered new malware that makes tweaks to its victim’s CPU to increase the machine's performance as a crypto miner

Identified by cloud security firm Uptycs, the malware attacks vulnerable Linux-based servers by exploiting known vulnerabilities in the popular web servers.

“The Uptycs Threat Research Team recently observed Golang-based worm dropping cryptominer binaries which use the MSR (Model Specific Register) driver to disable hardware prefetchers and increase the speed of the mining process by 15%,” revealed researchers in a blog post.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Hardware prefetching is a technique that enables processors to load data in the cache memory in order to speed up repetitive computations, and can be toggled with the MSR.

Performance penalty

According to the researchers, while disabling the hardware prefetcher increases cryptoming performance, it lowers performance of other legitimate applications running on the server. 

While the malware, first identified by Uptycs in June 2021, is similar to the strain discovered by Intezer last year, the new variants employ a bunch of new tricks. The researchers have already identified seven variants of the Goland-based wormed cryptominer, with subtle differences. 

Describing the attack chain of the cryptominer, the researchers say that the attack starts with a shell script, which first downloads the Golang worm. This worm then scans and exploits existing server based vulnerabilities, most notably, CVE-2020-14882 and CVE-2017-11610.

After breaking into a vulnerable server, the worm then writes multiple copies of itself to various sensitive directories like /boot, /efi, /grub, and then drops the Xmrig miner ELF in /tmp. The miner then disables the hardware prefetcher by using MSR, before getting to work.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.