Cybersecurity (opens in new tab) experts have discovered new malware (opens in new tab) that makes tweaks to its victim’s CPU to increase the machine's performance as a crypto miner (opens in new tab).
“The Uptycs Threat Research Team recently observed Golang-based worm dropping cryptominer binaries which use the MSR (Model Specific Register) driver to disable hardware prefetchers and increase the speed of the mining process by 15%,” revealed researchers (opens in new tab) in a blog post.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
>> Click here to start the survey in a new window (opens in new tab) <<
- Protect your devices with these best antivirus (opens in new tab) software
- Here's our choice of the best malware removal (opens in new tab) software on the market
- These are the best ransomware protection tools (opens in new tab)
Hardware prefetching is a technique that enables processors to load data in the cache memory in order to speed up repetitive computations, and can be toggled with the MSR.
According to the researchers, while disabling the hardware prefetcher increases cryptoming performance, it lowers performance of other legitimate applications running on the server.
While the malware, first identified by Uptycs in June 2021, is similar to the strain discovered by Intezer last year (opens in new tab), the new variants employ a bunch of new tricks. The researchers have already identified seven variants of the Goland-based wormed cryptominer, with subtle differences.
Describing the attack chain of the cryptominer, the researchers say that the attack starts with a shell script, which first downloads the Golang worm. This worm then scans and exploits existing server based vulnerabilities, most notably, CVE-2020-14882 and CVE-2017-11610.
After breaking into a vulnerable server, the worm then writes multiple copies of itself to various sensitive directories like /boot, /efi, /grub, and then drops the Xmrig miner ELF in /tmp. The miner then disables the hardware prefetcher by using MSR, before getting to work.
- These are the best endpoint protection tools (opens in new tab)