“The Uptycs Threat Research Team recently observed Golang-based worm dropping cryptominer binaries which use the MSR (Model Specific Register) driver to disable hardware prefetchers and increase the speed of the mining process by 15%,” revealed researchers in a blog post.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- Protect your devices with these best antivirus software
- Here's our choice of the best malware removal software on the market
- These are the best ransomware protection tools
Hardware prefetching is a technique that enables processors to load data in the cache memory in order to speed up repetitive computations, and can be toggled with the MSR.
According to the researchers, while disabling the hardware prefetcher increases cryptoming performance, it lowers performance of other legitimate applications running on the server.
While the malware, first identified by Uptycs in June 2021, is similar to the strain discovered by Intezer last year, the new variants employ a bunch of new tricks. The researchers have already identified seven variants of the Goland-based wormed cryptominer, with subtle differences.
Describing the attack chain of the cryptominer, the researchers say that the attack starts with a shell script, which first downloads the Golang worm. This worm then scans and exploits existing server based vulnerabilities, most notably, CVE-2020-14882 and CVE-2017-11610.
After breaking into a vulnerable server, the worm then writes multiple copies of itself to various sensitive directories like /boot, /efi, /grub, and then drops the Xmrig miner ELF in /tmp. The miner then disables the hardware prefetcher by using MSR, before getting to work.
- These are the best endpoint protection tools