The latest versions of the Monero-mining malware exploit web server bugs and also make the mining process itself more efficient.
A variant of the Golang crypto-worm has been discovered that can speed up the mining of Monero by 15 percent, researchers say. The attacks were spotted by researchers from Uptycs, a cybersecurity company. Since June, Uptycs has identified seven samples of the Golang crypto-worm.
The worm scans for and exploits known weaknesses in Unix and Linux-based web servers. Some of these include CVE-2020-14882 in the Oracle WebLogic Server and CVE-2017-11610 in the XML-RPC servers by WordPress.
“CVE-2020-14882 [is a] classic path-traversal vulnerability used for exploiting vulnerable web logic servers,” according to Uptycs. “It seemed like the attacker tried to bypass the authorization mechanism by changing the URL and performing a path traversal using double encoding on /console/images.”
The exploit for CVE-2017-11610, meanwhile, carries an encoded payload in the request parameters, researchers said.
The attack begins with a shell script that downloads the Golang worm. The worm uses various defensive techniques, such as altering firewall rules and disabling monitoring agents, to evade detection.
The package ultimately installs XMRig into a temporary directory and uses a base64-encoded command to download the shell script onto other remote servers.
XMRig is a well-known Monero cryptominer. In the latest campaign, the attackers use modified XMRig binaries to improve mining efficiency by 15%.
The performance boost, a major improvement for XMRig, comes from using Model Specific Registers (MSRs) to control processor features. The malware disables hardware prefetchers through the MSR driver, which is usually used for debugging purposes on Unix and Linux servers.
“Hardware prefetcher is a technique in which the processors prefetch data based on the past access behavior by the core,” Uptycs researchers explained in their report. “The processor (or the CPU), by using hardware prefetcher, stores instructions from the main memory into the L2 cache. However, on multicore processors, the use of aggressive hardware prefetching causes hampering and results in overall degradation of system performance.”
According to XMRig documentation, disabling hardware prefetchers can increase the mining speed by up to 15 percent.
However, this capability presents a heightened risk to businesses, researchers warned: “Alongside the mining process, modification of the MSR registers can lead to fatal performance issues of the corporate resources.”
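As an added illustration of how a defender might look for the behaviours described above (MSR driver use, XMRig dropped into a temporary directory, a base64-decoded command piped to a shell, firewall tampering), here is a small Python log scanner. It is example code written for this article, not Uptycs' or XMRig's, and its regexes and sample log lines are constructed assumptions about how those actions appear in a command audit log rather than real telemetry.

```python
import re

# Indicators derived from the behaviours described in the report above.
# The regexes are this example's own assumptions about how those actions
# show up in process/command logs; tune them to your own telemetry.
RULES = {
    "msr_driver_use": re.compile(
        r"(?:\bmodprobe\s+msr\b|/dev/cpu/\d+/msr\b)"),
    "xmrig_in_tmp": re.compile(
        r"(?:/tmp|/var/tmp|/dev/shm)/\S*xmrig", re.IGNORECASE),
    # Only flag base64 decoding when its output is piped straight into a shell.
    "base64_pipe_to_shell": re.compile(
        r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba|da|z)?sh\b"),
    "firewall_tamper": re.compile(
        r"\b(?:iptables\s+-F\b|ufw\s+disable\b|systemctl\s+stop\s+firewalld\b)"),
}


def classify_line(line):
    """Return the names of all rules that a single log line triggers."""
    return [name for name, rx in RULES.items() if rx.search(line)]


def scan_log(lines):
    """Map each rule name to the lines that matched it, skipping clean lines."""
    hits = {}
    for line in lines:
        for name in classify_line(line):
            hits.setdefault(name, []).append(line)
    return hits


# Constructed sample lines in the style of a process/command audit log.
SAMPLE_LOG = [
    "uid=0 cmd='iptables -F'",
    "uid=0 cmd='echo aGVsbG8= | base64 -d | bash'",
    "uid=0 cmd='modprobe msr'",
    "uid=0 cmd='/tmp/.x/xmrig --config=/tmp/.x/config.json'",
    "uid=1000 cmd='ls -la /home/user'",              # benign, not flagged
    "uid=0 cmd='base64 -d payload.bin > out.bin'",   # decode without shell pipe, not flagged
]

if __name__ == "__main__":
    for rule, matched in scan_log(SAMPLE_LOG).items():
        print(f"{rule}: {len(matched)} hit(s)")
```

Each indicator on its own is weak; treat several firing on the same host within a short window as the signal worth escalating.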