This is how Monero-mining malware works on Linux web servers – CVBJ

A new version of a piece of malware can squeeze about 15% more mining performance out of the computers it infects, specifically web servers running the Linux operating system, in order to mine the Monero cryptocurrency (XMR).

Linux-based servers are used by companies such as Google, IBM, Dell, Oracle and Amazon. The last of these runs a service that is widely used on the Internet, Amazon Web Services, which could be a concern since the malware is able to spread between servers on a network.

However, no incidents have been reported involving these companies, except for Oracle WebLogic, due to a known vulnerability, the researchers say.

The Uptycs firm published a report explaining how a worm-type malware, once it infects a Linux-based network server, can disable the CPU's memory and performance prediction features, specifically hardware prefetching.

Hardware prefetching is a set of CPU mechanisms that predict which data the running software will need for operations executed later and load it into the cache ahead of time, so that it is ready when the time comes.

Part of the malicious code detected in the Uptycs investigation. The malware loads a driver that modifies model-specific registers (MSRs), which in turn lets it disable or enable features of the infected hardware. Source: Uptycs

Having freed up the necessary space and capacity, the worm can download, install and run a program known as XMRig, which is open source and widely used by the Monero (XMR) mining community around the world.

In this case, the attacker applies this mining software maliciously, obtaining XMR fraudulently at the victim's expense, and potentially infecting other computers as well.

The researchers note that the first version of this malware was detected in December 2020 and was also intended to mine XMR. However, it did not have the ability to disable hardware prefetching, which is what gives the new version its better mining performance.

The worm, written in Go (Golang), attacks vulnerable Linux-based or similar servers (*nix or UNIX), exploiting known vulnerabilities in popular web servers in order to spread itself and deploy the miner.

The new variant of the worm was identified in June 2021 by our threat intelligence system. Although some functions were similar to those discussed by the firm Intezer last year, the new variants of this malware have a lot of capabilities up their sleeve.

Uptycs.

The firm points out that although the XMRig mining software is not itself malicious, its open-source documentation includes a recommendation for users to get better mining performance by optimizing the RandomX algorithm, on which the Monero network runs.
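The MSR-based prefetcher tweak mentioned in the caption above and in this RandomX performance recommendation leaves a trace on the host that a defender can check for. The following Python script is an added example written for this page; it is not code from the article, from Uptycs or from the XMRig project. It assumes, from Intel's documentation rather than from the article, that on Intel CPUs MSR 0x1A4 (MSR_MISC_FEATURE_CONTROL) holds four prefetcher-disable bits, and that tooling reaches that register on Linux through the `msr` kernel module and the /dev/cpu/N/msr device. The sample /proc/modules contents are constructed.

```python
"""Host check for the MSR prefetcher-disable tweak used by Monero miners.

Added example, not the article's, Uptycs' or XMRig's code. Assumptions:
- Intel MSR 0x1A4 (MSR_MISC_FEATURE_CONTROL): bit 0 disables the L2 hardware
  prefetcher, bit 1 the L2 adjacent-line prefetcher, bit 2 the DCU prefetcher,
  bit 3 the DCU IP prefetcher. A value of 0xF disables all four.
- On Linux the register is reached via the `msr` kernel module and
  /dev/cpu/N/msr, so a loaded `msr` module is a useful secondary indicator.
"""
import os
import struct

MSR_MISC_FEATURE_CONTROL = 0x1A4
PREFETCHER_BITS = {
    0: "L2 hardware prefetcher",
    1: "L2 adjacent cache line prefetcher",
    2: "DCU (L1 data) prefetcher",
    3: "DCU IP prefetcher",
}


def disabled_prefetchers(msr_value: int) -> list:
    """Names of the prefetchers whose disable bit is set in MSR 0x1A4."""
    return [name for bit, name in PREFETCHER_BITS.items() if (msr_value >> bit) & 1]


def msr_module_loaded(proc_modules_text: str) -> bool:
    """True if the `msr` kernel module appears in /proc/modules content.

    /proc/modules lines look like: "<name> <size> <refcount> <deps> <state> <addr>".
    """
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "msr":
            return True
    return False


def read_msr(cpu: int = 0, register: int = MSR_MISC_FEATURE_CONTROL) -> int:
    """Read one 64-bit MSR from the live host (needs root and the msr module).

    The device is seekable: the byte offset is the register number.
    """
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, register)
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


def assess(msr_value: int, proc_modules_text: str) -> dict:
    """Combine both indicators. 'suspicious' means every prefetcher is off
    AND the msr module is loaded; a single indicator alone is too weak."""
    disabled = disabled_prefetchers(msr_value)
    loaded = msr_module_loaded(proc_modules_text)
    return {
        "prefetchers_disabled": disabled,
        "msr_module_loaded": loaded,
        "suspicious": len(disabled) == len(PREFETCHER_BITS) and loaded,
    }


# Constructed sample /proc/modules contents (not captured from a real host).
SAMPLE_MODULES_CLEAN = (
    "ext4 778240 2 - Live 0x0000000000000000\n"
    "xfs 1482752 0 - Live 0x0000000000000000\n"
)
SAMPLE_MODULES_SUSPECT = (
    "msr 16384 0 - Live 0x0000000000000000\n"
    "ext4 778240 2 - Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; on a real host you
    # would pass read_msr() and the text of /proc/modules instead.
    print("clean host  :", assess(0x0, SAMPLE_MODULES_CLEAN))
    print("suspect host:", assess(0xF, SAMPLE_MODULES_SUSPECT))
```

Treat a positive result as a lead, not proof: administrators sometimes disable prefetchers deliberately for benchmarking or latency-sensitive workloads, so correlate it with the process list and CPU usage before concluding a miner is present. On AMD hosts the register layout differs, so `disabled_prefetchers` as written applies only to the Intel case.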

Web servers aren’t new to XMR-mining malware

Uptycs concluded the investigation by noting that mining malware remains a latent and constant threat in the ecosystem. They also warn that the drivers used by the malware can leave lasting damage to the operation of servers belonging to entities and companies that form part of important networks in the corporate world.

Although Amazon has not been affected by this particular malware, as far as available information shows, in August 2020 it was affected by a malicious XMR miner, as CriptoNoticias reported.

Web servers are attractive to different types of malware not only because of the enormous memory and processing capacity they have, but also because of the connectivity they enjoy, which makes it easier for malware to infect other computers and servers across networks (and the web).