A new variant of the Golang crypto-worm was found dropping Monero-mining malware on targeted machines. The crypto-worm is based on XMRig and it abuses known web server vulnerabilities. Moreover, the payload binaries have the ability to speed up the mining process by 15%.
What's new?
Researchers from Uptycs have revealed that the worm scans for known vulnerabilities in Unix and Linux-based web servers, such as Oracle WebLogic Server or XML-RPC Server.
CVE-2017-11610 is a remote code execution flaw used to abuse XML-RPC, while CVE-2020-14882 is a path-traversal vulnerability used to abuse exposed WebLogic servers.
The attackers appear to bypass the console's authorization check by modifying the URL: they perform a path traversal (exploiting CVE-2020-14882) using double URL encoding under /console/images.
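The traversal described above leaves a recognisable trace in web-server access logs: a request that begins under the unauthenticated static path but, once every layer of percent-encoding is stripped and the dot segments are resolved, points somewhere else. The following detector is an added example, not code from the article or from Uptycs; the log lines are constructed sample data, the /console/images/ prefix is the one the article names, and the request paths in the sample are made up.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed web-server access-log lines (common log format). They are sample
# data for this example, not log lines from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /console/images/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2021:12:00:02 +0000] "GET /console/images/%252e%252e/somepage HTTP/1.1" 200 1024
10.0.0.7 - - [10/Mar/2021:12:00:03 +0000] "POST /RPC2 HTTP/1.1" 200 80
10.0.0.9 - - [10/Mar/2021:12:00:04 +0000] "GET /console/images/%2e%2e/other HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(?P<client>\S+) .*? "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

# The static-content prefix the article says the traversal starts from (assumed
# to be served without authentication).
UNAUTH_PREFIX = "/console/images/"


def full_decode(path: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds): rounds == 1 is ordinary encoding, rounds >= 2
    means the client layered encodings (e.g. %252e -> %2e -> .), which is the
    double-encoding trick the article describes.
    """
    current, rounds = path, 0
    for _ in range(max_rounds):
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def resolve(path: str) -> str:
    """Collapse '.' and '..' segments the way a server's path normaliser would,
    never climbing above '/'. The query string is dropped."""
    out: List[str] = []
    for seg in path.split("?", 1)[0].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def analyze_request(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it is not a traversal attempt."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = m.group("path")
    decoded, rounds = full_decode(raw)
    resolved = resolve(decoded)
    # A request that starts under the unauthenticated prefix but, once decoded
    # and normalised, ends up outside it is a traversal attempt.
    escapes = raw.startswith(UNAUTH_PREFIX) and not resolved.startswith(UNAUTH_PREFIX.rstrip("/"))
    if not escapes:
        return None
    return {
        "client": m.group("client"),
        "raw_path": raw,
        "resolved_path": resolved,
        "double_encoded": rounds >= 2,
    }


def suspicious_requests(log_text: str) -> List[Dict[str, object]]:
    """Run the check over every line of a log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        finding = analyze_request(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

The decode loop is the part worth copying: a single `unquote` would leave `%2e%2e` in place and miss exactly the encoding layer the attackers rely on, so the detector decodes until the string is stable and reports how many layers it peeled off.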
After exploiting the vulnerabilities, the attack uses a shell script (ldr.sh) that downloads the worm with the curl utility. The script also employs evasion techniques such as disabling monitoring agents and altering firewall rules.
The first-stage worm is compiled in Golang and packed with UPX. It uses the go-bindata package to embed the off-the-shelf XMRig cryptominer.
After installation, the worm downloads an additional shell script that fetches a copy of the same worm. It then installs XMRig under /tmp and drops the shell script onto other exposed servers.
Modified XMRig targeting hardware for optimization
In this campaign, modified XMRig binaries were used. When the modified miner runs with root privileges, it can disable the hardware prefetcher (the CPU feature that fetches data into cache ahead of use, based on a core's past access pattern) to boost mining performance by up to 15%.
XMRig miners use the RandomX algorithm, which generates many unique programs from data selected out of a dataset derived from the hash of a key block.
These memory-intensive RandomX programs are executed within a virtual machine. To speed them up, the miner disables the hardware prefetcher by writing to a Model Specific Register (MSR), which boosts its performance.
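On Linux, user-space access to MSRs goes through the msr kernel module and the /dev/cpu/N/msr character devices, so a write-open of that device by a process running out of /tmp is a compact host-side signal for the behaviour described above. The script below correlates auditd SYSCALL and PATH records for such opens; it is an added example, not code from the article or from Uptycs. It assumes an audit watch such as `-w /dev/cpu/0/msr -p rw -k msr_access` is in place, and the audit excerpt, process names and paths in the sample are constructed.

```python
import re
from typing import Dict, List

# Constructed auditd excerpt: two root processes opening the MSR device. Sample
# data for this example, not a log from the article or from the campaign.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1615377601.101:2001): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd2a3c1b30 a2=2 a3=0 items=1 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 comm="xmrig" exe="/tmp/xmrig" key="msr_access"
type=PATH msg=audit(1615377601.101:2001): item=0 name="/dev/cpu/0/msr" inode=1234 dev=00:06 mode=020600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1615377602.500:2002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1b2c3d40 a2=0 a3=0 items=1 ppid=1 pid=777 auid=1000 uid=0 gid=0 euid=0 comm="turbostat" exe="/usr/bin/turbostat" key="msr_access"
type=PATH msg=audit(1615377602.500:2002): item=0 name="/dev/cpu/0/msr" inode=1234 dev=00:06 mode=020600 ouid=0 ogid=0 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
MSR_DEV_RE = re.compile(r'^/dev/cpu/\d+/msr$')
# Linux open(2) access-mode bits: O_RDONLY=0, O_WRONLY=1, O_RDWR=2, mask O_ACCMODE=3.
O_ACCMODE, O_WRONLY, O_RDWR = 3, 1, 2
# Directories a freshly dropped miner typically runs from (assumed watch list;
# the article names /tmp as the install location).
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit record into a dict of its key=value fields (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        fields["serial"] = m.group(1)
    return fields


def msr_open_events(audit_text: str) -> List[Dict[str, object]]:
    """Join SYSCALL and PATH records by event serial and keep opens of /dev/cpu/N/msr.

    For each event we record who opened the device, whether the open requested
    write access (the only way to alter an MSR through this interface), and
    whether the executable lives in a temporary directory.
    """
    syscalls: Dict[str, Dict[str, str]] = {}
    paths: Dict[str, List[str]] = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        serial = rec.get("serial")
        if not serial:
            continue
        if rec.get("type") == "SYSCALL":
            syscalls[serial] = rec
        elif rec.get("type") == "PATH":
            paths.setdefault(serial, []).append(rec.get("name", ""))

    events = []
    for serial, sc in syscalls.items():
        msr_paths = [p for p in paths.get(serial, []) if MSR_DEV_RE.match(p)]
        if not msr_paths:
            continue
        # For openat(2) (syscall 257 on x86_64) the flags argument is a2, logged in hex.
        flags = int(sc.get("a2", "0"), 16)
        exe = sc.get("exe", "")
        events.append({
            "serial": serial,
            "pid": int(sc.get("pid", "0")),
            "comm": sc.get("comm", ""),
            "exe": exe,
            "device": msr_paths[0],
            "write_access": (flags & O_ACCMODE) in (O_WRONLY, O_RDWR),
            "from_temp_dir": exe.startswith(TEMP_DIRS),
        })
    return events


def high_risk(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Write-access opens from a temp directory match the pattern the article describes."""
    return [e for e in events if e["write_access"] and e["from_temp_dir"]]


if __name__ == "__main__":
    evs = msr_open_events(SAMPLE_AUDIT)
    for e in evs:
        print(e)
    print("high risk:", [e["exe"] for e in high_risk(evs)])
```

Legitimate tools (power-management and performance utilities) also open the MSR device, which is why the example keeps the access mode and the executable's location as separate fields rather than alerting on every open; the combination of write intent and a temporary-directory binary is what separates the miner from routine administration.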
Conclusion
The new Golang crypto-worm variant reflects the continuing rise in cryptomining attacks. Such wormable cryptominers can spread quickly across the networks of victim organizations. Moreover, modifying MSRs can significantly affect the performance of the targeted systems.