The Uptycs threat research team has found malware that not only hijacks vulnerable *nix-based servers and uses them to mine cryptocurrency, but also modifies their CPU configuration to improve mining performance at the expense of other applications.
Criminals use Golang-based worms to exploit known vulnerabilities, such as CVE-2020-14882 (Oracle WebLogic) and CVE-2017-11610 (Supervisord), to gain access to Linux systems, The Record reports. Once they hijack a machine, they use model-specific registers (MSRs) to disable the hardware prefetcher, the unit that fetches data and instructions from memory into the L2 cache before they are needed.
Prefetching has been used for many years and can improve the performance of various tasks. However, disabling it can increase the performance of XMRig, the mining software used by the criminals, by 15%.
But disabling the hardware prefetcher will reduce the performance of legitimate applications. In turn, server operators must either purchase additional machines to meet their performance requirements or increase the power limits of existing hardware. In either case, they will increase power consumption and cost extra money.
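A defender-side check for the MSR change described above, added here as an example and not taken from Uptycs or the original article: it reads the prefetcher-control register on each core through the Linux msr driver and reports which prefetchers are disabled. The register number 0x1A4 and its bit layout are assumptions that hold for many Intel cores (the article names no register), and the function names are illustrative.

```python
import glob
import os
import struct

# Assumption (not stated in the article): on many Intel cores the prefetcher
# control is MSR 0x1A4, where a set bit DISABLES the named prefetcher.
# AMD and other CPUs use different registers and are not covered here.
MSR_PREFETCH_CTL = 0x1A4
PREFETCH_BITS = {
    0: "L2 hardware prefetcher",
    1: "L2 adjacent cache line prefetcher",
    2: "DCU (L1 data) prefetcher",
    3: "DCU IP prefetcher",
}

def disabled_prefetchers(value):
    """Return names of prefetchers whose disable bit is set in the MSR value."""
    return [name for bit, name in PREFETCH_BITS.items() if (value >> bit) & 1]

def read_msr(cpu, reg=MSR_PREFETCH_CTL):
    """Read one 64-bit MSR via /dev/cpu/N/msr (needs root and 'modprobe msr')."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, reg))[0]
    finally:
        os.close(fd)

def audit(cpus, reader=read_msr):
    """Map cpu -> list of disabled prefetchers, or an error string if unreadable."""
    report = {}
    for cpu in cpus:
        try:
            report[cpu] = disabled_prefetchers(reader(cpu))
        except OSError as exc:  # msr module missing, not root, or register absent
            report[cpu] = f"unreadable: {exc.strerror}"
    return report

def flagged(report):
    """CPUs with at least one prefetcher disabled; these are worth investigating."""
    return sorted(c for c, v in report.items() if isinstance(v, list) and v)

if __name__ == "__main__":
    cpus = sorted(int(p.split("/")[3]) for p in glob.glob("/dev/cpu/[0-9]*/msr"))
    if not cpus:
        print("no /dev/cpu/*/msr devices; load the msr module and run as root")
    for cpu, result in audit(cpus).items():
        print(f"cpu{cpu}: {result or 'all prefetchers enabled'}")
```

A non-empty result is a lead, not proof of compromise: firmware settings or deliberate tuning can also disable prefetchers, so compare against the host's known-good baseline.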
According to reports, the botnet has been in use since at least December 2020 and has targeted vulnerabilities in MySQL, Tomcat, Oracle WebLogic, and Jenkins, indicating that it is flexible enough to attack a variety of programs. It is not clear how common these attacks are, but they appear to be common enough for security researchers to study them.