Uptycs Threat Research Team has discovered malware that not only hijacks vulnerable *nix-based servers and uses them to mine cryptocurrency but actually modifies their CPU configurations in a bid to increase mining performance at the cost of performance in other applications.
Perpetrators use a Golang-based worm to exploit known vulnerabilities like CVE-2020-14882 (Oracle WebLogic) and CVE-2017-11610 (Supervisord) to gain access to Linux systems. Once they hijack a machine, they write to model-specific registers (MSRs) to disable the hardware prefetcher, a CPU unit that fetches data and instructions from memory into the L2 cache before they are needed.
Prefetching has been used for years and can boost performance in various tasks. Disabling it can increase mining performance in XMRig, the mining software the perpetrators use, by 15%.
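A read-only host check a defender can run to spot the prefetcher tampering described above; this is an added example, not code from Uptycs or the article. It assumes an Intel host (the prefetcher-disable bits live in MSR 0x1A4, MSR_MISC_FEATURE_CONTROL, as documented in the Intel SDM), a loaded `msr` kernel module exposing `/dev/cpu/*/msr`, and root privileges to read it.

```python
"""Report CPUs whose hardware prefetchers have been disabled through MSR writes."""
from __future__ import annotations

import glob
import os
import struct

# Intel MSR_MISC_FEATURE_CONTROL. A *set* bit disables the named prefetcher;
# on an untouched server all four bits are normally clear (value 0).
MSR_MISC_FEATURE_CONTROL = 0x1A4
PREFETCH_BITS = {
    0: "L2 hardware prefetcher",
    1: "L2 adjacent cache line prefetcher",
    2: "DCU (L1 data) hardware prefetcher",
    3: "DCU IP prefetcher",
}


def decode_prefetch_msr(value: int) -> list[str]:
    """Return the names of prefetchers that are disabled in a raw MSR value."""
    return [name for bit, name in PREFETCH_BITS.items() if value & (1 << bit)]


def read_msr(cpu: int, reg: int) -> int:
    """Read one 64-bit MSR via the msr device node (root + msr module required)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, reg)  # MSR address is the file offset
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


def scan_prefetchers() -> dict[int, list[str]]:
    """Map each CPU index to its disabled prefetchers; an empty list is healthy."""
    findings: dict[int, list[str]] = {}
    for path in sorted(glob.glob("/dev/cpu/*/msr")):
        cpu = int(path.split("/")[3])
        findings[cpu] = decode_prefetch_msr(read_msr(cpu, MSR_MISC_FEATURE_CONTROL))
    return findings


if __name__ == "__main__":
    for cpu, disabled in scan_prefetchers().items():
        state = ", ".join(disabled) if disabled else "all prefetchers enabled"
        print(f"cpu{cpu}: {state}")
```

Any CPU reporting disabled prefetchers on a server whose BIOS has not been deliberately configured that way is worth correlating with unexpected processes and writes to `/dev/cpu/*/msr`.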
Disabling the hardware prefetcher lowers performance in legitimate applications. In turn, server operators either have to buy additional machines to meet their performance requirements or increase power limits for existing hardware. In either case, they increase power consumption and spend additional money.
The botnet has reportedly been in use since at least December 2020 and has targeted vulnerabilities in MySQL, Tomcat, Oracle WebLogic, and Jenkins, which indicates that it is flexible enough to attack various programs. It is unclear how widespread these attacks are, but they appear to be common enough for security researchers to study them.