May 14, 2022

The “Golang” Variant: This Is How Monero-mining Malware Works On Linux Web Servers

The new version of a virus or malware You can get 15% more performance than the capacity of the computers it infects; exactly, web servers based on the Linux operating system or software, to mine the monero cryptocurrency (XMR).

Linux based servers are used by companies like Google, IBM, Dell, Oracle y Amazon. The latter has a service widely used on the Internet: Amazon Web Services, which could be dangerous since the virus has the ability to spread between servers on the network.

However, no incidents have been reported with these companies, except for Oracle WebLogic, due a known vulnerability, say researchers.

The Uptycs firm published a report where he explains how a malware worm type, when it infects a Linux-based network server, can disable predictive memory and performance features of hardware or CPU, specifically the hardware prefetching.

The hardware prefetching It consists of a series of processes that allow the software to predict the way in which it will manage memory and overall performance, before the operations that will be executed later, and cache these instructions, to transmit them to main memory when the time comes.

Part of the malicious code detected in the Uptycs investigation. The virus introduces a registry modification driver or MSR, which in turn allows it to stop or enable processes related to the infected hardware. Source: Uptycs

Having obtained the necessary space and capacity, the worm can download, install and deploy a software known as XMRig, which is open source and widely used by the monero miners (XMR) community around the world.

In this case, the attacker would maliciously apply this mining software, taking advantage of the victim to obtain XMR fraudulently, in addition to potentially infecting other computers.

The researchers note that the first version of this virus had been detected in December 2020, and it was also intended to mine XMR. However, he did not have the ability to disable the hardware prefetching, allowing you to get better performance from mining.

The Go (Golang) language-based worm, which attacks vulnerable Linux-based or similar servers [*nix o UNIX ], exploits known vulnerabilities among popular web servers, seeking to spread itself and also include the miner.

The new variant of the worm was identified in June 2021 by our threat intelligence system. Although some functions were similar to those discussed by the firm Intezer last year, the new variants of this malware have a lot of capabilities up their sleeve.


The firm argues that while XMRig mining software is not malicious, it includes a recommendation in its Open Source for users to get better performance from mining, optimizing performance of the RandomX algorithm, with which the Monero network works.

Web servers aren’t new to XMR-mining malware

Uptycs concluded the investigation by noting that the malwares Miners remain a latent and constant threat in the ecosystem. They also warn that drivers used by the virus can leave permanent damage to the functioning of the servers of entities and companies that are part of important networks in the corporate world.

Although Amazon has not been affected by this particular virus, as far as information is available, in August 2020 it was affected by a malicious XMR miner, CriptoNoticias reported.

Web servers can be attractive for different types of malware not only because of the enormous memory and processing capacity they have, but also because of the connectivity they enjoy, which facilitates the infection of malware on other computers and servers over networks (web).

We want to give thanks to the author of this post for this remarkable web content

The “Golang” Variant: This Is How Monero-mining Malware Works On Linux Web Servers