article featured image


The new Golang version wreaks havoc in the world of crypto mining worms. The fresh variant of the Golang crypto worm is constructed on XMRig. Its goal is to target certain machines and exploit web vulnerabilities by further deploying Monero-mining malware. What’s more is that the mining process becomes more efficient as a result of this, being accelerated by 15% by the payload binaries.

New Golang Version Based on XMRig: What Is XMRig?

XMRig is a term related to cryptocurrency. It is basically a miner that mines the Monero cryptocurrency via a compromised computer. The goal is to make lots of money. What can it do to a computer? Well, it can severely affect its capabilities, making it overheat or maybe not run properly, because it uses supplementary resources.

How Does the New Golang Version Work?

Uptycs researchers have released a report where they detail how the new Golang version works and what are its targets.

The new Golang version follows the below steps:

  • It takes advantage of 2 existing vulnerabilities: CVE-2017-11610 and CVE-2020-14882.
  • CVE-2017-11610 is a vulnerability that allows remote code execution and can be found in the XML-RPC Server.
  • CVE-2020-14882 stands for a path-traversal bug that exploits Web Logic servers.
  • Both above-mentioned vulnerabilities can be encountered in web servers that are Unix and Linux-based ones.
  • How is CVE-2020-14882 abused? Well, threat actors try to skip the authentication procedure. How? They change the URL by engaging in a path traversal creation. Then double encoding on /console/images is performed.
  • We are at the point when vulnerabilities have been exploited. The next step is to download the worm embedded with curl utility by making use of a shell script (ldr.sh).
  • What’s more is that the utilized script functions via evasion tactics: it can compromise firewalls or it can turn off monitoring agents.
  • Then, in the initial stage, the worm is UPX compressed and written in Golang.
  • How is XMRig cryptominer inserted? Through a go-bindata package.

According to Cyware, the XMRig that was changed targets hardware. Threat actors used XMRig based adjusted binaries. What can the changed miner do is that it has the capabilities to disable the hardware prefetcher. This is how the increase of 15% in speed is accomplished.

Xmrig miners use the RandomX algorithm which generates multiple unique programs that are generated by data selected from the dataset generated from the hash of a key block. The code to be run inside the VM is generated randomly and the resultant hash of its outcome is used as proof of work.


Cryptocurrency cyberattacks have actually increased recently. Let’s look at Poly Network who has recently lost the fabulous sum of $611 million in a grand cryptocurrency cyberattack. The matter of crypto hacking is supported also by the statistics released by FTC in May, where losses of $80 Million were reported.

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

Leave a Reply

Your email address will not be published. Required fields are marked *