Satori botnet, the ethereum thief
A new version of the notorious Satori malware has recently started targeting Ethereum mining.
The malware strain known as Satori has for some time been targeting security cameras, internet routers, and a host of other IoT devices. Now a new member of the Satori family has been discovered that affects Ethereum mining rigs. As late as December 2017, Satori was still observed focusing on exploiting bugs in routers from manufacturers such as D-Link and Huawei. The malware, which is thought to be based on the infamous Mirai botnet, had already compromised thousands of personal devices by exploiting security flaws in Realtek- and Huawei-based routers.
According to security researchers from Qihoo 360 Netlab, the latest Satori strain searches the internet for Windows-based machines that run the Claymore mining program and then attacks them. Given the similarities between this strain and the rest of the Satori family, the researchers believe that the group behind Satori is responsible for the latest attack campaign.
The botnet, known as Satori.Coin.Robber, was discovered on January 8. It also scans ports 52869 (CVE-2014-8361 in Realtek SDK-based devices) and 37215 (CVE-2017-17215 zero-day in Huawei routers), as earlier Satori variants did; the ability added in this variant is scanning for Ethereum mining rigs on management port 3333.
Once the malware has infiltrated and hijacked a rig, it replaces the miner's wallet address with the attackers' own, so that all coins the rig mines are paid to the attackers instead of the owner. Researchers have not yet confirmed how many devices have been affected. However, Dwarfpool confirms that the wallet address linked to the attackers so far holds only two coins, which currently equates to $2,160.
Satori.Coin.Robber operates by abusing a feature of the Claymore software that lets a user monitor and manage mining remotely. This issue has already been addressed in the software provider's update, version 10.2. According to the researchers, the attack abuses certain management actions on port 3333 that do not require password authentication.
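The exposure the researchers describe is easy to check for on your own rigs: Claymore's remote-management interface is a newline-terminated JSON-RPC object over raw TCP, and the read-only `miner_getstat1` query (the same one ordinary monitoring dashboards send) answers without credentials on an unprotected port. The audit script below is an added example, not code from the article or from Netlab or Claymore; it sends only that read-only query to hosts you list, and its probe function is injectable so the classification logic can be exercised offline with a constructed reply. The reply shapes it distinguishes (a `result` object when unauthenticated, an `error` object when refused) are assumptions about the protocol, and the sample reply and addresses are constructed.

```python
"""Audit which rigs answer Claymore's management JSON-RPC on TCP 3333 without a password.

Added example (not from the article, Netlab, or Claymore). Sends only the read-only
miner_getstat1 query; run it against hosts you administer.
"""
import json
import socket
from typing import Callable, Dict, Iterable, Optional

# Request shape used by Claymore's remote management: one JSON-RPC object per line.
# Assumed from the publicly documented monitoring protocol; verify against your build.
STAT_REQUEST = {"id": 0, "jsonrpc": "2.0", "method": "miner_getstat1"}

# Constructed sample reply of an unprotected miner (fields abbreviated), used by the demo.
SAMPLE_OPEN_REPLY = (
    b'{"id":0,"jsonrpc":"2.0","result":["10.0 - ETH","21","182724;51;0",'
    b'"eth-eu1.example:9999"]}\n'
)


def build_request() -> bytes:
    """Serialise the read-only status query as the miner expects it (newline-terminated)."""
    return (json.dumps(STAT_REQUEST) + "\n").encode()


def classify_response(raw: Optional[bytes]) -> str:
    """Map a reply (None when the port did not answer) to an audit finding.

    exposed-no-auth   : a JSON-RPC result came back, so the port needs no password
    reachable-refused : the miner answered with an error (assumed: password required)
    unreachable       : connection refused or timed out
    unexpected-reply  : something answered, but not with Claymore's JSON
    """
    if raw is None:
        return "unreachable"
    try:
        msg = json.loads(raw.decode(errors="replace"))
    except ValueError:
        return "unexpected-reply"
    if isinstance(msg, dict) and "result" in msg:
        return "exposed-no-auth"
    if isinstance(msg, dict) and "error" in msg:
        return "reachable-refused"
    return "unexpected-reply"


def probe_tcp(host: str, port: int = 3333, timeout: float = 3.0) -> Optional[bytes]:
    """Open a TCP connection, send the status query, return the raw reply or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_request())
            return sock.recv(65536)
    except OSError:
        return None


def audit(hosts: Iterable[str],
          probe: Callable[[str], Optional[bytes]] = probe_tcp) -> Dict[str, str]:
    """Probe every host and return {host: finding}. `probe` is injectable for testing."""
    return {host: classify_response(probe(host)) for host in hosts}


if __name__ == "__main__":
    # Offline demo with constructed addresses: one "open" rig, one that does not answer.
    fake_network = {"10.0.0.5": SAMPLE_OPEN_REPLY, "10.0.0.6": None}
    for host, finding in audit(fake_network, probe=fake_network.get).items():
        print(f"{host}: {finding}")
```

Any host reported as `exposed-no-auth` is in the state the botnet looks for: its management port accepts commands from anyone who can reach it. The fixes are the ones the article implies: update the miner, keep port 3333 off the internet (firewall it to the management network), and use the miner's own `-mport` option to disable or restrict remote management (check the readme of your version for the exact semantics).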
Interestingly, a developer from the Satori team contacted the Qihoo 360 Netlab researchers and stated that this particular bot had no malicious intent. Users are nevertheless advised to make sure their software is up to date to prevent any damage.