Satori botnet successor targets Ethereum mining rigs

Updated: A variant of the botnet targets rigs to covertly replace their wallet addresses.
Written by Charlie Osborne, Contributing Writer

The Satori botnet has raised its head once again with an unusual target -- rigs which mine the cryptocurrency Ethereum (ETH).

Satori, a botnet which exploits a Huawei vulnerability and bug in Realtek SDK-based devices to enslave PCs, was originally based on the notorious Mirai IoT botnet.

While Mirai secured millions of IoT devices by exploiting the use of default credentials, Satori was able to amass hundreds of thousands of devices purely through these two exploits.

Security teams rapidly responded to the threat and sinkholed the C&C server in December last year, but it is possible this new variant is the creation of the same threat actor, due to similarities in code and scanning capabilities.

In a report published on Wednesday, Qihoo 360 Netlab researchers said that a variant of Satori has been spotted in the wild which specializes in targeting vulnerable ETH mining rigs.

The latest variant, dubbed Satori.Coin.Robber, was first spotted on 8 January and hosts the same exploits. However, a new capability added to this creation is the scanning of mining hosts -- usually based on Microsoft Windows operating systems -- through management port 3333.

The botnet searches for Claymore Miner software and "replaces the wallet address on the hosts with its own wallet address," according to the team.

Based on the payout pool connected to the botnet, the Satori variant is active and has a hashrate of 1309.06 MH/S.

The account has secured 0.9566 ETH ($837) in the past two days and has already paid out 1.010007 in ETH ($884).

"It [the botnet] works primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config)," the team says. " In order to prevent potential abuse, we will not discuss [in] too much detail."

When a mining rig has been successfully exploited, Satori.Coin.Robber issues three payloads. The first is a package which gathers the mining state of the rig, another replaces the mining pool's wallet address by updating the reboot.bat file, and a third which reboots the host with the new address, leading to the theft of any ETH the victim mines.

In an interesting turn of events, an individual who has claimed responsibility for Coin Robber contacted Netlab, saying, "Satori dev here, don't be alarmed about this bot it does not currently have any malicious packeting purposes move along."

Whether or not this is to be believed is up for debate.

See also: Shodan: The IoT search engine for watching sleeping kids and bedroom antics

Over the Christmas season, an unknown threat actor released the working code for the router exploit used by the Satori botnet. Researchers predicted the release of the code for free online would result in copy-paste botnets, and this prophesy seems to have come to pass.

Users of the Claymore mining software should make sure they are using the latest version of the software to keep their mined cryptocurrency safe.

Update 14.45GMT: Updated for additional clarity. ZDNet has reached out to Netlab with additional questions and will update if we hear back.

Internet of Things gadgets to make your home smarter

Previous and related coverage

Editorial standards