
The Satori botnet has raised its head once again with an unusual target — rigs which mine the cryptocurrency Ethereum (ETH).


Satori, a botnet which exploits a Huawei vulnerability and a bug in Realtek SDK-based devices to enslave PCs, was originally based on the notorious Mirai IoT botnet.

While Mirai secured millions of IoT devices by exploiting the use of default credentials, Satori was able to amass hundreds of thousands of devices purely through these two exploits.

Security teams rapidly responded to the threat and sinkholed the C&C server in December last year, but it is possible this new variant is the creation of the same threat actor, due to similarities in code and scanning capabilities.

In a report published on Wednesday, Qihoo 360 Netlab researchers said that a variant of Satori has been spotted in the wild which specializes in targeting vulnerable ETH mining rigs.

The latest variant, dubbed Satori.Coin.Robber, was first spotted on 8 January and hosts the same exploits. However, a new capability added to this creation is the scanning of mining hosts — usually based on Microsoft Windows operating systems — through management port 3333.

The botnet searches for Claymore Miner software and “replaces the wallet address on the hosts with its own wallet address,” according to the team.

Based on the payout pool connected to the botnet, the Satori variant is active and has a hashrate of 1309.06 MH/S.

The account has secured 0.9566 ETH ($837) in the past two days and has already paid out 1.010007 in ETH ($884).

“It [the botnet] works primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config),” the team says. “In order to prevent potential abuse, we will not discuss [in] too much detail.”

When a mining rig has been successfully exploited, Satori.Coin.Robber issues three payloads. The first is a package which gathers the mining state of the rig, the second replaces the mining pool’s wallet address by updating the reboot.bat file, and the third reboots the host with the new address, leading to the theft of any ETH the victim mines.

In an interesting turn of events, an individual who has claimed responsibility for Coin Robber contacted Netlab, saying, “Satori dev here, don’t be alarmed about this bot it does not currently have any malicious packeting purposes move along.”

Whether or not this is to be believed is up for debate.


Over the Christmas season, an unknown threat actor released the working code for the router exploit used by the Satori botnet. Researchers predicted the release of the code for free online would result in copy-paste botnets, and this prophecy seems to have come to pass.

Users of the Claymore mining software should make sure they are using the latest version of the software to keep their mined cryptocurrency safe.
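For rig owners who want to check for the two conditions described above (a replaced wallet address in reboot.bat and a management port left open without a password), the following audit script is an added example, not code from Netlab, ZDNet or the Claymore project. The option names `-ewal`, `-mport`, `-mpsw` and `-epool`, and the rule that a positive `-mport` value permits management while a negative one is read-only, are assumptions taken from the Claymore miner's documentation rather than from this article; `miner.exe`, the pool host and the wallet values are constructed placeholders.

```python
import re

WALLET = re.compile(r"0x[0-9a-fA-F]{40}")

def audit_script(text, expected_wallet):
    """Audit one batch file (start script or reboot.bat); return finding codes."""
    wallets, mport, has_psw = [], None, False
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() == "rem" or tokens[0].startswith("::"):
            continue  # blank line or batch comment
        for opt, val in zip(tokens, tokens[1:]):
            opt = opt.lower()
            if opt == "-ewal":
                # The value may carry a worker suffix, e.g. 0x<40 hex>.rig1
                m = WALLET.match(val.strip('"'))
                wallets.append(m.group(0).lower() if m else val)
            elif opt == "-mport":
                mport = val
            elif opt == "-mpsw":
                has_psw = True
    findings = []
    if any(w != expected_wallet.lower() for w in wallets):
        findings.append("WALLET_MISMATCH")
    if mport is None:
        if wallets:  # a miner launch line that relies on the version's default
            findings.append("MPORT_NOT_SET")
    elif not re.fullmatch(r"-?\d+", mport):
        findings.append("MPORT_UNPARSEABLE")
    elif int(mport) > 0:  # assumed: positive = management allowed, negative = read-only
        findings.append("MGMT_READ_WRITE" if has_psw else "MGMT_READ_WRITE_NO_PASSWORD")
    return findings

# Constructed sample data: placeholder wallets, pool and executable name.
EXPECTED = "0x" + "1a" * 20
TAMPERED = "miner.exe -epool pool.example:4444 -ewal 0x" + "9f" * 20 + " -mport 3333\n"
HARDENED = ("rem owner config\nminer.exe -epool pool.example:4444 -ewal "
            + EXPECTED + ".rig1 -mport -3333\n")
STOCK_REBOOT = "shutdown /r /t 5 /f\n"

if __name__ == "__main__":
    for name, text in [("tampered", TAMPERED), ("hardened", HARDENED),
                       ("stock", STOCK_REBOOT)]:
        print(name, audit_script(text, EXPECTED))
```

Run it against every batch file in the miner directory with the owner's real wallet as `expected_wallet`; any `WALLET_MISMATCH` finding means payouts are being directed elsewhere.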

Update 14.45GMT: Updated for additional clarity. ZDNet has reached out to Netlab with additional questions and will update if we hear back.
