A new variant of the Satori botnet has raised again with a new target, and this one is hacking into Claymore mining rigs (which mine the cryptocurrency Ethereum (ETH)) and replacing the machine owner’s mining wallet address with the attacker’s wallet.
Satori is a botnet which uses a Huawei vulnerability and security issue in Realtek SDK-based devices to take over devices that are using old firmware.
Qihoo 360 Netlab security researchers said that “Satori.Coin.Robber” was first detected on 8 January and hosts the same exploits of Mirai botnet. But, a new ability added to this variant is the scanning of mining rigs. The botnet scanned for ports 52869 (CVE-2014-8361 vulnerability in Realtek SDK-based devices) and 37215 (CVE-2017-17215 zero-day in Huawei routers).
According to researchers:
What really stands out is something we had never seen before, this new variant actually hacks into various mining hosts on the internet (mostly windows devices) via their management port 3333 that runs Claymore Miner software, and replaces the wallet address on the hosts with its own wallet address.
Based on the payout pool connected to the botnet, Satori botnet controls an average calculation power of 1106 MH/s. The botnet has already got the first ETH coin paid at 14:00 on January 11, 2017, with another 0.96 coin in the balance.
Users are recommended to check mining configurations and make sure they are using the latest version of the Claymore miner.