Updated: A variant of the botnet targets mining rigs to covertly substitute their wallet addresses.
By Charlie Osborne for Zero Day | January 17, 2018 — 12:28 GMT (04:28 PST) | Topic: Security
The Satori botnet has raised its head once again with an unusual target: rigs which mine the cryptocurrency Ethereum (ETH).
Satori, a botnet which exploits a Huawei vulnerability and a bug in Realtek SDK-based devices to enslave PCs, was originally based on the notorious Mirai IoT botnet.
While Mirai compromised millions of IoT devices by exploiting the use of default credentials, Satori was able to amass hundreds of thousands of devices purely through these two exploits.
Security teams rapidly responded to the threat and sinkholed the C&C server in December last year, but it is possible this new variant is the creation of the same threat actor, due to similarities in code and scanning capabilities.
In a report published on Wednesday, Qihoo 360 Netlab researchers said that a variant of Satori has been spotted in the wild which specializes in targeting vulnerable ETH mining rigs.
The latest variant, dubbed Satori.Coin.Robber, was first spotted on 8 January and hosts the same exploits. However, a new capability added to this creation is the scanning of mining hosts, usually running Microsoft Windows operating systems, through management port 3333.
The botnet searches for Claymore Miner software and "replaces the wallet address on the hosts with its own wallet address," according to the team.
Based on the payout pool connected to the botnet, the Satori variant is active and has a hashrate of 1309.06 MH/s.
The account has earned 0.9566 ETH ($837) in the past two days and has already paid out 1.010007 ETH ($884).
"It [the botnet] works primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config)," the team says. "In order to prevent potential abuse, we will not discuss [in] too much detail."
When a mining rig has been successfully exploited, Satori.Coin.Robber issues three payloads. The first is a package which gathers the mining state of the rig, the second replaces the mining pool's wallet address by updating the reboot.bat file, and the third reboots the host with the new address, leading to the theft of any ETH the victim mines.
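The two conditions described above, an unauthenticated management port and a wallet address swapped inside the miner's batch file, can both be checked from the rig itself. The following audit script is an added example written for this article, not code from Netlab or from Claymore; it assumes Claymore's documented option names (-ewal for the payout wallet, -mport for the management port, -mpsw for its password) and its EthDcrMiner64 binary name, and the batch file and wallet values below are constructed placeholders.

```python
import re

# Constructed sample of a Claymore start/reboot batch file; the wallet and pool
# values are obvious placeholders, not values from the article.
EXPECTED_WALLET = "0xOWNERWALLET0000000000000000000000000000"
SAMPLE_BAT = """\
setx GPU_FORCE_64BIT_PTR 0
EthDcrMiner64.exe -epool pool.example:4444 -ewal 0xATTACKERWALLET000000000000000000000000 -epsw x -mport 3333
"""

# Option names assumed from Claymore's documentation: -ewal (payout wallet),
# -mport (management port; a non-positive value is assumed to mean read-only
# or disabled) and -mpsw (management password).
FLAG_RE = re.compile(r"-([a-z]+)\s+(\S+)")


def parse_claymore_args(bat_text):
    """Return {flag: value} from the first EthDcrMiner64 command line, or None."""
    for line in bat_text.splitlines():
        if "EthDcrMiner64" in line:
            return {m.group(1): m.group(2) for m in FLAG_RE.finditer(line)}
    return None


def audit_miner_config(bat_text, expected_wallet):
    """Flag the two conditions Coin.Robber relies on: a wallet address that is
    not the owner's, and a management port that takes commands with no password."""
    args = parse_claymore_args(bat_text)
    if args is None:
        return ["no Claymore command line found"]
    findings = []
    wallet = args.get("ewal")
    if wallet is None:
        findings.append("no -ewal wallet argument present")
    elif wallet.lower() != expected_wallet.lower():
        findings.append(f"wallet mismatch: expected {expected_wallet}, found {wallet}")
    mport = args.get("mport")
    if mport is None:
        # The article reports the default config accepts commands on 3333 without a password.
        findings.append("no -mport set: default config, reported to accept commands on 3333 with no password")
    elif mport.lstrip("-").isdigit() and int(mport) > 0 and "mpsw" not in args:
        findings.append(f"management port {mport} accepts commands with no -mpsw password")
    return findings


if __name__ == "__main__":
    for finding in audit_miner_config(SAMPLE_BAT, EXPECTED_WALLET):
        print("FINDING:", finding)
```

Running this against the rig's actual start.bat and reboot.bat after each reboot, with the expected wallet kept outside the batch file, turns the silent substitution the article describes into a visible alert.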
In an interesting turn of events, an individual who has claimed responsibility for Coin Robber contacted Netlab, saying, "Satori dev here, don't be alarmed about this bot it does not presently have any malicious packeting purposes move along."
Whether or not this is to be believed is up for debate.
Over the Christmas season, an unknown threat actor released the working code for the router exploit used by the Satori botnet. Researchers predicted that releasing the code for free online would result in copy-paste botnets, and this prophecy seems to have come to pass.
Users of the Claymore mining software should make sure they are using the latest version of the software to keep their mined cryptocurrency safe.
Update 14.45 GMT: Updated for extra clarity. ZDNet has reached out to Netlab with further questions and will update if we hear back.