A new variant of the Satori botnet has sprung back to life, and this one is hacking into Claymore mining rigs and replacing the device owner's mining credentials with the attacker's own.
The attacks began on January 8, a Qihoo 360 Netlab security researcher told Bleeping Computer. Analysis of the malware's code suggests the same person behind the original Satori bot is behind this new wave as well.
History of the Satori botnet
The Satori botnet appeared in early December 2018 and was a heavily modified version of the infamous Mirai IoT DDoS malware.
Satori did not use brute-force attacks to break into devices using default and weak credentials, like the original Mirai did, but used exploit code to take over devices that were running with strong credentials but outdated firmware.
The botnet scanned for ports 52869 (CVE-2014-8361 vulnerability in Realtek SDK-based devices) and 37215 (CVE-2018-17215 zero-day in Huawei routers).
Using just these two exploits, Satori amassed between 500,000 and 700,000 bots. Seeing the immediate danger, Internet security groups reacted and took down Satori's original C&C servers around mid-December, two weeks after Satori appeared.
Netlab spots Satori.Coin.Robber variant
Now, almost three weeks after the botnet went silent, Netlab researchers have spotted a new Satori variant.
"The infection speed is much slower," Netlab researcher Li Fengpei told Bleeping Computer via email, "so don't be scared."
This new version keeps the old exploits but also adds another one. The third exploit was a total surprise for researchers because it does not target IoT and networking devices, as previous Satori payloads did.
Instead, Satori scans for port 3333 and deploys exploit code specific to the Claymore cryptocurrency mining software.
Netlab did not publish details about the exploit code to avoid further abuse, but said Satori targets a vulnerability in the management interface of the Claymore mining software that allows attackers to interact with the device without needing to authenticate.
The attacker breaks in and switches the Claymore mining configuration to one of his own that mines Ethereum.
He also leaves a message behind, in case the device owner notices the break-in, claiming that the modifications he made to the mining rig are not malicious (Spoiler: they are!).
At the time of writing, the Satori dev appears to have made 1.01000710 ETH (roughly $980) in the past ten days just by hijacking other people's Claymore miners. Owners are advised to review their mining configurations and make sure they're running an updated version of the Claymore software.
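Reviewing a rig's configuration for exactly this kind of tampering can be scripted. The following audit is an added example written for this article, not Netlab's or Claymore's code; it assumes Claymore's config.txt holds one command-line flag per line and relies on the documented flags -ewal (payout wallet), -mport (remote-management port; 0 disables it, a negative value makes it read-only) and -mpsw (management password), with the flag semantics and the unset-port default taken as assumptions.

```python
"""Audit a Claymore config.txt for a swapped payout wallet and an exposed
management port. Added example for this article; not Netlab's or Claymore's
code. Flag meanings (-ewal, -mport, -mpsw) are assumptions from Claymore's
documented command-line options.
"""
import re

# Constructed sample: the payout wallet has been replaced and the
# management port is still writable with no password set.
SAMPLE_CONFIG = """\
-epool eth-eu1.example-pool.test:9999
-ewal 0xATTACKERWALLET000000000000000000000000
-epsw x
-mport 3333
"""

EXPECTED_WALLET = "0xOWNERWALLET00000000000000000000000000000"  # constructed


def parse_config(text):
    """Map each '-flag value' line to a dict; '#' comments and blanks are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^-(\w+)\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def audit_config(text, expected_wallet):
    """Return a list of findings; an empty list means the config looks clean."""
    opts = parse_config(text)
    findings = []
    wallet = opts.get("ewal")
    if wallet is None:
        findings.append("no -ewal set")
    elif wallet.lower() != expected_wallet.lower():
        findings.append(f"payout wallet changed to {wallet}")
    # Assumption: an unset -mport behaves like the writable default 3333.
    mport = int(opts.get("mport", "3333"))
    if mport > 0 and not opts.get("mpsw"):
        findings.append(f"management port {mport} writable with no -mpsw password")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, EXPECTED_WALLET):
        print("FINDING:", finding)
```

Run it against the rig's real config.txt with the owner's own wallet in EXPECTED_WALLET; any finding means the configuration should be restored and the management interface locked down before the miner is restarted.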
Netlab published a report earlier today analyzing this new Satori variant, which they named Satori.Coin.Robber.
Other mining rig security incidents
In September 2018, Bitdefender noticed a wave of attacks that used default credentials to take over Ethereum mining rigs running ethOS.
In August 2018, security expert Victor Gevers found over 3,000 Bitcoin mining rigs with Telnet ports exposed on the Internet and no passwords. Most devices were located in China.
In April 2018, security researchers discovered a hidden backdoor in the firmware of Bitmain's Antminer mining rigs. The vulnerability was named Antbleed, and Bitmain issued a firmware update to fix the problem.