19 Jan New Satori botnet variant now targets cryptocurrency mining rigs, replaces wallet addresses
Satori, the infamous successor of the notorious Mirai botnet used to hijack hundreds of thousands of IoT devices worldwide, is now hopping onto the cryptocurrency bandwagon. A new variant of Satori, which means “awakening” in Japanese, has been found targeting computers dedicated to mining cryptocurrency.
According to researchers from China-based Qihoo Netlab 360, the Satori variant – dubbed Satori.Coin.Robber – is designed to target vulnerable rigs that runs the Claymore Miner software to mine Ethereum and replace the wallet address of the host with the hackers’ own address.
First spotted on 8 January, the botnet has been scanning for Windows systems that run Claymore and hacks into the mining rig via their management port 3333.
The most recent pay record connected to the botnet shows the Satori variant is still actively mining and has a hashrate of 2162.77 MH/s. The account has already cashed out a little more than 2 Etherium coins (currently worth $2,028, £1,467), with another 0.066 in ETH left in the balance.
Satori.Coin.Robber works “primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config)”, researchers said. “In order to prevent potential abuse, we will not discuss too much details.”
Upon analysing the malicious code, researchers found similarities between Satori.Coin.Robber and the original Satori, including similar code structures, the same UPX packing magic numbers, encrypted configurations and similar configuration strings, and the same payload.
However, the new variant also comes with another payload to target Claymore Miner on port 3333, features an asynchronous network connection (NIO) method and enables a new set of C2 communication protocols.
It is not clear how the new Satori is infecting these cryptomining rigs.
Once the rig is exploited, Satori.Coin.Robber issues three payloads that gather the mining state of the computer, replaces the mining pool’s wallet address and then reboots the host with the new address, allowing any mined Ethereum to be directed towards the hackers.
Researchers noted that the author behind Satori.Coin.Robber claims the code is not malicious and has even left an email address behind.
“Satori dev here, dont be alarmed about this bot,” the message reads. “It does not have any malicious packeting purposes, move along.”
The Satori variant comes less than a month after hackers posted the working code for a Huawei router exploit, which was used by the Satori botnet, for free on PasteBin during the holiday season in December.
Researchers at NewSky Security who spotted the code warned at the time, “When an IoT exploit becomes freely available, it hardly takes much time for threat actors to up their arsenal and implement the exploit as one of the attack vectors in their botnet code.”