The infamous Satori botnet has once again been caught in the wild, this time targeting rigs mining for the Ethereum cryptocurrency. Researchers dubbed this latest iteration Satori.Coin.Robber.
Satori is a botnet that exploits a flaw in Huawei and a bug in Realtek SDK-based devices. These vulnerabilities have been exploited to attack and infect computers. The botnet itself was written on top of the devastating Mirai IoT botnet. Satori’s operators exploited just these two vulnerabilities to successfully target hundreds of devices, researchers reported.
Satori Operators Switch to Ethereum Cryptocurrency Theft in Satori.Coin.Robber Operation
Even though security researchers were quick to respond to the attacks and halted the command and control server in December, 2017, it’s very likely that the same operators are behind the latest Satori attacks. Threat actors just shifted towards what’s trendiest at the moment – cryptocurrency.
“Starting from 2018-01-08 10:42:06 GMT+8, we noticed that one Satori’s successor variant (we name it Satori.Coin.Robber) started to reestablish the entire botnet on ports 37215 and 52869,” said Netlab researchers who discovered the new attacks.
These new attacks are quite unique in their nature. The new Satori variant hacks into various mining hosts on the internet through their management port 3333 that runs the Claymore Miner software. The malware then replaces the wallet address on the hosts with its own wallet address. The compromised devices are mostly running Windows.
Researchers are saying that Satori.Coin.Rober is currently mining actively. The malware also has an average calculation power of 1606 MH/s for the last couple of days. The account of the cybercriminals has accumulated 0.1733 Ethereum in a day.
Curiously enough, the author of the botnet has left his email address, visible in the following note:
Satori dev here, dont be alarmed about this bot it does not currently have any malicious packeting purposes move along. I can be contacted at firstname.lastname@example.org
As for the mining part – when a mining rig is exploited, the Satori.Coin.Robber botnet releases three payloads. The first payload is in the form of a package that collects information about the mining state of the rig. The second payload replaces the wallet addresses by updating the reboot.bat file. The last payload reboots the host device with the new address which leads to the theft of the Ethereum mined by the victim.
For more information, read the whole report.