Satori botnet

A so-called "script kiddie" is behind the recently discovered Satori botnet, which alarmed security researchers because of its rapid growth to hundreds of thousands of compromised devices.

Researchers say that a hacker using the handle Nexus Zeta created Satori, a variant of the Mirai IoT malware whose source code was released online in October 2016.

Satori botnet used Huawei zero-day

Satori, which is also tracked as Mirai Okiru, came to life around November 23, 2017, when the malware started spreading on the Internet.

Satori was extremely virulent, infecting many devices from the start. Unlike previous Mirai versions, it did not rely on Telnet credential brute-forcing to spread; it used exploits instead.

More precisely, it scanned TCP port 52869 and exploited CVE-2014-8361 (a command-injection flaw in the Realtek SDK's miniigd UPnP SOAP service, present in D-Link and other devices built on that SDK), and it scanned TCP port 37215 and used an exploit that was unknown at the time.

The second exploit was later identified as a zero-day (CVE-2017-17215) affecting Huawei HG532 routers. Huawei issued updates and a security alert about a week after the attacks started, after being notified by Check Point researchers.

Bleeping Computer first reported on Satori on December 5, when the botnet started showing up in the honeypots of various security researchers and cyber-security firms. At the time, the botnet counted over 280,000 bots, the vast majority of them located in Argentina.

Since then, the botnet has heavily infected devices at Internet service providers in Egypt, Turkey, Ukraine, Venezuela, and Peru.

Satori botnet C&C servers taken down

Over the past weekend, representatives from numerous ISPs and cyber-security firms intervened and took down the main Satori botnet C&C servers, according to industry insiders who spoke with Bleeping Computer. At the time of the takedown, the botnet counted between 500,000 and 700,000 bots, according to rough estimates.

Immediately after the takedown, scan activity on ports 52869 and 37215 spiked sharply, according to insight Netlab researchers provided to Bleeping Computer. The most likely scenario is that Nexus Zeta is scanning for bots to build another Satori instance.
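The two scan-and-exploit ports described above, and the post-takedown spike Netlab observed on them, are what a network defender would watch for. The following is an added example, not code from Bleeping Computer or from the Netlab, Check Point or Fortinet reports: a small Python detector that counts the unique source IPs sending TCP SYNs to ports 52869 and 37215 in iptables/netfilter-style firewall logs and flags a surge relative to a baseline window. The log lines, the `FW-IN:` log prefix, the hostname and the IP addresses (RFC 5737 documentation ranges) are constructed for the example, and the 3x spike threshold is an arbitrary assumption.

```python
"""Flag a surge of probes against the two ports Satori scanned.

Added example for this article; not code from Bleeping Computer, Netlab,
Check Point or Fortinet. Input is iptables/netfilter LOG-style syslog text;
the log prefix, hostname and IP addresses below are constructed.
"""
import re
from collections import defaultdict

# Ports Satori scanned and the exploit it paired with each, per the article.
SATORI_PORTS = {
    52869: "CVE-2014-8361 (Realtek SDK miniigd UPnP)",
    37215: "CVE-2017-17215 (Huawei HG532)",
}

# Pull the three key=value fields we need out of an iptables LOG line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s.*?"
    r"PROTO=(?P<proto>\w+)\s.*?"
    r"DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, proto, dpt, is_syn_probe) or None for non-firewall lines.

    is_syn_probe is True only for a bare SYN (no ACK): an inbound connection
    attempt, as opposed to a reply to one of our own connections.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    tokens = line.split()
    is_syn_probe = "SYN" in tokens and "ACK" not in tokens
    return m.group("src"), m.group("proto"), int(m.group("dpt")), is_syn_probe


def scan_sources(lines, ports=SATORI_PORTS):
    """Map each watched port to the set of unique IPs that sent it a TCP SYN."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dpt, is_syn_probe = parsed
        if proto == "TCP" and is_syn_probe and dpt in ports:
            hits[dpt].add(src)
    return dict(hits)


def spike_report(baseline_lines, current_lines, factor=3.0, ports=SATORI_PORTS):
    """Compare unique scanners per port across two windows; flag growth >= factor.

    The 3x threshold is an arbitrary assumption for this example; tune it to
    the background scan rate your own sensors normally see on these ports.
    """
    before = scan_sources(baseline_lines, ports)
    after = scan_sources(current_lines, ports)
    report = {}
    for port, cve in ports.items():
        b = len(before.get(port, ()))
        a = len(after.get(port, ()))
        # With no baseline scanners at all, any scanner counts as a spike.
        spike = a >= factor * b if b else a > 0
        report[port] = {"cve": cve, "baseline": b, "current": a, "spike": spike}
    return report


def _mk(ts, src, dpt, flags="SYN", proto="TCP"):
    """Build a constructed iptables LOG line (addresses are RFC 5737 ranges)."""
    return (f"{ts} gw kernel: FW-IN: IN=eth0 OUT= SRC={src} DST=198.51.100.2 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO={proto} SPT=40123 "
            f"DPT={dpt} WINDOW=14600 RES=0x00 {flags} URGP=0")


# Constructed sample windows: a quiet day, then the post-takedown surge.
BASELINE_LOGS = [
    _mk("Dec  8 01:00:01", "203.0.113.10", 37215),
    _mk("Dec  8 01:05:12", "203.0.113.11", 37215),
    _mk("Dec  8 01:07:40", "203.0.113.12", 52869),
    _mk("Dec  8 01:08:15", "203.0.113.14", 52869),
    _mk("Dec  8 01:09:03", "203.0.113.13", 23),                # Telnet, not watched
    "Dec  8 01:10:00 gw sshd[1]: Accepted publickey for ops",  # unrelated noise
]
CURRENT_LOGS = (
    [_mk("Dec  9 01:00:01", f"192.0.2.{i}", 37215) for i in range(1, 9)]
    + [_mk("Dec  9 01:02:00", "192.0.2.1", 37215)]                     # repeat source, counted once
    + [_mk("Dec  9 01:03:00", f"192.0.2.{i}", 52869) for i in range(20, 24)]
    + [_mk("Dec  9 01:04:00", "192.0.2.99", 37215, flags="SYN ACK")]   # reply, ignored
    + [_mk("Dec  9 01:05:00", "192.0.2.98", 37215, flags="", proto="UDP")]  # not TCP, ignored
)

if __name__ == "__main__":
    for port, r in spike_report(BASELINE_LOGS, CURRENT_LOGS).items():
        flag = "SPIKE" if r["spike"] else "ok"
        print(f"{port}/tcp {r['cve']}: {r['baseline']} -> {r['current']} unique sources [{flag}]")
```

Counting unique sources rather than raw packets matters here: a single noisy host retrying a probe should not look like a botnet rebuilding, while hundreds of fresh sources on 37215 within an hour, as reported after the takedown, should.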

Satori port scans after takedown

Script kiddie behind Satori

In a report published yesterday, Check Point researchers identified the Satori botnet author as the aforementioned Nexus Zeta.

Researchers say they tracked him down because he registered domains used in the Satori infrastructure with an email address that was also used for an account on HackForums, an infamous meeting place for wannabe hackers.

"Although he is rarely active in such forums, the few posts he does make disclose an [sic] less professional actor," Check Point says.

A forum post made on November 22, a day before Satori activity started to be detected, shows Nexus Zeta asking for help in setting up a Mirai botnet (Satori is a Mirai variant).

Nexus Zeta HackForums post

Hello, I'm looking for someone to help me compile the Mirai botnet. I heard all you have to do is compile it and you have access to 1 terabit per second, so please help me set up a Mirai Telnet botnet.

Two questions remain for the time being. The first is "Will Satori make a comeback?" and the second is "Did Nexus Zeta discover the complex Huawei zero-day on his own, or did he buy it from somewhere else?"

Based on information Bleeping Computer obtained, Satori has not been identified as the source of any major DDoS attack in the past few weeks.

The Satori (Mirai Okiru) botnet should not be confused with another Mirai botnet that emerged last month and is based on the Mirai Akuma variant.

This article was compiled from information provided by industry insiders who asked to remain anonymous, as well as from reports by Qihoo 360 Netlab, Fortinet, and Check Point. If you're looking for IOCs and an analysis of the Satori malware's inner workings, we recommend reading those reports.