Satori botnet

A new variant of the Satori botnet has sprung back to life, and this one is hacking into Claymore mining rigs and replacing the device owner's mining credentials with the attacker's own.

The attacks started on January 8, a Qihoo 360 Netlab security researcher has told Bleeping Computer. Analysis of the malware's code suggests the same person behind the original Satori bot is behind this new wave as well.

Brief history of the Satori botnet

The Satori botnet appeared in early December 2017 and was a heavily modified version of the infamous Mirai IoT DDoS malware.

Satori did not use brute-force attacks to break into devices using default and weak credentials —like the original Mirai— but used exploit code to take over devices running with strong credentials, but using old firmware.

The botnet scanned for ports 52869 (CVE-2014-8361 vulnerability in Realtek SDK-based devices) and 37215 (CVE-2017-17215 zero-day in Huawei routers).

Using just these two exploits, Satori amassed between 500,000 and 700,00 bots. Seeing the immediate danger, Internet security groups reacted and took down Satori's original C&C servers around mid-December, two weeks after Satori appeared.

Netlab spots Satori.Coin.Robber variant

Now, almost three weeks after the botnet went silent, Netlab researchers have spotted a new Satori variant.

"The infection speed is much slower," Netlab researcher Li Fengpei told Bleeping Computer via email, "so don’t be panic."

This new version keeps the old exploits, but also adds another one. The third exploit was a total surprise for researchers because it did not target IoT and networking devices, like previous Satori payloads.

Satori scans on port 3333

Instead, Satori scanned for port 3333 and deployed exploit code specific to Claymore cryptocurrency mining software.

Netlab did not publish details about the exploit code to avoid further abuse, but said Satori targets a vulnerability affecting the management interface of Claymore mining software that allows attackers to interact with the device without needing to authenticate.

The attacker breaks in and changes Claymore mining configuration to one of his own that mines Ethereum.

New pool:
New wallet: 0xB15A5332eB7cD2DD7a4Ec7f96749E769A371572d

He also leaves a message behind, in case the device owner notices the break-in, claiming the modifications he made to the mining rig are not malicious (Spoiler: They are!).

Satori dev here, dont be alarmed about this bot it does not currently have any malicious packeting purposes move along. I can be contacted at

At the time of writing, the Satori dev appears to have made 1.01000710 ETH (~ $980) in the past ten days just by hijacking other people's Claymore miners. Owners are advised to review mining configurations and make sure they're running an updated version of the Claymore software.

Netlab published a report earlier today analyzing this new Satori variant, which they named Satori.Coin.Robber.

Other mining rig security incidents

In September 2017, Bitdefender noticed a wave of attacks that used default credentials to take over Ethereum mining rigs running ethOS.

In August 2017, security expert Victor Gevers found over 3,000 Bitcoin mining rigs with Telnet ports exposed on the Internet and no passwords. Most devices were located in China.

In April 2017, security researchers discovered a hidden backdoor in the firmware of Bitmain's Antminer mining rigs. The vulnerability was named Antbleed and Bitmain issued a firmware update to fix the problem.

Related Articles:

Necurs Botnet Distributing Sextortion Email Scams

Emotet Trojan Begins Stealing Victim's Email Using New Module

AutoHotkey Malware Is Now a Thing

Exposed Docker APIs Continue to Be Used for Cryptojacking

Bushido-Powered DDoS Service Whipped Up from Leaked Code