
The operators of the Satori botnet are mass-scanning the Internet for exposed Ethereum mining rigs, according to three sources in the infosec community who've observed the malicious behavior: SANS ISC, Qihoo 360 Netlab, and GreyNoise Intelligence.

More precisely, the crooks are scanning for devices with port 3333 exposed online, a port commonly used for remote management by a large amount of cryptocurrency-mining equipment.

Scans have been taking place for almost a week

The scans started on May 11, according to researchers from Netlab, the first to observe them, and the ones who tied their activity to the Satori botnet.

More details emerged a day later when GreyNoise analysts managed to demystify the scans and analyze the behavior on a compromised device.

GreyNoise says crooks were actively looking for equipment running the Claymore mining software.

"Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the 'dwarfpool' mining pool and use the attacker's ETH wallet," GreyNoise says.

GPON routers used to scan and compromise mining rigs

GreyNoise also tied the scans to a group of IP addresses located in Mexico, on the networks of two ISPs that, just a few days earlier, had thousands of GPON routers compromised and attacked by five different botnets.

Based on the current evidence, Satori, one of the five botnets, was using the GPON routers to scan for Claymore miners, deploy an exploit, and hijack the devices to mine Ethereum and Decred cryptocurrencies for the Satori operators.

Yesterday, Netlab researchers published a blog post confirming GreyNoise's initial discovery.

"The source of this [port 3333] scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico," Netlab said.

More details emerged later in the evening, as Johannes B. Ullrich of SANS ISC also managed to identify the exploit used by the attackers: a remote code execution flaw (CVE-2018-1000049) affecting the Nanopool Claymore Dual Miner software, for which public proof-of-concept code exists online.
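Two defender-side signals follow from the reports above: a burst of distinct sources probing TCP/3333, and a rig opening a connection to a pool its operator never configured (what a reconfigured rig does once it is pointed at the attacker's pool and wallet). This added example, not code from the article or from any of the researchers it cites, checks both over constructed connection-log lines; the log format, the 10.0.0.0/8 rig network, the thresholds and all addresses are assumptions.

```python
"""Flag (1) many distinct external sources hitting the Claymore management port
and (2) a rig talking to a pool that is not on the operator's allowlist.
Log format (constructed for this example): "<epoch> <src_ip> <dst_ip> <dst_port>".
"""
import ipaddress

MGMT_PORT = 3333                 # Claymore remote-management port seen in the scans
SCAN_WINDOW_SECS = 60            # window in which probe sources are counted (assumed)
SCAN_SOURCE_THRESHOLD = 5        # distinct sources per window that triggers an alert (assumed)
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed rig LAN (constructed)

# Constructed sample: five probes from distinct hosts, one repeat, one expected pool
# session, then one session to a pool the operator never configured.
SAMPLE_LOG = [
    "1526000000 203.0.113.1 10.0.0.5 3333",
    "1526000010 203.0.113.2 10.0.0.5 3333",
    "1526000020 203.0.113.3 10.0.0.5 3333",
    "1526000025 203.0.113.1 10.0.0.5 3333",
    "1526000030 203.0.113.4 10.0.0.5 3333",
    "1526000040 203.0.113.5 10.0.0.5 3333",
    "1526000050 10.0.0.5 192.0.2.10 4444",
    "1526000100 10.0.0.5 198.51.100.200 8008",
]
ALLOWED_POOLS = {("192.0.2.10", 4444)}   # constructed operator allowlist

def parse_line(line):
    ts, src, dst, port = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def detect(lines, allowed_pools):
    """Return sorted alert strings for the given connection-log lines."""
    alerts, probes = [], []          # probes: (ts, src) for inbound hits on MGMT_PORT
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if src not in LOCAL_NET and dst in LOCAL_NET and port == MGMT_PORT:
            probes.append((ts, src))
        elif src in LOCAL_NET and dst not in LOCAL_NET:
            # A rig should only ever open sessions to pools the operator configured.
            if (str(dst), port) not in allowed_pools:
                alerts.append(f"rig {src} connected to unexpected pool {dst}:{port}")
    probes.sort()
    start, max_distinct = 0, 0       # sliding window over probe timestamps
    for end in range(len(probes)):
        while probes[end][0] - probes[start][0] > SCAN_WINDOW_SECS:
            start += 1
        max_distinct = max(max_distinct, len({s for _, s in probes[start:end + 1]}))
    if max_distinct >= SCAN_SOURCE_THRESHOLD:
        alerts.append(f"port {MGMT_PORT} scan: {max_distinct} distinct sources within {SCAN_WINDOW_SECS}s")
    return sorted(alerts)

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_LOG, ALLOWED_POOLS)))
```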

This is not the first time we've seen intense scans for Ethereum mining rigs. A similar wave of scans took place last November.
