A newly discovered variant of the Satori botnet is targeting computers dedicated to mining cryptocurrency to steal Ethereum coins by exploiting a flaw in the Claymore Miner software, researchers have reported.
The ethereum-stealing version of Satori, dubbed Satori.Coin.Robber, appeared on 8 January 2018 and is designed to replace the wallet address for collecting the newly minted cryptocurrency with an address controlled by the botnet operator, according to researchers from China-based Qihoo Netlab 360.
To make the switch, the Satori malware connects to the Claymore Miner management interface on port 3333 of the mining computer and rewrites the configured wallet address; from then on, all coins generated by the infected computer are channelled into the attacker’s wallet.
The pay record connected to the botnet showed the Satori variant was still actively mining at the time of writing.
According to the researchers, the botnet has an average hashrate of 1606 MH/s and accumulates about 0.1733 ether (£123) in 24 hours.
Satori.Coin.Robber works “primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config),” the researchers said. “To prevent potential abuse, we will not discuss details.”
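A defender has two obvious checks against the wallet swap described above: alert when the payout address a rig reports no longer matches the operator’s own, and audit whether the miner’s remote-management interface is reachable without a password. The following is an added monitoring example, not code from the article or from Qihoo Netlab 360; the status snapshots and wallet addresses are constructed, the snapshot field names are assumed, and the `-mport`/`-mpsw` flag names are taken from Claymore’s own command-line documentation rather than from the article.

```python
import re

# Constructed placeholder addresses; not wallets involved in the reported incident.
EXPECTED_WALLET = "0x1111111111111111111111111111111111111111"
ROGUE_WALLET = "0x2222222222222222222222222222222222222222"

# Constructed status snapshots, as a monitoring agent might record them from a rig
# every few minutes (field names are assumed, not Claymore's real output format).
SAMPLE_SNAPSHOTS = [
    {"ts": "2018-01-08T10:00Z", "wallet": EXPECTED_WALLET, "mhs": 160.4},
    {"ts": "2018-01-08T10:05Z", "wallet": EXPECTED_WALLET, "mhs": 160.9},
    {"ts": "2018-01-08T10:10Z", "wallet": ROGUE_WALLET, "mhs": 160.7},
    {"ts": "2018-01-08T10:15Z", "wallet": ROGUE_WALLET, "mhs": 161.2},
]

ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def find_wallet_drift(snapshots, expected):
    """Return (ts, kind, wallet) alerts when the configured payout wallet is malformed
    or differs from the operator's own address. Only the snapshot in which the address
    changes is reported, so a persistent swap yields one alert rather than a flood."""
    alerts = []
    last_seen = expected.lower()
    for snap in snapshots:
        wallet = snap["wallet"]
        if not ETH_ADDRESS.match(wallet):
            alerts.append((snap["ts"], "malformed_wallet", wallet))
            continue
        if wallet.lower() != last_seen:
            kind = "wallet_restored" if wallet.lower() == expected.lower() else "wallet_changed"
            alerts.append((snap["ts"], kind, wallet))
            last_seen = wallet.lower()
    return alerts


def management_port_exposed(cmdline):
    """True when a miner command line leaves remote management writable with no password.
    Flag names -mport / -mpsw follow Claymore's documented options (assumed here; confirm
    against your version's readme). Per the article the default is port 3333 with no
    password, so a command line that never sets -mport counts as exposed."""
    args = cmdline.split()
    port = 3333
    if "-mport" in args:
        port = int(args[args.index("-mport") + 1])
    has_password = "-mpsw" in args
    # 0 disables the interface; a negative value makes it read-only (no wallet changes).
    return port > 0 and not has_password
```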
Analysis of the botnet code revealed similarities with the original Satori, including similar code structures, encrypted configurations, similar configuration strings, and the same payload.
However, the new variant also comes with a payload targeting the Claymore Miner that features an asynchronous network connection method and enables a new set of command and control communication protocols.
Researchers noted that the author behind Satori.Coin.Robber has claimed the code is not malicious, and has even left an email address behind.
“Satori dev here, don’t be alarmed about this bot. It does not have any malicious packeting purposes, move along,” the message reads, followed by an email address.
News of the Satori cryptocurrency-stealing variant comes less than a month after the code for a Huawei router exploit, which was used by the Satori botnet, was posted online.
In December 2017, security researchers reported that Satori had been used to hijack around 100,000 home routers in just 12 hours, warning that the botnet could unleash internet-crippling attacks at any time. The warning sparked a fresh call for manufacturers of internet of things (IoT) devices to do more to ensure their products cannot be hijacked for malicious purposes.
However, in reporting Satori.Coin.Robber, the Qihoo Netlab 360 researchers said Satori was under control thanks to the security community’s quick action in sinkholing its command and control communications.
“The spread of this new botnet has been temporarily halted, but the threat still remains,” they warned.
The migration of Satori from IoT devices to cryptocurrency miners is in line with other cyber crime operations switching their attention to cryptocurrencies as they gain in popularity and value.
Even North Korea’s Lazarus Group has reportedly begun targeting South Korean cryptocurrency exchanges and users, and researchers have warned that the group may soon go after exchanges and users in other countries as South Korea tightens its defences and works to crack down on cryptocurrencies.