New Satori Variant Found Targeting Claymore Mining Software to Mine Ethereum

On January 8, security researchers said that a new Satori botnet variant was found hacking into Claymore mining rigs, replacing the device owner’s mining credentials with the attacker’s own. Analysis of the malware’s code suggested that the same person is behind this variant and the original Satori bot.

According to the report, the new Satori variant  (detected as ELF_MIRAI.AUSV and ELF64_MIRAI.D) keeps the original's exploits but adds a new one that does not target IoT and networking devices, unlike previous Satori payloads. The new variant scanned for port 3333 and deployed exploit code specific to Claymore cryptocurrency mining software. Moreover, the researchers said that Satori targets a vulnerability that affects the management interface of Claymore mining software, allowing attackers to interact with the device without needing to authenticate. The attacker then uses the access to change the Claymore mining configuration to one of his own to mine Ehtereum.

The perpetrator of the new Satori variant has reportedly made 1.0100710 ETH, or $980 in the past ten days from hijacked Claymore miners. Owners should review their mining configurations and make sure they’re running the most current version of the Claymore software.

Satori (also known as Mirai Okiru and detected by Trend Micro as ELF_MIRAI.AUSR) was pegged to be the successor of the Mirai botnet, which is notorious for knocking high-profile websites offline. The most recent Satori botnet attack happened in December 2017, affecting 280,000 IP addresses in just 12 hours.

With the surge in popularity of IoT devices used in home and office networks, Satori is a threat that can cause a significant impact when it compromises those devices, exposing users and organizations to Distributed denial-of-service (DDoS) attacks, Domain Name System (DNS)-changing malware, and cryptocurrency-mining malware.

Defending against Satori

A vulnerable home network exposes devices and owners' privacy to risk. Users can prevent a botnet infection with these security best practices:

  • Opt for devices that go beyond functionality and ease of use that is big on security and privacy.
  • Change the device’s default settings and credentials to make them less prone to unauthorized access.
  • Update software and firmware to prevent vulnerability exploits.
  • Enable the router’s built-in firewall to add an extra layer of security.

Trend Micro Solutions

Trend Micro™ Security and Trend Micro Internet Security protect users from this threat, with security features that can detect malware at the endpoint level. Security solutions like Trend Micro™ Home Network Security can check internet traffic between the router and all connected devices to protect IoT devices. Enterprises can use Trend Micro™ Deep Discovery™ Inspector, which is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks.

Trend Micro Smart Home Network™ customers are protected from this threat via these rules:

  • 1134286 WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
  • 1134287 WEB Huawei Home Gateway SOAP Command Execution (CVE-2017-17215)

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.