Attacker has generated about $2,000 in digital coin so far in a scam that remains active
Satori—the malware family that wrangles routers, security cameras, and other Internet-connected devices into potent botnets—is crashing the cryptocurrency party with a new variant that surreptitiously infects computers dedicated to the mining of digital coins.
Satori, a botnet which exploits a Huawei vulnerability and bug in Realtek SDK-based devices to enslave PCs, was originally based on the notorious Mirai IoT botnet. Mirai took control of so-called Internet-of-Things devices and caused them to participate in distributed denial-of-service attacks that paralyzed large swaths of the Internet in 2016.
When Satori appeared in December, the underlying code was significantly overhauled. Instead of infecting devices that were secured with easily guessable default passwords, it exploited programming vulnerabilities in the device firmware.
In early December, Satori had infected more than 100,000 devices and reportedly grew much bigger in the following weeks.
After gaining control of the coin-mining software, the malware replaces the wallet address the computer owner uses to collect newly minted currency with an address controlled by the attacker.
From then on, the attacker receives all coins generated, and owners are none the wiser unless they take time to manually inspect their software configuration.
But since the attacks began, the botnet has managed to mine a single coin, which is worth about $1,300. That’s roughly equivalent to the output of 85 computers each running a Radeon Rx 480 graphics card or 1,135 computers running a GeForce GTX 560M
The botnet is among the latest hacking schemes capitalizing on the cryptocurrency craze. Others have focused on hijacking websites and Google Chrome browser extensions to secretly mine the digital currency Monero.
In regards to the Satori botnet, the hacker behind scheme is leaving a message on the mining rigs hit, according to Netlab. “Satori dev here, don’t be alarmed about this bot it does not currently have any malicious packeting purposes move along. I can be contacted at email@example.com,” the message reads.
The vulnerability in the Claymore software was actually part of a feature for remote monitoring of the Ethereum mining. The flaw appears to have been patched in version 10.2 of the software.