The malware, dubbed Satori.Coin.Robber, started to reestablish the Satori botnet sinkholed last December, but also hacks into Windows-based mining hosts running the popular Claymore Miner software.
Older versions of the Claymore Miner provide a remote monitoring and management interface on port 3333, which by default allow remote reading for mining status, the capability to restart the host, upload files, and so on.
Satori.Coin.Robber variants emerged around 2018-01-08, and in the next two days did a flurry of scanning for port 3333, but also for ports 37215 and 52869 (for Huawei’s HG532e home gateway and the Realtek SDK, respectively).
The scanning payload on port 3333
The exploit flung at machines that allow management actions on 3333 ports with no password authentication required (the default configuration) allows the botmaster to replace the mining pool and the wallet address on the host.
The host is then rebooted, and begins sending mined ETH coins to a wallet controlled by the botmaster.
Who’s behind it?
The many similarities between Satori and Satori.Coin.Robber could indicate that the same author is behind both of them.
Also, Satori.Coin.Robber leaves the following message on the compromised rig: “Satori dev here, dont be alarmed about this bot it does not currently have any malicious packeting purposes move along. I can be contacted at email@example.com”
Whether this is just an attempt to misdirect researchers remains to be seen. But the message is obviously meant to reassure victims that everything’s all right – although, I can’t imagine that it works.
Since its emergence, the malware has earned its developer nearly 2 ETH, but so far he “collected” just one, amounting to a little over $810.