In a blog post, security research firm Netlab 360 revealed that it discovered a new variant of the Satori botnet. Beyond trying to spread itself, the new variant, which Netlab has named Satori.Coin.Robber, also hunts for machines running a popular closed-source crypto-mining client called Claymore Miner. The botnet exploits a newly discovered vulnerability in the mining software to change the target mining pool and payout wallet. The result is that the exploited mining machine will have been quietly switched to mine for someone else.
Netlab did not disclose the details of how the exploit works, presumably to give the developers of Claymore Miner time to patch it. Netlab said only that the infected botnet machines deliver the exploit through port 3333, the port Claymore Miner uses for its remote monitoring service. According to Netlab, the pool the botnet redirects miners to is currently active and has already paid out around 2 ETH.
The original Satori botnet had a brief life during the 2017 holiday season before it was shut down. It spread itself over ports 37215 and 52869 by exploiting vulnerabilities in Huawei modems and Realtek router chips. Satori.Coin.Robber spreads the same way, but those vulnerabilities have since been patched, so there are fewer vulnerable devices and it is spreading more slowly than its predecessor. To be clear, Satori.Coin.Robber does not spread to the machines running the Claymore mining software; it attacks them from the compromised devices that make up the botnet. The botnet keeps spreading only to grow the base from which it launches those attacks.
If you’re using Claymore Mining software, consider changing to a different mining client at least until it’s patched. At the very least, be sure to check that your miner’s pool and wallet haven’t been secretly changed. We haven’t found anything indicating whether or not the exploit has been fixed, so be on the lookout for a new version.
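As a defender's check for the advice above (an added example, not code from the article or from Netlab), the audit below compares a Claymore-style miner command line against an out-of-band baseline for pool and wallet and flags a management port that still accepts remote commands. The flag names -epool, -ewal and -mport, and the meaning of zero, negative and absent -mport values, are assumptions taken from Claymore's option documentation as I recall it, not from the article; the baseline and sample command lines are constructed.

```python
import shlex

# Constructed baseline; an operator keeps this somewhere the miner host cannot rewrite.
EXPECTED = {
    "pool": "eth-eu1.example-pool.invalid:4444",
    "wallet": "0x0000000000000000000000000000000000000001",
}

def _is_value(tok: str) -> bool:
    """A token is an option value unless it looks like a flag; '-3333' counts as a value."""
    return not tok.startswith("-") or tok[1:].isdigit()

def parse_args(cmdline: str) -> dict:
    """Turn 'miner -epool X -ewal Y -mport 3333' into {'epool': 'X', 'ewal': 'Y', 'mport': '3333'}."""
    tokens = shlex.split(cmdline)[1:]  # drop the executable name
    opts, i = {}, 0
    while i < len(tokens):
        name = tokens[i].lstrip("-")
        if i + 1 < len(tokens) and _is_value(tokens[i + 1]):
            opts[name] = tokens[i + 1]
            i += 2
        else:
            opts[name] = ""  # bare switch with no value
            i += 1
    return opts

def audit(cmdline: str, expected: dict = EXPECTED) -> list:
    """Return findings for a miner command line; an empty list means it matches the baseline."""
    opts = parse_args(cmdline)
    findings = []
    pool = opts.get("epool", "")
    if pool != expected["pool"]:
        findings.append(f"pool changed: expected {expected['pool']}, found {pool or '<none>'}")
    wallet = opts.get("ewal", "")
    if wallet.lower() != expected["wallet"].lower():
        findings.append(f"wallet changed: expected {expected['wallet']}, found {wallet or '<none>'}")
    # Assumed -mport semantics: 0 disables the service, a negative port is monitoring-only,
    # and an absent flag means the default port 3333 with remote management enabled.
    mport = int(opts.get("mport", "3333"))
    if mport > 0:
        findings.append(f"management port {mport} accepts remote commands; use -mport 0 or -mport -{mport}")
    return findings

if __name__ == "__main__":
    # Constructed sample lines: one healthy miner, one whose pool and wallet were swapped.
    healthy = "EthDcrMiner64.exe -epool eth-eu1.example-pool.invalid:4444 -ewal 0x0000000000000000000000000000000000000001 -mport -3333"
    hijacked = "EthDcrMiner64.exe -epool other-pool.invalid:4444 -ewal 0x00000000000000000000000000000000000000ff -mport 3333"
    for line in (healthy, hijacked):
        print(line.split()[0], audit(line) or ["OK"])
```

Feed it the miner's real command line (or the contents of its start script) on a schedule; any non-empty result is a reason to stop the miner and re-check the pool and wallet by hand.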