New variant of Satori malware subverts other cryptocurrency mining malware by changing wallet address

Cryptocurrency miners infected with Satori malware will see gains given to someone else

Security researchers have identified a new variant of the Satori botnet that targets cryptocurrency miners and replaces the user's wallet address.

Satori is a malware family that turns security cameras, routers and other connected devices into botnets, which cyber criminals are now exploiting to fill their cryptocurrency wallets.

Researchers at Chinese cyber security firm Netlab 360 came across the new variant on 8 January, after finding it targeting the Claymore Miner. They've detailed the variant in a new report.

"Starting from 2018-01-08 10:42:06 GMT+8, we noticed that one Satori successor variant (we name it Satori.Coin.Robber) started to re-establish the entire botnet on ports 37215 and 52869," explained the researchers.

"What really stands out is something we had never seen before. This new variant actually hacks into various mining hosts on the internet (mostly Windows devices) via the management port 3333 that runs Claymore Miner software, and replaces the wallet address on the hosts with its own wallet address."

The malware targets coin-mining platforms and changes existing wallet addresses to one that the attacker controls. They can then receive coins directly, while computer owners are unaware of what's happening.

In the report, the researchers explain that the attackers are exploiting a newly discovered vulnerability in the Claymore Miner software, specifically in the feature that lets users manage their mining remotely.

They continued: "The Claymore Miner Windows version provides a remote monitoring and/or management interface on port 3333 (the EthMan.exe file in the "remote management" directory).

"And by default earlier versions allow not only remote reading for mining status, but also operations like restart, upload files and some other control operations."

They added: "As a fix, after version 8.1, the Claymore Miner will not use port 3333 but -3333 (a negative one) as the startup parameter by default, which means read-only monitoring actions are supported, but other controlling actions are all denied."
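The weak and hardened settings described above, side by side, as an added example (not code from the article or from Netlab 360): a small audit of Claymore startup lines that flags a writable management port and a wallet address that no longer matches the operator's. It assumes the `-mport` startup parameter carries the port number the article refers to, that `-ewal` carries the wallet, and that `-mpsw` sets the management password; the command lines and wallet strings are constructed placeholders.

```python
# Constructed sample startup lines (the kind an operator keeps in start.bat).
# Wallet strings are placeholders, not real addresses.
EXPECTED_WALLET = "0xOPERATOR_WALLET_PLACEHOLDER"
WEAK_CMDLINE = ("EthDcrMiner64.exe -epool eth-pool.example:4444 "
                f"-ewal {EXPECTED_WALLET} -mport 3333")
FIXED_CMDLINE = ("EthDcrMiner64.exe -epool eth-pool.example:4444 "
                 f"-ewal {EXPECTED_WALLET} -mport -3333")
TAMPERED_CMDLINE = ("EthDcrMiner64.exe -epool eth-pool.example:4444 "
                    "-ewal 0xSOMEONE_ELSES_WALLET_PLACEHOLDER -mport 3333")


def parse_args(cmdline):
    """Map each '-flag' to the token after it; '-3333' is a value, not a flag."""
    tokens = cmdline.split()
    opts = {}
    for i, tok in enumerate(tokens):
        is_flag = tok.startswith("-") and not tok.lstrip("-").isdigit()
        if is_flag and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
    return opts


def audit(cmdline, expected_wallet):
    """Return a list of findings; an empty list means the line looks fine."""
    opts = parse_args(cmdline)
    findings = []

    mport = opts.get("-mport")  # assumed flag name for the management port
    if mport is None:
        # The article says pre-8.1 builds exposed writable management on 3333
        # by default, so an unset flag is only safe on newer builds.
        findings.append("-mport not set; set -mport -3333 explicitly")
    elif not mport.lstrip("-").isdigit():
        findings.append(f"unparseable -mport value {mport!r}")
    elif int(mport) > 0:
        findings.append(f"management writable on port {mport}; "
                        f"use -mport -{mport} for read-only monitoring")
        if "-mpsw" not in opts:  # assumed flag name for the management password
            findings.append("writable management interface has no -mpsw password")

    wallet = opts.get("-ewal")  # assumed flag name for the payout wallet
    if wallet != expected_wallet:
        findings.append(f"wallet mismatch: {wallet!r} != {expected_wallet!r}")
    return findings


if __name__ == "__main__":
    for name, line in [("weak", WEAK_CMDLINE), ("fixed", FIXED_CMDLINE),
                       ("tampered", TAMPERED_CMDLINE)]:
        print(name, audit(line, EXPECTED_WALLET) or ["OK"])
```

Running the same audit on a schedule against the live start script gives a cheap tripwire for the wallet swap the article describes.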

But there are other issues. The researchers note that a feature in the software could also be abused to "remote read" and to write "arbitrary files", and that the "corresponding exploit code has also been disclosed".