Satori, the malware that infects PCs dedicated to cryptocurrency mining
It compromises the Claymore Mining software and replaces the configured wallet address with one controlled by the attacker. How widely it has spread is not clear, but it could be the beginning of a new trend in the world of cyber threats.
Satori is a malware family, a variant of the better-known Mirai, which targets routers, IP cameras, smart TVs and in general any device connected to the network in order to turn them into foot soldiers of powerful botnets. Last week, security researchers from the Chinese company Netlab 360 identified a modified version of Satori that infects computers dedicated to cryptocurrency mining.
The malware takes control of the Claymore Mining software (used for mining Ethereum); the exact technique has not been detailed. All that is known is that it uses the remote management interface on port 3333, which does not require authentication if the software is left at its default settings.
Once it controls the software, the malware replaces the PC owner's wallet address, to which the proceeds of mining are paid, with an address controlled by the attacker (either a personal wallet or an account at a mining pool). In this way the attacker collects all the digital money generated by the mining, and the owner will not notice unless he manually checks the configuration of his software.
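The two weak points described above are the unauthenticated management port and the wallet line in the miner's pool configuration. The following script is an added example, not code from the article or from Claymore, that automates the check a rig owner would otherwise do by hand: it probes whether a miner's port 3333 answers the `miner_getstat1` request without any credentials, and it audits an `epools.txt` file for any pool entry whose wallet is not the owner's. Assumptions, labelled in the comments: the management port speaks newline-terminated JSON-RPC as documented by Claymore, index 7 of the `miner_getstat1` result array is the current pool, and `epools.txt` lines follow the `POOL: ..., WALLET: ..., PSW: ...` layout; the sample configuration and sample reply are constructed for illustration.

```python
"""Audit helpers for a Claymore Dual Miner rig (added example, not the article's
or Claymore's own code).  Assumed, not verified against every version: the
management port accepts a newline-terminated JSON-RPC request and answers
"miner_getstat1" with a result array whose index 7 is the current pool, and
epools.txt lines look like
  POOL: host:port, WALLET: 0x..., PSW: x, WORKER: , ESM: 0, ALLPOOLS: 0
"""
import json
import re
import socket

# An Ethereum address: 0x followed by 40 hex digits (optionally followed by
# a worker name such as ".rig1" or "/rig1" in the WALLET field).
ETH_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")


def build_getstat_request(req_id=0):
    """Serialise the read-only stats request the miner answers without a password."""
    payload = {"id": req_id, "jsonrpc": "2.0", "method": "miner_getstat1"}
    return (json.dumps(payload) + "\n").encode("ascii")


def parse_getstat_response(raw):
    """Return {"version", "uptime_min", "pool"} from a miner_getstat1 reply, else None."""
    try:
        msg = json.loads(raw.decode("utf-8", "replace"))
    except ValueError:
        return None
    result = msg.get("result") if isinstance(msg, dict) else None
    if not isinstance(result, list) or len(result) < 8:
        return None
    return {"version": result[0], "uptime_min": result[1], "pool": result[7]}


def probe_management_port(host, port=3333, timeout=3.0):
    """Return parsed stats if the port answers with no authentication, else None.

    A reply means anyone who can reach this port can also talk to the
    management interface unless the miner was started in read-only mode."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_getstat_request())
            raw = b""
            while not raw.endswith(b"\n"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return None
    return parse_getstat_response(raw)


def audit_epools(text, expected_wallet):
    """Return [(line_no, wallet_field)] for every POOL line not paying expected_wallet.

    Missing or malformed addresses are reported too, since a blank wallet is
    just as suspicious as a foreign one."""
    expected = expected_wallet.lower()
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip().upper().startswith("POOL:"):
            continue
        m = re.search(r"WALLET:\s*([^,]*)", line, re.IGNORECASE)
        wallet = m.group(1).strip() if m else ""
        addr = ETH_ADDR.match(wallet)
        if addr is None or addr.group(0).lower() != expected:
            findings.append((n, wallet))
    return findings


# Constructed sample data (not real addresses, pools or miner output).
OWNER_WALLET = "0x1111111111111111111111111111111111111111"
SAMPLE_EPOOLS = """\
POOL: eu1.ethermine.org:4444, WALLET: 0x1111111111111111111111111111111111111111.rig1, PSW: x, WORKER: , ESM: 0, ALLPOOLS: 0
POOL: us1.ethermine.org:4444, WALLET: 0x2222222222222222222222222222222222222222/rig1, PSW: x, WORKER: , ESM: 0, ALLPOOLS: 0
"""
SAMPLE_REPLY = (b'{"id":0,"jsonrpc":"2.0","result":["9.3 - ETH","21","182724;51;0",'
                b'"30454;30454;30454;30454;30454;30454","0;0;0","off;off;off;off;off;off",'
                b'"53;71;57;67;61;72","eu1.ethermine.org:4444","0;0;0;0"]}\n')

if __name__ == "__main__":
    print("stats:", parse_getstat_response(SAMPLE_REPLY))
    for line_no, wallet in audit_epools(SAMPLE_EPOOLS, OWNER_WALLET):
        print("line %d pays a wallet that is not ours: %r" % (line_no, wallet))
    # Live probe of a rig on the local network (host is a placeholder):
    # print(probe_management_port("192.0.2.10"))
```

Run the audit from cron and alert on any finding; a rig whose `epools.txt` suddenly pays a different address is exactly the symptom the article describes. The probe is the check to run from another host: if it returns stats, the port is reachable without credentials, and Claymore's own mitigation is the `-mport` option, where a negative value such as `-mport -3333` keeps monitoring but blocks remote management and `-mport 0` disables the port entirely; firewalling the port so that only the monitoring host can reach it closes the gap for whatever the miner version allows.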
Looking up the attacker's wallet address, obtained from Netlab 360, shows the last 10 transactions involving it: various incoming and outgoing movements on the order of a few Ether, whose value in recent days exceeded $1,400 before suffering the effects of a large movement that hit the entire cryptocurrency market.
It is unclear at the moment how far this infection has spread, since the only contextual information available is the hashrate reported for the address at the mining pool, which in any case varies constantly.
We can hypothesise a spread of anywhere from a few dozen to several hundred systems (depending, obviously, on the GPUs used by the infected systems). Beyond that, it is still worth considering that this new malware may represent the beginning of a new "trend" in the field of cyber threats, one from which even more massive campaigns could take inspiration.