
Satori Botnet

Posted: April 2, 2019

The Satori Botnet was first spotted exploiting a vulnerability in the infamous Claymore mining software, which allowed it to seize control of its victims' mining hardware and reprogram it to mine cryptocurrency for the attacker's wallet. So far, the operator of the Satori Botnet has used the infected devices to mine Ethereum only, but this may change in the future. Another campaign involving the Satori Botnet was spotted in June 2018, when malware researchers noticed an increased number of scans on ports 80 and 8000, which are used by XiongMai, a popular Web server software suite that is found in many Internet-of-Things devices originating from China. A recent vulnerability identified in this Web server software may have sparked the interest of the Satori Botnet's operator, who used a mass campaign to find vulnerable devices that can be added to the botnet's network.

Although a look at the code of the Satori Botnet reveals that it is based on the Mirai Botnet's source code, there are some fundamental differences between the methods these botnets use. While Mirai relies on exploiting devices with unchanged (default) login credentials, the Satori Botnet executes its campaigns by looking for specific programming vulnerabilities to exploit. Although the Satori Botnet has yet to be used in a Distributed Denial-of-Service (DDoS) attack, the botnet's operator would have no reason to be expanding the network so rapidly unless the plan is a major attack soon.

Protecting your devices from the Satori Botnet and similar campaigns can be an easy task if you regularly apply the security updates and firmware patches released by the product vendor.
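
The scan activity on ports 80 and 8000 described above can be looked for in connection logs. This added example, which is not from the original article, flags any source that contacts many distinct hosts on those ports within a short window; the log format, field names, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {80, 8000}  # the ports the article reports being scanned
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)\b")

def parse(line):
    """Return (time, src, dst, dport), or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, m["src"], m["dst"], int(m["dpt"])

def find_scanners(lines, min_targets=5, window=timedelta(seconds=60)):
    """Map each flagged source to the peak count of distinct destinations it
    contacted on a watched port within any one sliding window."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ts, src, dst, dport = rec
        if dport in WATCHED_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = peak = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window's left edge forward
            peak = max(peak, len({dst for _, dst in hits[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

# Constructed sample (not real traffic): .50 fans out fast, .30 is slow, .20 browses.
FMT = "2019-04-02T10:{:02d}:{:02d} SRC=192.168.1.{} DST=198.51.100.{} PROTO=TCP DPT={}"
SAMPLE = (
    [FMT.format(0, i, 50, i, 8000 if i % 2 else 80) for i in range(1, 7)]
    + [FMT.format(i, 0, 30, i, 80) for i in range(1, 7)]
    + [FMT.format(0, 3, 20, 10, 80), FMT.format(0, 9, 20, 11, 80), "garbled line"]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

A flagged source inside your own network is a device worth isolating and checking for pending firmware updates; tune `min_targets` and `window` to the normal traffic of the segment being monitored.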
