
Satori Botnet

By GoldSparrow in Trojans

The Satori Botnet is an advanced cyber-threat aimed at devices running the XiongMai Web server and at mining rigs. The XiongMai Web server is a component of many IoT devices on the Chinese market, and the Satori Botnet exploits a vulnerability tracked as CVE-2018-10088 (a.k.a. XiongMai uc-httpd 1.0.0 - Buffer Overflow). The Satori Botnet is a variant of the Mirai Botnet that emerged in August 2016. Some of the latest versions of the Satori Botnet include support for exploits in Huawei routers and Realtek SDK devices. The versions from 2017 show that the Satori Botnet includes exploits for the vulnerabilities CVE-2017-17215 and CVE-2014-8361, delivered via TCP on ports 37215 and 52869. Further improvements to the Satori Botnet were recorded in January 2018, when computer security researchers noticed the inclusion of exploits for rigs running the Claymore cryptocurrency mining software.

The Satori Botnet is used primarily for Distributed Denial of Service (DDoS) attacks. However, a large portion of the Web traffic generated by the Satori Botnet is dedicated to hijacking Claymore mining configurations. As mentioned above, the Satori Botnet is equipped to compromise rigs running the Claymore mining software. It was discovered that the Satori Botnet changes the configuration of mining systems so that the generated profit goes into the wallets of the Satori team instead of the wallets of the system owners. The Satori Botnet is designed to use manually crafted UDP and TCP packets to flood targeted IP addresses. Also, the Satori Botnet uses a custom communication protocol for the client-server connection, which makes recognizing infected devices relatively easy. The developers of the Claymore kit have issued a security advisory to users regarding the Satori Botnet activity. You should install the latest security patches for your router, run a firewall locally and monitor your Claymore configs closely.
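As an added example (not part of the original article), the following script scans firewall logs for inbound TCP traffic to the two ports named above and flags sources that touch more than one host. It assumes iptables-style `key=value` log lines; the sample lines, IP addresses and the `min_targets` threshold are constructed for illustration, and a hit indicates probing of those ports, not a confirmed compromise.

```python
import re
from collections import defaultdict

# TCP ports the article ties to Satori's 2017 exploits.
WATCHED_PORTS = {37215: "CVE-2017-17215", 52869: "CVE-2014-8361"}
# Assumed log format: netfilter LOG-style key=value fields.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
Jan 10 03:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=37215 SYN
Jan 10 03:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=37215 SYN
Jan 10 03:12:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40114 DPT=52869 SYN
Jan 10 03:12:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 10 03:12:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.12 PROTO=UDP SPT=5353 DPT=37215
Jan 10 03:12:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.12 PROTO=TCP SPT=33001 DPT=52869 SYN
"""

def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of a log line, or None if any is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return fields

def find_probes(log_text, min_targets=2):
    """Group TCP hits on watched ports by source and flag multi-host sweeps."""
    hits = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["PROTO"] != "TCP" or not f["DPT"].isdigit():
            continue
        port = int(f["DPT"])
        if port in WATCHED_PORTS:
            hits[f["SRC"]][port].add(f["DST"])
    report = []
    for src, ports in sorted(hits.items()):
        targets = set().union(*ports.values())
        report.append({
            "src": src,
            "cves": sorted(WATCHED_PORTS[p] for p in ports),
            "targets": sorted(targets),
            "sweep": len(targets) >= min_targets,  # same source, several hosts
        })
    return report

if __name__ == "__main__":
    for row in find_probes(SAMPLE_LOG):
        print(row)
```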
