Claymore miner operators are watching helplessly as Satori, the IoT malware that wrangles security cameras, routers, and other IoT devices, takes over their harvest by clandestinely infecting dedicated cryptocurrency-mining computers.
According to researchers at Netlab 360, a China-based company, the modified Mirai botnet malware (Satori) that began attacking Claymore miners on January 8 exploited weaknesses in the mining software's network interface. The malware gained full control of the mining software and replaced the wallet address where coins mined by the computer (newly minted currency) accumulate with the attacker's wallet address. Since then, all newly generated coins have been dropped into the attacker's address, while owners of the mining computers have yet to understand the software configuration well enough to stop the losses.
In less than 8 days, more than 1 Ethereum coin has been lost to the attacker-controlled wallet, according to the records, and at the time of the transactions Ethereum was valued as high as $1,300. Records show that as of January 17 the attacker's wallet was still actively mining, with a current balance of slightly more than 1 Ethereum coin. Data from the illicit mining shows a hash rate of almost 2,100 million hashes per second, which suggests roughly 1,135 computers each running a GeForce GTX 560M, or 85 computers each running a Radeon RX 480 graphics card.
At this rate of mining, the proceeds would make the attack worth the effort if the attacker-controlled wallet continues to receive newly generated coins for a few months, and if the cryptocurrency's value does not continue to drop; Ethereum has already lost 42 percent of its value in the past four days.
Is Satori not for IoT devices?
Mirai is the open-source botnet malware that gave birth to Satori. Mirai became widely known in 2016 for paralyzing large swaths of the internet when it took control of IoT devices and made them participate in distributed denial-of-service attacks. When Satori showed up in December 2017, the underlying code had been thoroughly revamped to exploit programming vulnerabilities in device firmware, and within the first week of its outbreak it had infected over a hundred thousand devices, a count that grew in the weeks that followed.
RootKiter, a researcher at Netlab 360, wrote in Wednesday's post that the version of Satori that attacked on January 8 exploits IoT devices through two vulnerabilities. He added that the new Satori also takes advantage of a weakness in the Claymore mining software.
For now, there is no clear understanding of how the modified malware infects mining computers, though one loophole in the Claymore mining software has been reported. Wednesday's post says only that Satori "works primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default configuration)."
Netlab 360 withheld further details as a means of averting further abuse. Claymore mining software developers are likewise withholding comment, but a false message from infected computers has been released, which reads:
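The two defensive checks this story calls for are easy to automate: confirm that the wallet a miner is paying out to is still the operator's own, and confirm that the remote-management listener is not left in Claymore's default state (full management on port 3333 with an empty password). The script below is an added example, not code from Netlab 360 or from the Claymore project. It relies on three of Claymore's documented command-line options, `-ewal` (payout wallet), `-mport` (management port; a negative value is monitoring only, 0 disables it) and `-mpsw` (management password); the parser and audit logic are mine, and the three sample configurations, pool hostname and wallet addresses are constructed placeholders.

```python
"""Audit a Claymore-style miner configuration for the two weaknesses the
article describes: a hijacked payout wallet and a password-less
remote-management port. Added example; not Claymore's or Netlab 360's code.
"""
import shlex
from typing import Dict, List, Set

CLAYMORE_DEFAULT_MPORT = 3333  # Claymore listens here when -mport is absent

# Constructed placeholder: the operator's own wallet(s).
OUR_WALLETS: Set[str] = {"0x0000000000000000000000000000000000000001"}

# Constructed config.txt samples (same "-flag value" syntax as the command line).
WEAK_CONFIG = """
# out-of-the-box shape: no -mport/-mpsw, so management is open on 3333
-epool pool.example.org:4444
-ewal 0x0000000000000000000000000000000000000001.rig1
-epsw x
"""

HIJACKED_CONFIG = """
-epool pool.example.org:4444
-ewal 0x0000000000000000000000000000000000000002.rig1
-epsw x
"""

HARDENED_CONFIG = """
-epool pool.example.org:4444
-ewal 0x0000000000000000000000000000000000000001.rig1
-epsw x
-mport -3333
-mpsw "S3cret-placeholder"
"""


def _is_flag(tok: str) -> bool:
    # "-mport" is a flag; "-3333" (Claymore's read-only port syntax) is a value
    return tok.startswith("-") and not tok[1:].lstrip("-").isdigit()


def parse_claymore_args(config_text: str) -> Dict[str, str]:
    """Turn config.txt / command-line text into a {flag: value} mapping.

    Lines starting with '#' are comments. A flag with no following value
    (e.g. a bare "-nofee") is stored with an empty string.
    """
    tokens: List[str] = []
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tokens.extend(shlex.split(line))

    args: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if _is_flag(tok):
            value = ""
            if i + 1 < len(tokens) and not _is_flag(tokens[i + 1]):
                value = tokens[i + 1]
                i += 1
            args[tok.lower()] = value
        i += 1
    return args


def audit_miner_config(config_text: str, expected_wallets: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the config looks sane."""
    args = parse_claymore_args(config_text)
    findings: List[str] = []

    # 1. Wallet hijack check. Pools often append ".worker" or "/email" to the
    #    address, so compare only the address part.
    wallet = args.get("-ewal", "")
    address = wallet.split(".")[0].split("/")[0].lower()
    if address not in {w.lower() for w in expected_wallets}:
        findings.append(f"wallet address {wallet or '<missing>'} is not one of ours")

    # 2. Remote management exposure. With no -mport, Claymore defaults to full
    #    management on 3333 and an empty password; negative -mport is read-only
    #    monitoring and 0 disables the listener entirely.
    try:
        mport = int(args.get("-mport", str(CLAYMORE_DEFAULT_MPORT)))
    except ValueError:
        mport = CLAYMORE_DEFAULT_MPORT
    if mport > 0 and not args.get("-mpsw"):
        findings.append(f"management enabled on port {mport} without a password (-mpsw)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hijacked", HIJACKED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, audit_miner_config(cfg, OUR_WALLETS) or ["ok"])
```

Run it against the real config.txt (or the batch file's command line) on each rig; a non-empty result for the wallet check is the signal the article's victims lacked, and the hardened sample shows the smallest change that removes the default exposure.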
“Satori dev here, dont be alarmed about this bot it does not currently have any malicious packeting purposes move along. I can be contacted at firstname.lastname@example.org.”