A botnet is targeting rigs mining for Ethereum. David McBee/Pexels

The massive Satori botnet has reappeared with a new target. According to security researchers, the collection of compromised Internet of Things (IoT) devices has been directed to attack rigs built for mining the cryptocurrency Ethereum.

According to Qihoo 360 Netlab, a variant of the Satori botnet dubbed Satori.Coin.Robber has been spotted in the wild scanning for machines used to mine Ethereum, in an attempt to hijack their mining payouts.

The researchers have withheld much of the detail on how the variant works, a precaution against further abuse, but have published enough to show that it is active and has successfully compromised Ethereum mining rigs.

The specialized variant, drawn from a botnet that at one point consisted of hundreds of thousands of internet-connected devices hijacked through manufacturer-set default credentials that their owners never changed, carries the same exploits as the original version but scans specifically for mining machines.

Those rigs are relatively easy for the botnet to identify. It searches for machines running Windows that have TCP port 3333 open: that is the port Claymore Miner uses for its remote management interface, so a host answering on it is advertising itself as a likely mining rig.

The botnet looks for machines running Claymore Miner software, a popular tool for mining Ethereum, a process in which the rig's processors (in practice, its graphics cards) race to solve the proof-of-work computations that validate blocks of transactions.

Once the botnet finds a system running Claymore Miner with port 3333 open and no password set on the management interface, which, inexplicably, is the default configuration, it launches its attack to hijack the mining effort.

First, Satori.Coin.Robber delivers a malicious payload that gathers information about the mining state of the rig. Then the botnet replaces the wallet address configured on the host with its own. Finally, it reboots the system so the miner comes back up with the new address, which means everything the rig mines from then on is paid to the attackers and leaves the rig's owner with little to show for the effort.

The researchers determined that the campaign is ongoing: the attackers' wallet received 0.9566 Ethereum (about $840) in the two days before the report, and just over 1.01 Ethereum (about $884) in total.

Despite that, a person claiming ownership of the Satori.Coin.Robber code told Netlab that the botnet is not currently active. "Satori dev here, don't be alarmed about this bot it does not currently have any malicious packeting purposes move along," he told the security researchers.

Given the rapid growth that Ethereum has experienced over the past year, including a nearly 100 percent increase in value during the first weeks of 2018, it is understandable why the cryptocurrency has become such a target for attackers. It is increasingly profitable, and an attack like Satori.Coin.Robber lets the attackers collect mined coins with minimal effort, since the victims supply the hardware and the electricity.

Users mining Ethereum with Claymore Miner should always make sure they are running the latest version of the software, set a password on its remote management interface, and restrict or disable the management port where remote control is not needed, so that the rig does not answer to anyone who can reach port 3333.
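The exposure the botnet scans for, a Claymore management port that hands out data to an anonymous caller, is easy to audit from the defender's side. The following is an added example written for this article, not code from Netlab, Claymore or the botnet: it sends Claymore's documented read-only statistics request (miner_getstat1) with no password to each rig and reports which ones answer. To run offline it starts two constructed stand-in rigs, one with the default (no password) and one with a password set; the stand-in's reply wording for a missing password is an assumption of this demo, not Claymore's real wire response.

```python
"""Audit rigs for the exposure Satori.Coin.Robber scans for: Claymore Miner's
remote-management interface on TCP 3333 answering without a password.

Added example, not code from the article, Netlab or Claymore. The request sent
is Claymore's documented statistics call (miner_getstat1); the fake rig below
is a constructed stand-in so the audit runs offline, and the exact text it
returns when a password is missing is an assumption of this demo.
"""
import json
import socket
import socketserver
import threading

CLAYMORE_PORT = 3333
# Claymore's documented JSON-RPC statistics request. It is read-only, so it is
# safe to send to your own rigs. Deliberately no "psw" field: the question is
# whether the rig answers anyway.
PROBE = {"id": 0, "jsonrpc": "2.0", "method": "miner_getstat1"}


def probe_rig(host, port=CLAYMORE_PORT, timeout=2.0):
    """Classify one host as 'closed', 'unauthenticated', 'password-required'
    or 'unknown' depending on how its management port answers the probe."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"            # refused, unreachable or timed out
    with sock:
        try:
            sock.sendall((json.dumps(PROBE) + "\n").encode())
            data = b""
            while not data.endswith(b"\n"):   # replies are newline-terminated
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:
            return "unknown"
    try:
        reply = json.loads(data.decode() or "null")
    except ValueError:
        return "unknown"
    if not isinstance(reply, dict):
        return "unknown"
    if reply.get("result"):
        return "unauthenticated"   # stats handed to an anonymous caller
    if reply.get("error"):
        return "password-required"
    return "unknown"


def audit(targets):
    """Probe (host, port) pairs; returns {(host, port): status}. Any rig marked
    'unauthenticated' is one the botnet's scan would have found."""
    return {(h, p): probe_rig(h, p) for h, p in targets}


# --- constructed stand-in for a Claymore rig, so the audit runs offline ------
# Shaped like a miner_getstat1 result (version, uptime, "hashrate;shares;
# rejected", ...); the values are made up for this demo.
SAMPLE_STATS = ["11.6 - ETH", "120", "30000;450;0", "30000",
                "0;0;0", "off", "eth-eu1.nanopool.org:9999", "0;0;0;0"]


class FakeRigHandler(socketserver.StreamRequestHandler):
    def handle(self):
        try:
            req = json.loads(self.rfile.readline().decode())
        except ValueError:
            return
        pw = self.server.password
        if pw and req.get("psw") != pw:
            # Assumed wording; a real Claymore rejection may look different.
            reply = {"id": req.get("id", 0), "error": "password required", "result": None}
        else:
            reply = {"id": req.get("id", 0), "error": None, "result": SAMPLE_STATS}
        self.wfile.write((json.dumps(reply) + "\n").encode())


class FakeRig(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, password=None):
        super().__init__(("127.0.0.1", 0), FakeRigHandler)  # port 0: any free port
        self.password = password


def start_fake_rig(password=None):
    """Start a fake rig in the background; returns (server, port)."""
    srv = FakeRig(password)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    open_rig, p_open = start_fake_rig()               # Claymore default: no -mpsw
    locked_rig, p_locked = start_fake_rig("hunter2")  # rig started with -mpsw hunter2
    for (host, port), status in audit([("127.0.0.1", p_open), ("127.0.0.1", p_locked)]).items():
        print(f"{host}:{port} -> {status}")
    for srv in (open_rig, locked_rig):
        srv.shutdown()
        srv.server_close()
```

Point `audit` at the real addresses of your rigs on port 3333 and anything reported as unauthenticated is running with Claymore's defaults. The probe only reads statistics; it never issues a management command. To close the hole, start the miner with Claymore's `-mpsw <password>` flag, use a negative `-mport` value (for example `-mport -3333`) if you only need read-only monitoring, or `-mport 0` to switch the interface off entirely, and in any case firewall the port so only the monitoring host can reach it.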