
Satori.Coin.Robber (botnet) is now hacking Ethereum mining rigs by replacing wallet address

January 17, 2018

By: mirabiliscorp


By Eslam Medhat

A new variant of the Satori botnet has risen again with a new target: it is hacking into Claymore mining rigs, which mine the cryptocurrency Ethereum (ETH), and replacing the machine owner’s mining wallet address with the attacker’s wallet.

Satori is a botnet that exploits a Huawei vulnerability and a security issue in Realtek SDK-based devices to take over devices running old firmware.

Qihoo 360 Netlab security researchers said that “Satori.Coin.Robber” was first detected on 8 January and hosts the same exploits as the Mirai botnet. However, this variant adds a new ability: scanning for mining rigs. The botnet scanned for ports 52869 (CVE-2014-8361 vulnerability in Realtek SDK-based devices) and 37215 (CVE-2017-17215 zero-day in Huawei routers).

According to researchers:
“What really stands out is something we had never seen before, this new variant actually hacks into various mining hosts on the internet (mostly Windows devices) via their management port 3333 that runs Claymore Miner software, and replaces the wallet address on the hosts with its own wallet address.”

Based on the payout pool connected to the botnet, the Satori botnet controls an average calculation power of 1106 MH/s. The botnet has already received its first ETH coin, paid at 14:00 on January 11, 2017, with another 0.96 coin in the balance.
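
A defender can look for the scanning described above in their own connection logs. The following is an added example, not code from the original article or from Netlab; the log format, the internal address ranges and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports named in the article and what listens on them.
WATCHED_PORTS = {
    52869: "Realtek SDK-based devices (CVE-2014-8361)",
    37215: "Huawei routers (CVE-2017-17215)",
    3333: "Claymore Miner management port",
}
# Assumption: these ranges are "internal"; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2018-01-10T02:11:05Z 198.51.100.23 10.0.0.5 3333 ACCEPT
2018-01-10T02:11:06Z 198.51.100.23 10.0.0.6 3333 DROP
2018-01-10T02:11:07Z 198.51.100.23 10.0.0.9 37215 DROP
2018-01-10T02:12:40Z 10.0.0.20 10.0.0.5 3333 ACCEPT
2018-01-10T02:13:00Z 203.0.113.77 10.0.0.9 52869 DROP
2018-01-10T02:13:02Z 203.0.113.8 10.0.0.9 443 ACCEPT
malformed line here
"""

def find_probes(log_text):
    """Map each external source IP to the watched ports and hosts it touched."""
    hits = defaultdict(lambda: {"ports": set(), "targets": set(), "accepted": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, src, dst, port, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            continue  # unparsable address or port
        internal = any(src_ip in net for net in INTERNAL_NETS)
        if port not in WATCHED_PORTS or internal:
            continue  # only external sources hitting the watched ports
        hits[src]["ports"].add(port)
        hits[src]["targets"].add(dst)
        if action == "ACCEPT":  # the connection actually reached the service
            hits[src]["accepted"].append((dst, port))
    return dict(hits)

if __name__ == "__main__":
    for src, e in sorted(find_probes(SAMPLE_LOG).items()):
        print(src, sorted(e["ports"]), "reached:", e["accepted"])
```

An `ACCEPT` entry for port 3333 from an external source means the miner's management port is reachable from the internet and should be restricted at the firewall.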

