Threat Management, Security Strategy, Plan, Budget

Satori botnet searching internet for open Ethereum mining rigs

Security researchers have discovered a large Satori botnet that is scanning the internet for exposed Ethereum cryptocurrency mining rigs.

According to a blog post by researchers at Qihoo 360 Netlab, hackers are targeting port 3333. This is frequently used for remote management features by cryptocurrency-mining hardware. The researchers indicated that this scanning activity started 11 May in a Tweet earlier this month.

Also following up the botnet was GreyNoise Intelligence. According to a tweet, it had observed a large spike of TCP port 3333 scan traffic today. “This is the default port for the "Claymore" dual Ethereum/Decred cryptocurrency miner,” it said.

“Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the "dwarfpool" mining pool and use the attacker's ETH wallet,” Greynoise researchers added.

“Around 95 percent of the devices scanning for port 3333 today are located in the same residential ISP in Mexico as the majority of the hosts affected by the GPON vulnerability disclosed earlier this week.”

Netlab confirmed Greynoise's discovery. "The source of this scan is about 17k independent IP addresses, mainly from Uninet SA de CV,, located in Mexico," Netlab researchers said.

Johannes B. Ullrich, dean of research at SANS ISC, also managed to identify the botnet from observing his honeypots. 

“I have no idea why someone would have the unauthenticated JSON RPC of their miner exposed to the internet, but then again, these attacks are targeting people who are into cryptocoin mining, so everything is possible,” he said in a blog post.

In a follow-up exclusive interview with SC Media UK, Ullrich said the attack will for the most part affect hobbyists running this type of cryptocoin miner. 

“The best defence is to not enable the affected remote administration API. The software also allows users to run the API in a feature reduced mode that will not allow any “write” features to alter configurations or overwrite the “reboot” file. In addition, the API should be configured to run on a non-standard port,” he added.

Ullrich added that organisation would detect that the miner is no longer producing any revenue. “In addition, one may see additional software running on the mining equipment. Using network-based intrusion detection systems, it is possible to detect the use of the “miner_file” command which is an unusual command and unlikely to be used as part of normal operations,” he said.

To clean up any malware on affected devices, in this case, it should be simple to restore the reboot.bat file and verify the miner configuration. 

“So far, all the attacks we have seen will target the miner itself. However, the vulnerability could be used to execute any arbitrary command. Like with any intrusion, a complete forensics assessment should be conducted on the system and it is likely safer to just rebuild the system then to clean up individual artefacts left behind by the attacker,” said Ullrich.

Chris Doman, security researcher at AlienVault, told SC Media UK that his firm had also noticed the uptick in activity and added that the exploits and subsequent activity are normally easily detected if you perform network detection. “Unofficial patches are available for those with vulnerable devices, though replacing the affected devices is best if possible,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.