{
	"id": "994ebe76-7f14-43cc-9ecb-0cf4e8f0a874",
	"created_at": "2026-04-06T00:18:28.112329Z",
	"updated_at": "2026-04-10T03:20:26.969415Z",
	"deleted_at": null,
	"sha1_hash": "4647da73c347b3d813a66a74aa38d5bb75b8527d",
	"title": "Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing Wallet Address",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 457350,
	"plain_text": "Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing\r\nWallet Address\r\nBy RootKiter\r\nPublished: 2018-01-17 · Archived: 2026-04-05 22:43:43 UTC\r\nThe security community moved very fast to take action and sinkhole the Satori botnet C2 after our\r\nDecember 5 blog. The spread of this new botnet has been temporarily halted, but the threat still remains.\r\nStarting from 2018-01-08 10:42:06 GMT+8, we noticed that one of Satori's successor variants (we name it\r\nSatori.Coin.Robber) started to reestablish the entire botnet on ports 37215 and 52869.\r\nWhat really stands out is something we had never seen before: this new variant actually hacks into various mining\r\nhosts on the internet (mostly Windows devices) via the management port 3333 of the Claymore Miner\r\nsoftware they run, and replaces the wallet address on the hosts with its own wallet address.\r\nFrom the most recent payment record, as of 2018-01-16 17:00 GMT+8, we can see:\r\nSatori.Coin.Robber is actively mining, with the latest update 5 minutes ago.\r\nSatori.Coin.Robber has an average hash rate of 1606 MH/s over the last 2 days; the account has\r\naccumulated 0.1733 ETH over the past 24 hours\r\nSatori.Coin.Robber already received its first ETH payout at 14:00 on January 11, 2018, with another 0.76\r\nETH in the balance\r\nAlso worth mentioning is that the author of Satori.Coin.Robber claims the current code is not malicious and leaves\r\nan email address (see the section below for more details):\r\nSatori dev here, don't be alarmed about this bot it does not currently have any malicious packeting purposes mov\r\nA Series of Security Issues on Claymore Miner Remote Management\r\nhttp://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/\r\nPage 1 of 6\n\nClaymore Miner is a popular coin-mining software used by quite a lot of mining devices these days.\r\nAccording to its documentation, the Claymore Miner Windows version 
provides a remote monitoring and/or\r\nmanagement interface on port 3333 (the EthMan.exe file in the “remote management” directory). By default,\r\nearlier versions allow not only remote reading of the mining status, but also operations like restart, file upload and\r\nsome other control operations.\r\nApparently, the above feature is a security issue. As a fix, since version 8.1 the Claymore Miner no longer uses port\r\n3333 but -3333 (a negative value) as the default startup parameter, which means that read-only monitoring actions are\r\nsupported, but all other controlling actions are denied.\r\nBut this is not the end. In November 2017, CVE-2017-16929 went public, which allows remote read and/or write\r\nof arbitrary files on Claymore Miner. The corresponding exploit code has also been disclosed.\r\nThe scanning payload (the exploit code) we are going to discuss here is different from all of the above, though. It works\r\nprimarily on Claymore mining equipment that allows management actions on port 3333 with no password\r\nauthentication enabled (which is the default config). In order to prevent potential abuse, we will not discuss too\r\nmany details in this article.\r\nSatori.Coin.Robber Variant is Exploiting the above Issue to Rob ETH Coins\r\nFrom 2018-01-08 to 2018-01-12, we have captured the following malware samples:\r\n737af63598ea5f13e74fd2769e0e0405 http://77.73.67.156/mips.satori\r\n141c574ca7dba34513785652077ab4e5 http://77.73.67.156/mips.satori\r\n4e1ea23bfe4198dad0f544693e599f03 http://77.73.67.156/mips.satori\r\n126f9da9582a431745fa222c0ce65e8c http://77.73.67.156/mips.satori\r\n74d78e8d671f6edb60fe61d5bd6b7529 http://77.73.67.156/mips.satori\r\n59a53a199febe331a7ca78ece6d8f3a4 http://77.73.67.156/b\r\nThese samples are subsequent variants of Satori, which scan not only the previous 37215 and 52869 ports, but\r\nalso port 3333. 
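As an added illustration, not code from the original post or from Netlab, the following Python script shows how a defender could spot this hijack in traffic captured from a Claymore management port: it replays a constructed sample of JSON-RPC requests to port 3333 and flags the miner_getstat1, miner_file (reboot.bat) and miner_reboot sequence that the rest of this section describes, pulling the pool and wallet out of the written file and comparing the wallet with the one reported here. The JSON-RPC request shape, the [filename, hex body] layout of the miner_file parameters, the reboot.bat contents, the host:port pool heuristic and the source IPs are assumptions or constructed sample data, not observations from the report.

```python
import json
import re
from dataclasses import dataclass, field

# Indicators from the report: the pool and wallet that the port-3333 payload
# writes into reboot.bat on a hijacked Claymore miner.
SATORI_POOL = 'eth-us2.dwarfpool.com:8008'
SATORI_WALLET = '0xB15A5332eB7cD2DD7a4Ec7f96749E769A371572d'

ETH_WALLET_RE = re.compile('0x[0-9a-fA-F]{40}')
# host:port pool heuristic (assumption, good enough for a Claymore command line)
POOL_RE = re.compile('[A-Za-z0-9.-]+[.][A-Za-z]{2,}:[0-9]{2,5}')


@dataclass
class MinerSession:
    # per-source state for the getstat -> file -> reboot sequence
    saw_getstat: bool = False
    reboot_bat: str = ''
    writes: list = field(default_factory=list)


@dataclass
class Finding:
    src: str
    kind: str            # 'write' for any remote file write, 'hijack' for the full sequence
    wallet: str = ''
    pool: str = ''
    known_satori: bool = False


def decode_file_params(params):
    # Assumed miner_file parameter layout: [filename, hex-encoded file body].
    if not isinstance(params, list) or len(params) < 2:
        return None, None
    name, hexdata = str(params[0]), params[1]
    try:
        body = bytes.fromhex(hexdata).decode('utf-8', errors='replace')
    except (ValueError, TypeError):
        return name, None
    return name, body


def analyze_capture(capture):
    # capture: iterable of (source_ip, raw_json_request) pairs seen on port 3333.
    sessions = {}
    findings = []
    for src, raw in capture:
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # not Claymore JSON-RPC; ignore
        if not isinstance(msg, dict):
            continue
        method = msg.get('method', '')
        sess = sessions.setdefault(src, MinerSession())
        if method == 'miner_getstat1':
            sess.saw_getstat = True
        elif method == 'miner_file':
            name, body = decode_file_params(msg.get('params'))
            if name is None:
                continue
            sess.writes.append(name)
            # Any accepted file write means the port is not in read-only mode.
            findings.append(Finding(src, 'write'))
            if name.lower() == 'reboot.bat' and body is not None:
                sess.reboot_bat = body
        elif method == 'miner_reboot' and sess.reboot_bat:
            # reboot after a reboot.bat write: the miner restarts with the new config
            wallets = ETH_WALLET_RE.findall(sess.reboot_bat)
            pools = POOL_RE.findall(sess.reboot_bat)
            wallet = wallets[0] if wallets else ''
            pool = pools[0] if pools else ''
            findings.append(Finding(src, 'hijack', wallet, pool,
                                    wallet.lower() == SATORI_WALLET.lower()))
            sess.reboot_bat = ''  # one verdict per write+reboot pair
    return findings


def hijack_sources(capture):
    # Convenience: map source IP -> wallet for completed hijack sequences.
    return {f.src: f.wallet for f in analyze_capture(capture) if f.kind == 'hijack'}


def request(method, params=None):
    # Build a Claymore-style JSON-RPC request (the shape EthMan sends).
    msg = {'id': 0, 'jsonrpc': '2.0', 'method': method}
    if params is not None:
        msg['params'] = params
    return json.dumps(msg)


# Constructed sample capture (not real traffic). The reboot.bat body is an
# assumed Claymore command line pointing the miner at the reported pool/wallet.
SAMPLE_BAT = 'EthDcrMiner64.exe -epool ' + SATORI_POOL + ' -ewal ' + SATORI_WALLET + ' -epsw x'
SAMPLE_CAPTURE = [
    ('203.0.113.7', request('miner_getstat1')),
    ('203.0.113.7', request('miner_file', ['reboot.bat', SAMPLE_BAT.encode().hex()])),
    ('203.0.113.7', request('miner_reboot')),
    ('198.51.100.9', request('miner_getstat1')),  # read-only monitoring, benign
]

if __name__ == '__main__':
    for finding in analyze_capture(SAMPLE_CAPTURE):
        print(finding)
```

Run it as a script to print the findings for the built-in sample, or feed analyze_capture a list of (source IP, request text) pairs reassembled from a real capture. A 'write' finding on its own is already worth an alert: it proves the port accepted a management action, which is exactly the default, unauthenticated configuration the report says this scan relies on, and the miner-side fix the report points to is the negative -mport value (read-only mode) together with a management password where the version supports one.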
The payloads on the three ports are:\r\nPort 37215: Known, exploiting CVE-2017-17215; Huawei recently released the relevant\r\nstatement\r\nPort 52869: Known, exploiting CVE-2014-8361, related to some Realtek SDK; the exploit\r\ncode (PoC) has been public since 2016\r\nPort 3333: Newly emerged, exploiting the ETH mining remote management interface mentioned above.\r\nThe scanning payload on port 3333 is shown in the above image. Satori.Coin.Robber issues three packets\r\nin turn:\r\nPacket 1: miner_getstat1, get the mining state\r\nPacket 2: miner_file, update the reboot.bat file, replacing the mining pool and wallet address;\r\nPacket 3: miner_reboot, reboot the host with the new wallet\r\nDuring this process, the mining pool and the wallet are replaced:\r\nNew pool: eth-us2.dwarfpool.com:8008\r\nNew wallet: 0xB15A5332eB7cD2DD7a4Ec7f96749E769A371572d\r\nSimilarities and Differences between Satori.Coin.Robber and the Original Satori\r\nComparison between Satori.Coin.Robber and Satori:\r\n737af63598ea5f13e74fd2769e0e0405 Satori.Coin.Robber\r\n5915e165b2fdf1e4666a567b8a2d358b satori.x86_64, the original Satori in October 2017 with VT report\r\nhere\r\nSimilarities:\r\nCode: Both use UPX packing, with the same magic number 0x4A444E53. The unpacked code shares\r\nsimilar code structures\r\nConfigurations: The configurations are both encrypted. The encryption algorithm and a large number of\r\nconfiguration strings are the same. 
For example, /bin/busybox SATORI, bigbotPein, 81c4603681c46036,\r\nj57*\u0026jE, etc.\r\nScanning payload: Both scan ports 37215 and 52869 and share the same payload\r\nDifferences:\r\nScanning payload: Satori.Coin.Robber adds a new payload against Claymore Miner on port 3333\r\nScanning process: Satori.Coin.Robber adopts an asynchronous network connection (NIO) method to\r\ninitiate connections, which improves scan efficiency\r\nC2 Protocol: Satori.Coin.Robber uses a new C2 communication protocol that talks to\r\n54.171.131.39 over DNS. We will go through the details later.\r\nBelow are some detailed screenshots:\r\nBoth samples share the same UPX packing magic numbers:\r\nSatori.Coin.Robber uses asynchronous network connections for scanning:\r\nSatori.Coin.Robber's New C2 Communications Protocol\r\nC2 of Satori.Coin.Robber:\r\nA hard-coded IP address, 54.171.131.39, located in Dublin, Ireland.\r\nThe communication protocol is based on the DNS protocol, which can be tested with a query like\r\n\"dig @54.171.131.39 $DNS-QNAME any +short\", where different values of $DNS-QNAME correspond to different\r\nfunctions.\r\nThe full C2 protocol is listed below; note that the fourth entry is not written anywhere in the Satori.Coin.Robber code, we\r\njust tried it and found that it gets a DNS response:\r\nThe first two responses are the same mining pool and wallet addresses that the bot writes when tampering with other\r\nClaymore Miner mining equipment. 
However, at this stage, it seems that the values returned by the server are yet to be\r\nused.\r\nInfection Trend\r\nWe evaluate Satori.Coin.Robber's infection scale and trend by comparing the scanning volumes on three ports:\r\n37215, 52869 and 3333.\r\nThe three figures above show that the scanning volumes on these three ports all increased sharply during this\r\nperiod, which is consistent with the behavior of the Satori.Coin.Robber samples:\r\nall emerged around 2018-01-08\r\nscanning spikes were all around 2018-01-08 to 2018-01-09\r\nthe volumes of scanning have decreased in recent days\r\nAS4766 Korea Telecom contributes most of the scanning sources\r\nabout 4.9K unique scanning source IPs in total\r\nSource: http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/"
	],
	"report_names": [
		"art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4647da73c347b3d813a66a74aa38d5bb75b8527d.pdf",
		"text": "https://archive.orkl.eu/4647da73c347b3d813a66a74aa38d5bb75b8527d.txt",
		"img": "https://archive.orkl.eu/4647da73c347b3d813a66a74aa38d5bb75b8527d.jpg"
	}
}