Compromised routers are being used to scan for a port used by a popular piece of mining software, so that the mining rigs behind it can be taken over.
A botnet called Satori is scanning online devices for exposed Ethereum mining rigs, according to three sources in the infosec community who have been monitoring its activity. Bleeping Computer reports that the scans began on May 11th, when they were first observed by researchers at Netlab, who eventually tied the activity to Satori.
The scanners, presumed malicious, are looking for connected devices with port 3333 exposed to the internet, a port commonly used for remote management of mining rigs. Another group of security researchers, GreyNoise, believes the attackers are specifically hunting for rigs running the Claymore mining software, which listens on port 3333 for its remote management interface.
GreyNoise also believes that the scans originate from compromised routers in Mexico, where a recent attack by no fewer than five distinct botnets compromised a large number of GPON routers. Once compromised, those routers are used to identify mining rigs that are open to attack; the rigs are then hijacked to mine Ethereum (ETH) and Decred (DCR) cryptocurrencies for the attackers.
“Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the ‘dwarfpool’ mining pool and use the attacker’s ETH wallet,” GreyNoise told Bleeping Computer.
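Two checks a rig operator could run after reading the report above, as an added example that is not part of the article and not code from GreyNoise, Netlab or the Claymore project: the first counts distinct sources probing TCP/3333 in firewall log lines and flags a sweep of the kind described, the second compares the pool host and wallet a miner is configured with against an allowlist, catching the swap to dwarfpool and a foreign wallet that GreyNoise describes. The log lines are constructed in the iptables LOG format, the `min_distinct_sources` threshold, the pool allowlist, the placeholder wallet and the dwarfpool hostname used in the demo are all assumptions; how you obtain the pool and wallet strings (from the rig's config files or its management interface) is left to the operator.

```python
"""Added example: detect a port 3333 sweep in firewall logs and audit a miner's
pool/wallet configuration.  Not code from the article, GreyNoise, Netlab or Claymore."""
import re
from collections import defaultdict

# Port GreyNoise observed being probed (Claymore remote management).
MINING_MGMT_PORT = 3333

# Constructed sample log: iptables LOG lines as they would appear in kern.log.
# Four distinct sources hit 3333 within seconds; one unrelated hit on 22.
SAMPLE_LOG = """\
May 11 03:14:07 rig1 kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=41022 DPT=3333 SYN
May 11 03:14:09 rig1 kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=41023 DPT=3333 SYN
May 11 03:14:12 rig1 kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.5 PROTO=TCP SPT=41024 DPT=3333 SYN
May 11 03:14:15 rig1 kernel: IN=eth0 OUT= SRC=203.0.113.13 DST=198.51.100.5 PROTO=TCP SPT=41025 DPT=3333 SYN
May 11 03:14:20 rig1 kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 SYN
May 11 03:14:22 rig1 kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=41026 DPT=3333 SYN
"""

# Matches the source address and TCP destination port of an iptables LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)")


def port_probes(log_text, port=MINING_MGMT_PORT):
    """Return {source_ip: hit_count} for inbound TCP connections to `port`."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("dport")) == port:
            hits[m.group("src")] += 1
    return dict(hits)


def is_scan_wave(probes, min_distinct_sources=3):
    """Heuristic: many distinct sources hitting the management port looks like an
    internet-wide sweep rather than the operator connecting.  The threshold is an
    illustrative assumption; tune it to your own baseline."""
    return len(probes) >= min_distinct_sources


# --- Configuration audit -----------------------------------------------------
# Assumed operator allowlist and a placeholder wallet; replace with your own.
EXPECTED_POOL_SUFFIXES = ("nanopool.org", "ethermine.org")
EXPECTED_WALLET = "0x" + "ab" * 20


def audit_miner_config(pool, wallet,
                       expected_pool_suffixes=EXPECTED_POOL_SUFFIXES,
                       expected_wallet=EXPECTED_WALLET):
    """Return a list of findings; an empty list means the rig still mines for its
    owner.  `pool` is a host:port string, `wallet` the configured ETH address."""
    findings = []
    host = pool.split(":")[0].lower()
    if not host.endswith(expected_pool_suffixes):
        findings.append(f"pool changed to unexpected host: {host}")
    if wallet.lower() != expected_wallet.lower():
        findings.append(f"wallet changed to {wallet}")
    return findings


if __name__ == "__main__":
    probes = port_probes(SAMPLE_LOG)
    print("sources probing 3333:", probes)
    print("scan wave:", is_scan_wave(probes))
    # Constructed 'after compromise' configuration: dwarfpool host (assumed
    # hostname) and a wallet that is not the operator's.
    hijacked = audit_miner_config("eth-eu.dwarfpool.com:8008", "0x" + "cd" * 20)
    for finding in hijacked:
        print("FINDING:", finding)
```

Both checks are deliberately conservative: a single operator address reconnecting many times will not trip `is_scan_wave`, and the audit reports pool and wallet changes separately so that a legitimate pool migration by the owner is distinguishable from a wallet swap.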