A new variant of the Satori botnet has sprung back to life, and this one is hacking into Claymore mining rigs and replacing the device owner’s mining credentials with the attacker’s own.

The attacks started on January 8, a Qihoo 360 Netlab security researcher has told Bleeping Computer. Analysis of the malware’s code suggests the same person behind the original Satori bot is behind this new wave as well.

Brief history of the Satori botnet

The Satori botnet appeared in early December 2017 and was a heavily modified version of the infamous Mirai IoT DDoS malware.

Satori did not use brute-force attacks to break into devices using default and weak credentials —like the original Mirai— but used exploit code to take over devices running with strong credentials, but using old firmware.

The botnet scanned for ports 52869 (CVE-2014-8361 vulnerability in Realtek SDK-based devices) and 37215 (CVE-2017-17215 zero-day in Huawei routers).

Using just these two exploits, Satori amassed between 500,000 and 700,00 bots. Seeing the immediate danger, Internet security groups reacted and took down Satori‘s original C&C servers around mid-December, two weeks after Satori appeared.

Netlab spots Satori.Coin.Robber variant

Now, almost three weeks after the botnet went silent, Netlab researchers have spotted a new Satori variant.

“The infection speed is much slower,” Netlab researcher Li Fengpei told Bleeping Computer via email, “so don’t be panic.”

This new version keeps the old exploits, but also adds another one. The third exploit was a total surprise for researchers because it did not target IoT and networking…