"Satori Coin Robber": a terrifying malware that rewrites the wallet address on virtual currency mining PCs and steals all of the mined coins



Malware that infects machines mining virtual currency, rewrites the wallet address in the mining software, and steals all of the mining earnings has been discovered: "Satori Coin Robber". Satori Coin Robber has already been confirmed to be building a botnet, and it continues to take the earnings of PCs whose owners are not aware of the infection.

Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing Wallet Address
http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/

New botnet infects cryptocurrency mining computers, replaces wallet address | Ars Technica
https://arstechnica.com/information-technology/2018/01/in-the-wild-malware-preys-on-computers-dedicated-to-mining-cryptocurrency/

Satori botnet successor targets Ethereum mining rigs | ZDNet
http://www.zdnet.com/article/satori-botnet-successor-targets-ethereum-mining-rigs/

"Satori", a derivative of the "Mirai" malware that infects IoT devices, became a hot topic at the end of 2017 when it attacked IoT equipment. "Satori Coin Robber" is malware built on this IoT-attacking malware to take all of the revenue from virtual currency mining.

Satori Coin Robber infects PCs that use Claymore Mining, software for mining virtual currencies such as Ethereum. Damage has mainly been confirmed on Windows machines. If a PC running Claymore Mining is infected, its virtual currency wallet address, such as its ETH address, is rewritten to the attacker's. Unless the owner notices that the wallet address has been rewritten, the mining PC keeps mining for the attacker.


With Claymore Mining's default settings, the malware appears to get in through port 3333 by exploiting the fact that the port is not protected by a password. After infecting a mining PC, Satori Coin Robber first checks the virtual currency mining status, then updates the reboot batch file, rewrites the wallet address, and restarts the machine with the new wallet address.
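A defender-side check for the tampering described above, as an added example that is not from the original article or from Netlab 360: it audits a miner launch file for a rewritten wallet address and for a management port left enabled without a password. The option names `-ewal`, `-mport` and `-mpsw` are the miner's command-line flags and do not appear in the article; the file contents, addresses and pool host are constructed.

```python
import re

# Constructed sample launch files; addresses and pool host are placeholders.
EXPECTED = "0x1111111111111111111111111111111111111111"
CLEAN = ("EthDcrMiner64.exe -epool pool.example:4444 "
         "-ewal " + EXPECTED + ".rig1 -mport -3333\n")
TAMPERED = ("rem restart script\n"
            "EthDcrMiner64.exe -epool pool.example:4444 "
            "-ewal 0x2222222222222222222222222222222222222222\n")

# Assumption: options appear as "-flag value", on one line or one per line.
FLAG_RE = re.compile(r"(?<!\S)(-ewal|-mport|-mpsw)\s+(\S+)")

def audit_miner_config(text, expected_wallet):
    """Return finding codes for the text of one launch or config file."""
    opts = {}
    for line in text.splitlines():
        if line.strip().lower().startswith(("#", "rem ", "::")):
            continue  # skip comment lines
        opts.update(FLAG_RE.findall(line))
    findings = []
    wallet = opts.get("-ewal")
    if wallet is None:
        findings.append("wallet-missing")
    else:
        # Drop an optional worker suffix such as ".rig1" or "/rig1".
        addr = re.split(r"[./]", wallet, maxsplit=1)[0]
        if addr.lower() != expected_wallet.lower():
            findings.append("wallet-mismatch")
    # An absent -mport is treated as the default described in the article:
    # port 3333 with management enabled.
    try:
        port = int(opts.get("-mport", "3333"))
    except ValueError:
        findings.append("mgmt-port-unparseable")
        port = 0
    # Positive port = management enabled; negative = read-only; 0 = disabled.
    if port > 0 and "-mpsw" not in opts:
        findings.append("mgmt-port-no-password")
    return findings

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_miner_config(text, EXPECTED))
```

Run it on a schedule against the launch batch file and the miner's config file, with the expected address stored somewhere the mining PC cannot modify.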

According to Netlab 360, which reported the damage, Satori Coin Robber was confirmed to be still active as of January 16, 2018. Its hash rate over the last two days reached 1606 MH/s, and Netlab 360 reports that it is taking in 0.1733 ETH (about 20 thousand yen at the time of article creation) in 24 hours.

in Software, Security. Posted by darkhorse_log