Satori botnet suddenly activated over 280,000 active bots




Cybersecurity experts reported that the new botnet dubbed Satori has been seen active on over 280,000 different IPs within just 12 hours.

Satori in Japanese means "awakening" and is a variant of Mirai IoT DDoS malware.

Li Fengpei of Qihoo 360 Netlab says the Satori variant came to life out of the blue and started scans on ports 37215 and 52869.

However, the Mirai Satori variant differs substantially from all previous pure Mirai variants.

Previous versions of Mirai infected IoT devices and then downloaded a Telnet scanner that tried to find other victims and infect them with the Mirai bot.

The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.

This makes Satori an IoT worm that is able to spread itself without the need for separate components.

Mysterious Huawei exploit (zero-day?)

Li Fengpei says the telemetry collected by Netlab's infrastructure has observed 263,250 different IPs scanning port 37215, and 19,403 IPs scanning port 52869, in just 12 hours. That's over 280,000 bots in half a day.
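As an added illustration (not from the article or from Netlab), the following Python sketch shows how a defender could derive the same kind of telemetry from their own firewall logs: distinct sources probing each Satori port, plus sources whose behaviour looks worm-like (hitting both ports, or fanning out to many hosts). The log format and every IP address are constructed for the example.

```python
import re
from collections import defaultdict

# Ports the Satori variant probes, as reported in the article.
SATORI_PORTS = {37215, 52869}

# Constructed firewall-style log: "<ts> <src_ip> <dst_ip> <dst_port> <tcp_flags>".
SAMPLE_LOG = """\
2017-12-05T10:00:01Z 203.0.113.10 192.0.2.1 37215 SYN
2017-12-05T10:00:02Z 203.0.113.10 192.0.2.2 37215 SYN
2017-12-05T10:00:03Z 203.0.113.10 192.0.2.3 52869 SYN
2017-12-05T10:00:04Z 198.51.100.7 192.0.2.1 37215 SYN
2017-12-05T10:00:05Z 198.51.100.8 192.0.2.1 443 SYN
2017-12-05T10:00:06Z 198.51.100.9 192.0.2.1 52869 SYN
2017-12-05T10:00:07Z 198.51.100.9 192.0.2.2 37215 SYN
2017-12-05T10:00:08Z 203.0.113.10 192.0.2.4 37215 SYN
2017-12-05T10:00:09Z 198.51.100.7 192.0.2.1 37215 ACK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse(log_text):
    """Yield (src, dst, dport) for well-formed SYN lines; ignore everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, src, dst, dport, flags = m.groups()
        if flags != "SYN":          # only connection attempts count as probes
            continue
        yield src, dst, int(dport)


def scanners_per_port(log_text):
    """Distinct source IPs seen probing each Satori port (the metric Netlab reported)."""
    seen = defaultdict(set)
    for src, _dst, dport in parse(log_text):
        if dport in SATORI_PORTS:
            seen[dport].add(src)
    return {port: len(ips) for port, ips in seen.items()}


def worm_like_sources(log_text, min_targets=3):
    """Sources that probe both Satori ports, or fan out to >= min_targets hosts on them."""
    targets, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport in SATORI_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
    return sorted(s for s in targets
                  if ports[s] == SATORI_PORTS or len(targets[s]) >= min_targets)
```

Per-source fan-out across the two ports is the signal that separates the self-propagating worm behaviour described above from an ordinary single-port scan.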




The success of Satori is largely due to the exploit it delivers on port 37215. Judging by Li Fengpei's description, it is evidently a zero-day.

"The one on port 37215 is not fully disclosed yet, our team has been tracking this in the last few days and got quite some insight, but we will not discuss it," Li Fengpei said.




The other exploit, on port 52869, targets a known and old vulnerability in Realtek devices (CVE-2014-8361), which has most likely been fixed on some devices, so scans with this exploit are less successful.

Li Fengpei also points out that there are clues linking the botnet built with the Mirai Satori variant to another Mirai-based botnet that appeared last month and reached about 100,000 bots, most of them located in Argentina.

It is not clear whether the same hacker manages both botnets, but the current Mirai Satori variant and the previous Mirai-based botnet share common filenames, static features, and some of the C2 protocols.
