14 December 2017

The brief awakening of the Satori botnet

Researchers from Qihoo 360 Netlab reported that yet another variant of the Mirai botnet had become active. The Satori botnet's activity took the form of mass scanning of ports 37215 and 52869. In the first 12 hours of monitoring, the botnet was observed to grow by over 280,000 bots. However, only two hours after the researchers published the results of their observations, the botnet suddenly ceased operations.

The new malware has self-propagation functionality and uses two embedded exploits rather than relying on telnet credential brute-forcing. One targets port 37215, presumably exploiting a zero-day vulnerability in Huawei routers. The second, which targets port 52869, exploits an old vulnerability in Realtek devices, CVE-2014-8361. According to Netlab, port 37215 accounted for the majority of the scanning requests.
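Because Satori spreads by scanning two fixed ports, the simplest network-side indicator is a single source opening connections to many distinct hosts on 37215 or 52869. The following script is an added example written for this page, not code from Netlab or from the malware itself: it parses constructed, synthetic flow records (timestamp, source, destination, destination port, protocol, TCP flags) and flags sources that reach a threshold of distinct targets on either port. The record format, the addresses and the threshold are assumptions for illustration.

```python
"""Flag hosts that mass-scan TCP 37215 and 52869 in connection logs.

Added example for this page. The log format below is an assumed,
simplified flow record; adapt parse_flows() to your own telemetry.
"""
from collections import defaultdict

# Ports Satori was observed scanning (from the Netlab report).
SATORI_PORTS = {37215, 52869}

# Constructed sample records, not real captures:
# timestamp src dst dport proto flags
SAMPLE_FLOWS = """\
2017-12-05T10:01:02 198.51.100.7 203.0.113.1 37215 tcp S
2017-12-05T10:01:02 198.51.100.7 203.0.113.2 37215 tcp S
2017-12-05T10:01:03 198.51.100.7 203.0.113.3 37215 tcp S
2017-12-05T10:01:03 198.51.100.7 203.0.113.4 37215 tcp S
2017-12-05T10:01:04 198.51.100.7 203.0.113.5 37215 tcp S
2017-12-05T10:01:04 198.51.100.7 203.0.113.6 37215 tcp S
2017-12-05T10:01:05 198.51.100.7 203.0.113.20 52869 tcp S
2017-12-05T10:01:05 198.51.100.7 203.0.113.21 52869 tcp S
2017-12-05T10:01:06 198.51.100.7 203.0.113.22 52869 tcp S
2017-12-05T10:02:00 192.0.2.5 203.0.113.9 52869 tcp S
2017-12-05T10:02:01 192.0.2.6 203.0.113.9 80 tcp S
2017-12-05T10:02:02 192.0.2.6 203.0.113.9 80 tcp S
2017-12-05T10:03:00 198.51.100.8 203.0.113.30 52869 tcp S
2017-12-05T10:03:00 198.51.100.8 203.0.113.31 52869 tcp S
2017-12-05T10:03:01 198.51.100.8 203.0.113.32 52869 tcp S
2017-12-05T10:03:01 198.51.100.8 203.0.113.33 52869 tcp S
2017-12-05T10:03:02 198.51.100.8 203.0.113.34 52869 tcp S
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts.

    Blank lines and '#' comments are skipped; malformed lines raise
    ValueError so silent data loss does not hide a broken feed.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, flags = line.split()
        rows.append({
            "ts": ts,
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto.lower(),
            "flags": flags,
        })
    return rows


def find_scanners(rows, min_targets=5):
    """Return (src, dport, distinct_targets) for sources that sent SYNs to
    at least min_targets distinct hosts on one of the Satori ports.

    Counting distinct destinations (not packets) avoids flagging a single
    host that legitimately talks to one UPnP endpoint on 52869 repeatedly.
    """
    targets = defaultdict(set)  # (src, dport) -> set of distinct dst
    for r in rows:
        if r["proto"] != "tcp" or r["dport"] not in SATORI_PORTS:
            continue
        if "S" not in r["flags"]:  # only connection attempts count
            continue
        targets[(r["src"], r["dport"])].add(r["dst"])
    return sorted(
        (src, port, len(dsts))
        for (src, port), dsts in targets.items()
        if len(dsts) >= min_targets
    )


if __name__ == "__main__":
    for src, port, n in find_scanners(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} scanned {n} hosts on tcp/{port}")
```

On the sample above, 198.51.100.7 is flagged for port 37215 (six targets) but not for 52869 (three targets, under the threshold), and 198.51.100.8 is flagged for port 52869; the host that contacted one UPnP endpoint once is not reported. Tune min_targets to the size of the network segment being watched, and treat a hit as a lead for host triage rather than proof of infection.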

Netlab experts believe that the upsurge in Satori activity may be connected with another Mirai variant, discovered last month, which infected vulnerable ZyXEL devices. This is supported by the fact that the two variants share some file names and the same C&C protocol.

Source: Qihoo 360 Netlab