Full Report
The Satori botnet used embedded exploits to attack ports 37215 and 52869. After growing to roughly 280,000 active bots, it abruptly ceased operations.
Analysis Summary
# Tool/Technique: Satori (Mirai Variant)
## Overview
Satori (also known as Mirai Okiru) is a high-performance IoT botnet designed to compromise connected devices—specifically routers and IP cameras—to conduct large-scale Distributed Denial of Service (DDoS) attacks. Unlike its predecessor Mirai, which relied heavily on telnet brute-forcing, Satori is noted for using embedded remote code execution (RCE) exploits to propagate rapidly across the internet.
## Technical Details
- **Type:** Malware Family (Mirai Variant)
- **Platform:** Linux-based IoT devices (ARC, MIPS, ARM architectures)
- **Capabilities:** Worm-like self-propagation, RCE via embedded exploits, DDoS execution.
- **First Seen:** Approximately November 2017
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0002 - Execution**
  - T1203 - Exploitation for Client Execution
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
- **TA0040 - Impact**
  - T1498.001 - Network Denial of Service: Direct Network Flood
## Functionality
### Core Capabilities
- **Automated Exploitation:** Scans for specific vulnerable ports to deliver malicious payloads without requiring manual credential guessing.
- **Worm-like Propagation:** Once a device is infected, it immediately begins scanning the internet for new victims to infect.
- **DDoS Engine:** Capable of launching various floods (UDP, TCP) against specified targets.
### Advanced Features
- **Zero-Day/N-Day Integration:** Satori became famous for integrating an exploit for a zero-day vulnerability in Huawei HG532 routers.
- **Rapid Scaling:** Due to its use of exploits rather than brute force, it reached a massive scale (approx. 280,000 active bots) in a very short timeframe.
## Indicators of Compromise
- **File Hashes (Generic Satori/Mirai):**
  - SHA256: `7620a23226a2185257ef5e2d6741b8a5fc1a629fb59f8ed61a15383f9828551a`
- **File Names:** `satori.mips`, `satori.arm`, `satori.x86`
- **Network Indicators:**
  - **C2 Domains:** `bin.satori[.]pw`, `cnc.satori[.]pw` (defanged)
  - **Target Ports:** 37215 (Huawei HG532 TR-064), 52869 (Realtek SDK UPnP)
- **Behavioral Indicators:** High-frequency outbound connection attempts on TCP ports 37215 and 52869.
## Associated Threat Actors
- **Nexus Zeta** (The pseudonym of the individual allegedly responsible for creating and operating the Satori variant).
## Detection Methods
- **Signature-based detection:** Monitoring for the specific binary strings associated with the "Satori" or "Okiru" variants in system memory or storage.
- **Behavioral detection:** Identifying internal IoT devices attempting to communicate with external IP addresses on ports 37215 or 52869.
- **Network Traffic Analysis:** Detecting excessive SOAP/XML payloads directed at router management interfaces.
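The behavioral indicator above (an internal IoT device making high-frequency outbound TCP connections to 37215 or 52869) can be turned into a simple detection over flow or connection logs. The following is an added example written for this page, not code from the original report or from any Satori analysis; it uses a constructed, simplified flow-log format, treats the RFC 1918 ranges as "internal" (an assumption about the defender's address space), and uses an illustrative threshold of 10 such connections within a 60-second window.

```python
"""Flag internal hosts sweeping the Satori target ports (TCP 37215 and 52869).

Added example, not part of the original report. Input is a constructed,
simplified flow log with one record per line:
    <epoch_seconds> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
The window and threshold are illustrative assumptions, not values from the page.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Ports named in the report: Huawei HG532 (37215) and Realtek SDK UPnP (52869).
SATORI_PORTS = {37215, 52869}

# Assumption: the monitored network uses the RFC 1918 ranges. Python's
# ip_address().is_private also covers documentation ranges, so the list is explicit.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record; raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
    ts, src, sport, dst, dport, proto = parts
    return Flow(float(ts), src, int(sport), dst, int(dport), proto.lower())


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_suspicious(flow: Flow) -> bool:
    """Outbound TCP from an internal host to an external host on a Satori port."""
    return (
        flow.proto == "tcp"
        and flow.dport in SATORI_PORTS
        and is_internal(flow.src)
        and not is_internal(flow.dst)
    )


def find_scanners(lines, window_s: float = 60.0, threshold: int = 10) -> dict:
    """Return {src_ip: {"peak_per_window": n, "distinct_targets": m}} for internal
    hosts that made at least `threshold` suspicious connections inside any
    `window_s`-second sliding window."""
    events: dict[str, list[Flow]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_suspicious(flow):
            events[flow.src].append(flow)

    flagged = {}
    for src, flows in events.items():
        flows.sort(key=lambda f: f.ts)
        start, peak = 0, 0
        for end in range(len(flows)):
            # Advance the window start until all flows in [start, end] fit in window_s.
            while flows[end].ts - flows[start].ts > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = {
                "peak_per_window": peak,
                "distinct_targets": len({f.dst for f in flows}),
            }
    return flagged


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # Ordinary workstation traffic on 443: ignored.
    "1700000000.0 192.168.1.20 51000 203.0.113.200 443 tcp",
    "1700000001.0 192.168.1.20 51001 203.0.113.201 443 tcp",
    # One outbound hit on 37215 from the workstation: below threshold, not flagged.
    "1700000002.0 192.168.1.20 51002 203.0.113.77 37215 tcp",
    # Inbound probe against the gateway: source is external, so not an internal scanner.
    "1700000003.0 198.51.100.7 40000 192.168.1.1 37215 tcp",
    # LAN-internal UPnP traffic on 52869: destination is internal, not flagged.
    "1700000004.0 192.168.1.30 40001 192.168.1.1 52869 tcp",
] + [
    # An IP camera sweeping 12 distinct external hosts in 22 seconds, alternating ports.
    f"{1700000010 + 2 * i}.0 192.168.1.50 {40100 + i} 203.0.113.{i + 1} "
    f"{37215 if i % 2 == 0 else 52869} tcp"
    for i in range(12)
]

if __name__ == "__main__":
    for host, info in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT {host}: {info['peak_per_window']} Satori-port connections "
              f"in one window to {info['distinct_targets']} distinct external hosts")
```

Only the camera at 192.168.1.50 is reported; the single stray connection from the workstation, the inbound probe, and LAN-internal UPnP traffic all fall outside the rule. Tune the window and threshold to the site's baseline, since a genuinely infected device scans far faster than ten hosts a minute, but a low threshold catches early propagation attempts before the bot ramps up.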
## Mitigation Strategies
- **Patch Management:** Ensure all IoT devices (routers/cameras) are updated to the latest firmware to close known RCE vulnerabilities in their TR-064 and UPnP implementations.
- **Network Segmentation:** Isolate IoT devices from critical business networks to prevent lateral movement.
- **Port Disabling:** Disable UPnP and WAN-side management interfaces (e.g., TR-064) unless strictly necessary.
- **Access Control:** Implement strong firewall rules to block unsolicited incoming traffic on ports 37215 and 52869.
## Related Tools/Techniques
- **Mirai:** The original source code upon which Satori is based.
- **BrickerBot:** A "vigilante" botnet that bricked insecure IoT devices to prevent them from being recruited into botnets like Satori.
- **Hajime:** Another large-scale IoT worm that competes with Satori for device control.