The operators of the Satori botnet are mass-scanning the Internet for exposed Ethereum mining rigs, according to three sources in the infosec community who've observed the malicious behavior —SANS ISC, Qihoo 360 Netlab, and GreyNoise Intelligence.

More precisely, crooks are scanning for devices with port 3333 exposed online, a port often used for remote management features by a large number of cryptocurrency-mining equipment.

Scans have been taking place for almost a week

The scans started on May 11, according to researchers from Netlab, the first to observe them, and the ones who tied their activity to the Satori botnet.

Do you see port 3333 scan traffic going up? Satori botnet is scanning it now, see our Scanmon trend https://t.co/TyrL4ryt6J, and try a dns lookup for one of the control domain it is using now, dig any https://t.co/DM4JTtXFo3, I personally like yesterday's TXT result more pic.twitter.com/xXUjwjZNdD — 360 Netlab (@360Netlab) May 11, 2018

More details emerged a day later when GreyNoise analysts managed to demystify the scans and analyze the behavior on a compromised device.

GreyNoise says crooks were actively looking for equipment running the Claymore mining software.

GreyNoise observed a large spike of TCP port 3333 scan traffic today. This is the default port for the "Claymore" dual Ethereum/Decred cryptocurrency miner. pic.twitter.com/5g6vVbPLNq — GreyNoise Intelligence (@GreyNoiseIO) May 11, 2018

"Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the 'dwarfpool' mining pool and use the attacker's ETH wallet," GreyNoise says.

GPON routers used to scan and compromise mining rigs

GreyNoise also tied the scans to a group of IP addresses located in Mexico, on the networks two ISPs that just a few days earlier had thousands of GPON routers compromised and attacked by five different botnets.

Based on the current evidence, Satori, one of the five botnets, was using the GPON routers to scan for Claymore miners, deploy an exploit, and hijack the devices to mine Ethereum and Decred cryptocurrencies for the Satori operators.

Yesterday, Netlab researchers published a blog post confirming GreyNoise's initial discovery.

"The source of this [port 3333] scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico," Netlab said

More details emerged later in the evening, as Johannes B. Ullrich of SANS ISC also managed to identify the exploit used by the attackers, a remote code execution flaw (CVE-2018-1000049) affecting the Nanopool Claymore Dual Miner software, for which public proof-of-concept code exists online.

This is not the first time we've seen intense scans for Ethereum mining rigs. A similar wave of scans took place last November.