From 56d5ab9afaf238f5c4d83a1b75a5fbfeae022529 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Wed, 20 Dec 2017 11:25:06 +0100
Subject: [PATCH] add satori (Mirai Variant)

---
 clusters/tool.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/clusters/tool.json b/clusters/tool.json
index 5424d6ad..76cdddc1 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3187,6 +3187,19 @@
           "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
         ]
       }
+    },
+    {
+      "value": "Satori",
+      "description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/",
+          "https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant"
+        ],
+        "synonyms": [
+          "Okiru"
+        ]
+      }
     }
   ]
 }