20,000-bots-strong Sathurbot botnet grows by compromising WordPress sites

A 20,000-bots-strong botnet is probing WordPress sites, trying to compromise them and spread a backdoor downloader Trojan called Sathurbot as far and as wide as possible.

Sathurbot: A versatile threat

“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list,” the researchers noted.

Sathurbot is also a web crawler, and searches for domain names that can be probed to see whether they have been created through WordPress (i.e if /wp-login.php is present).

A list is compiled, and the botnet is used to try different login credentials on each site, in the hope that the password will be the right one and access will be granted.

“Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted from any targeted site and can revisit it in the future,” the researchers explained.

As all this is going on, the Trojan also functions as a seeder for the malicious torrents. But not all instances do this. In fact, not all bots are web crawlers, but apparently all are involved in trying out login credentials on targeted sites.

How Sathurbot spreads

Sathurbot has been around since at least June last year, and spreads mostly by enticing users to download supposed pirated content (movies or software) via torrent files offered on compromised (mostly WordPress) pages.

“The movie subpages all lead to the same torrent file; while all the software subpages lead to another torrent file,” ESET researchers shared.

“When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice get the victim to run the executable which loads the Sathurbot DLL.”

Downloading and starting the executable will trigger pop-up windows saying that there is an error with the file, but that’s just a red herring: in the background, the malware is installed, contacts a C&C server, and awaits for instructions.

The attackers’ end goal

The attackers are probably trying to compromise as many computers as possible so that they can install specific malware onto them when paid to do so.

ESET has some good advice on how to protect your WP installations from it, and to clean them if they have been compromised.

Users are advised to avoid both running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.