SecurityWeek

Cybercrime

Sathurbot Botnet Targets WordPress Accounts

A recently observed backdoor Trojan is ensnaring victims’ computers into a botnet that attempts to brute-force its way into WordPress accounts. The compromised WordPress sites are then used to spread the malware further.

Dubbed Sathurbot, the backdoor Trojan uses torrents as a delivery medium. Compromised websites are used to host fake movie and software torrents and, when a user searches the web for a movie or software to download, links to these websites are served instead of legitimate torrents.

Users accessing movie subpages are served with the same torrent file, while those going for software are served a different torrent file. Because the torrents are well-seeded, they might appear legitimate. Both the movie and the software torrent contain an executable and are meant to entice the victim into running it, thus loading the Sathurbot DLL.

Once launched, the malware informs the victim that their machine has become a bot in the Sathurbot network. Sathurbot also retrieves its command and control (C&C) at startup. Communication with the server involves status reporting, task retrieval, and the receiving of links to other malware downloads.

“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list,” ESET security researchers warn.

The malware reports its successful installation and a listening port to the server, and also reports back periodically, while waiting for additional tasks.

Sathurbot comes with some 5,000 plus basic generic words that are randomly combined to form 2-4 word phrases used as query strings via popular search engines. It then selects a random 2-4 word long text chunk from the webpage of each URL in the search results, and uses it for the next round of search queries. The second set of search results is used to harvest domain names.

The threat selects only the domains that are created using WordPress, but it appears that the threat is also interested in the Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS frameworks. The malware sends the harvested domains to the C&C.

The bot then receives a list of domain access credentials (formatted as login:password@domain) that it then probes for access, and ESET says that different bots try different login credentials for the same site. Further, to avoid being blocked, each bot only tries a single login per site and moves to the next domain.

“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET reveals. They also note that the XML-RPC API of WordPress (particularly the wp.getUsersBlogs method) is used in the attack.

The bot also has the libtorrent library integrated, and is designed to become a seeder by downloading a binary file and creating the torrent. However, it appears that not all bots in the network perform all of these functions, as some are only used as web crawlers, others only attack the XML-RPC API, while others do both. Not all bots become seeders either.

“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs,” the security researchers explain.
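The distribution described above (each bot making a single login attempt per site, spread across many sources, against /wp-login.php or the XML-RPC wp.getUsersBlogs method on /xmlrpc.php) defeats the usual per-IP lockout, so a web admin has to look at the campaign as a whole rather than at any one source. The following script is an added example, not code from the article or from ESET: it parses constructed combined-format access log lines and reports the "many sources, one attempt each" shape. The IP addresses, timestamps and thresholds (`min_sources`, `single_attempt_ratio`) are assumptions chosen for the demo.

```python
"""Spot a distributed, one-attempt-per-source login campaign in a web access log.

Added example (not from the SecurityWeek article or ESET's research): each
Sathurbot bot tries one credential per site via POST /wp-login.php or the
XML-RPC wp.getUsersBlogs method (POST /xmlrpc.php), so per-IP rate limits never
fire. The tell is many distinct sources, each with a single attempt.
All log lines below are constructed for this demo.
"""
import re
from collections import Counter

# Apache/nginx "combined" format. The XML-RPC method name lives in the POST
# body, which the access log does not record, so we key on the endpoint path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample: six sources with one POST each, one source with two,
# one visitor who merely loads the login form (GET), and one 302 (likely a
# real login by a legitimate user).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Apr/2017:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.11 - - [06/Apr/2017:10:01:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Apr/2017:10:01:19 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
198.51.100.8 - - [06/Apr/2017:10:01:23 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Apr/2017:10:01:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.45 - - [06/Apr/2017:10:01:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.45 - - [06/Apr/2017:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.99 - - [06/Apr/2017:10:02:10 +0000] "GET /2017/04/hello-world/ HTTP/1.1" 200 15233 "-" "Mozilla/5.0"
203.0.113.99 - - [06/Apr/2017:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2700 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Apr/2017:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
"""


def parse_access_log(text):
    """Return one dict per well-formed line; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entry["path"] = entry["path"].split("?", 1)[0]  # drop any query string
            entries.append(entry)
    return entries


def login_attempts(entries):
    """Only POSTs count; a GET of wp-login.php is just someone loading the form."""
    return [e for e in entries
            if e["method"] == "POST" and e["path"] in LOGIN_ENDPOINTS]


def possible_successes(entries):
    """On a stock WordPress install a failed form login re-renders the page (200)
    while a successful one redirects (302). xmlrpc.php answers 200 either way,
    the fault being inside the XML body, so only wp-login.php is checked here."""
    return [(e["ip"], e["ts"]) for e in login_attempts(entries)
            if e["path"] == "/wp-login.php" and e["status"] == 302]


def assess(entries, min_sources=5, single_attempt_ratio=0.75):
    """Flag the campaign shape: many distinct sources, most with exactly one attempt.
    Thresholds are demo assumptions; tune them to the site's normal login volume."""
    attempts = login_attempts(entries)
    per_ip = Counter(e["ip"] for e in attempts)
    distinct = len(per_ip)
    singles = sum(1 for n in per_ip.values() if n == 1)
    distributed = False
    if distinct:
        distributed = (distinct >= min_sources
                       and singles / distinct >= single_attempt_ratio)
    return {
        "total_attempts": len(attempts),
        "distinct_sources": distinct,
        "single_attempt_sources": singles,
        "distributed_pattern": distributed,
        "top_sources": per_ip.most_common(3),
        "possible_successes": possible_successes(entries),
    }


if __name__ == "__main__":
    for key, value in assess(parse_access_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A per-IP ban rule (fail2ban style) sees only one attempt from 192.0.2.44 and never fires, which is exactly why the article's admins see "a multitude of users" and wonder what is going on; the site-wide ratio is the signal. If XML-RPC is not needed, WordPress's own `xmlrpc_enabled` filter or a web-server deny rule on /xmlrpc.php removes the wp.getUsersBlogs surface entirely, and the same aggregation can then watch /wp-login.php alone.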

Consisting of over 20,000 infected computers, Sathurbot is believed to have been active since at least June 2016.

Related: Many WordPress Sites Hacked via Recently Patched Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
