A recently observed backdoor Trojan is ensnaring victims’ computers into a botnet that attempts to brute-force its way into WordPress accounts. The compromised WordPress sites are then used to spread the malware further.
Dubbed Sathurbot, the backdoor Trojan uses torrents as a delivery medium. Compromised websites are used to host fake movie and software torrents and, when a user searches the web for a movie or software to download, links to these websites are served instead of legitimate torrents.
Users accessing movie subpages are all served the same torrent file, while those going for software are served a different torrent file. Because the torrents are well-seeded, they might appear legitimate. Both the movie and the software torrent contain an executable and are meant to entice the victim into running it, thus loading the Sathurbot DLL.
Once launched, the malware informs the victim that their machine has become a bot in the Sathurbot network. Sathurbot also retrieves its command and control (C&C) server address at startup. Communication with the server involves status reporting, task retrieval, and the receiving of links to other malware downloads.
“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list,” ESET security researchers warn.
The malware reports its successful installation and a listening port to the server, and also reports back periodically, while waiting for additional tasks.
Sathurbot comes with more than 5,000 basic, generic words that are randomly combined to form 2-4 word phrases used as query strings via popular search engines. It then selects a random 2-4 word long text chunk from the webpage of each URL in the search results, and uses it for the next round of search queries. The second set of search results is used to harvest domain names.
Although the bot selects only domains built on WordPress, it appears that the threat is also interested in the Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS frameworks. The malware sends the harvested domains to the C&C.
The bot then receives a list of domain access credentials (formatted as login:password@domain) that it probes for access, and ESET says that different bots try different login credentials for the same site. Further, to avoid being blocked, each bot only tries a single login per site before moving on to the next domain.
“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET reveals. They also note that the WordPress XML-RPC API (specifically the wp.getUsersBlogs method) is used in the attack.
The bot also has the libtorrent library integrated, and is designed to become a seeder by downloading a binary file and creating the torrent. However, it appears that not all bots in the network perform all of these functions, as some are only used as web crawlers, others only attack the XML-RPC API, while others do both. Not all bots become seeders either.
“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs,” the security researchers explain.
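The log pattern the researchers describe (many distinct source addresses, each making a single POST to /wp-login.php or /xmlrpc.php, plus XML-RPC calls to wp.getUsersBlogs) is what a site administrator can actually look for. The following Python is an added example written for this article; it is not code from ESET or from the Sathurbot analysis. The access-log lines, IP addresses and XML-RPC body are constructed, and the thresholds (at least 5 distinct IPs, 80% of them with a single attempt) are assumptions chosen to illustrate the one-login-per-site behaviour, not values taken from the research.

```python
"""Spot the distributed, one-attempt-per-IP login probing described in the
article, and identify wp.getUsersBlogs calls in XML-RPC request bodies.
All sample data below is constructed for this example."""
import re
from collections import Counter
from xml.etree import ElementTree as ET

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The two WordPress authentication surfaces named in the article.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log: six bots, five of which make exactly one attempt.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2017:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Apr/2017:08:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:08:01:19 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Apr/2017:08:01:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2017:08:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Apr/2017:08:01:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.46 - - [10/Apr/2017:08:01:40 +0000] "GET /index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:08:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Constructed XML-RPC body of the kind a WordPress site would receive.
SAMPLE_XMLRPC = """<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>[password]</string></value></param>
  </params>
</methodCall>"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_attempts_by_ip(lines):
    """Count POSTs to the WordPress login surfaces per source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            counts[rec["ip"]] += 1
    return counts


def distributed_bruteforce(lines, min_ips=5, max_attempts_per_ip=1, min_ratio=0.8):
    """Flag the one-attempt-per-bot pattern: many distinct IPs, most of which
    make no more than max_attempts_per_ip login POSTs.  Thresholds are assumed.
    Returns (flagged, distinct_ips, low_volume_ips)."""
    counts = login_attempts_by_ip(lines)
    if not counts:
        return False, 0, 0
    low = sum(1 for n in counts.values() if n <= max_attempts_per_ip)
    flagged = len(counts) >= min_ips and low / len(counts) >= min_ratio
    return flagged, len(counts), low


def xmlrpc_method(body, max_len=64_000):
    """Return the methodName of an XML-RPC request body (e.g. 'wp.getUsersBlogs'),
    or None if it is oversized or not a well-formed methodCall.  Access logs do not
    carry request bodies, so this belongs in a WAF rule or application-level hook."""
    if len(body) > max_len:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.findtext("methodName")
    return name.strip() if name else None


if __name__ == "__main__":
    flagged, ips, low = distributed_bruteforce(SAMPLE_LOG.splitlines())
    print(f"distributed probing: {flagged} ({low} of {ips} IPs made a single attempt)")
    print("xml-rpc method:", xmlrpc_method(SAMPLE_XMLRPC))
```

Because each bot makes only one attempt per site, per-IP rate limiting or fail2ban-style lockouts will not trigger; the useful signal is the number of distinct sources hitting the login endpoints in a window, which is what `distributed_bruteforce` measures. Sites that do not need XML-RPC can additionally block or log POSTs to /xmlrpc.php at the web server.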
Consisting of over 20,000 infected computers, Sathurbot is believed to have been active since at least June 2016.