
Sathurbot Malware Spreads via Torrent Files, Attacks WordPress Sites


CrAKeN

Security researchers from ESET have discovered a new malware called Sathurbot that relies on malicious torrent files to spread to new victims and carries out coordinated brute-force attacks on WordPress sites.

 

The purpose of this malware is to help crooks take over WordPress sites, which they can later use to host anything from SEO spam to malware download centers.

 

Searching for movie torrents leads to malware


The infection chain starts when users search for a movie torrent on search engines such as Google, Bing, or Yandex.

Using previously compromised WordPress sites, attackers create hidden pages on these websites where they host a torrent download page. Taking advantage of the original site's good search engine ranking, some of these results appear prominently in search listings.

 

Users that download the torrent will find it very well seeded, mostly by previously infected users. The torrent will download a movie file, a codec pack installer, and a text file explaining to the user that he has to run the codec installer first in order to view the movie.

 

This installer contains the Sathurbot malware. When executed, it will show an error message claiming an error during the download, but in reality, the Sathurbot infection has already taken root by that point.

 

Sathurbot victims search Google for more victims


After installation, Sathurbot performs a DNS query that will return the address of its first C&C (command and control) server. This first C&C server can tell it to perform one of two actions. It can instruct it to download additional malware (Boaxxe, Kovter, or Fleercivet), or perform a series of search queries.

 

While the first action is mundane for most malware botnet operations, the second part is more interesting because it leads to brute-force attacks on WordPress sites.

 

This starts with the C&C server sending the infected PC a list of over 5,000 words. The infected computer chooses 2-4 words, queries Google, Bing, or Yandex, and retrieves the first few pages of results. It then selects another set of 2-4 words commonly found in the first batch of search results and queries the search engines again.

 

Finally, the bot selects the first three search results, extracts the domain names, and tries to identify if any of them is running on WordPress by searching for the http://domain/wp-login.php URL. If the bot finds a WordPress site, it reports the domain to a second C&C server.

 

Infected users employed in password-cracking attacks


This secondary server is where the brute-force attacks are coordinated. The server starts by assigning each bot a username and password to check on each domain. No bot attempts to log into a site more than once, so as to avoid getting blacklisted.

 

According to ESET, the size of this botnet is roughly 20,000 bots, meaning the C&C server has 20,000 tries to guess any site's password.
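The two behaviours described above, a probe of /wp-login.php to confirm a site runs WordPress and then at most one login attempt per bot so that no single address trips a lockout, leave a distinctive trace in the target site's access log: many distinct sources, each posting to wp-login.php exactly once. The following Python is added here as an example and is not code from the article, the forum post or ESET's research. It scans constructed combined-format log lines (the addresses, timestamps and entries are made up for the example), buckets wp-login.php traffic into fixed time windows and flags a window as a distributed password spray when most of the sources made a single attempt. The thresholds and the treatment of a 302 response to a POST as a likely successful login are assumptions for the example, not values from the article.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache/nginx combined log format for one site.
# These are made-up entries, not logs from the article or from ESET.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2017:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2017:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Apr/2017:12:00:19 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2017:12:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2017:12:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Apr/2017:12:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.46 - - [10/Apr/2017:12:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2017:12:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2017:12:03:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2017:12:03:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source address, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def wp_login_entries(lines):
    """Yield parsed entries whose path is wp-login.php (query string ignored)."""
    for line in lines:
        entry = parse_line(line)
        if entry and entry["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield entry


def analyze(lines, window_minutes=10, min_sources=5, single_ratio=0.6):
    """Bucket wp-login.php traffic into fixed windows and score each window.

    A window is flagged as a distributed spray when at least `min_sources`
    distinct addresses submitted the login form and at least `single_ratio`
    of them did so exactly once (the one-attempt-per-bot pattern). Thresholds
    are assumptions for this example, not values from the article.
    """
    buckets = {}
    for entry in wp_login_entries(lines):
        start = entry["ts"].replace(second=0, microsecond=0)
        start = start.replace(minute=start.minute - start.minute % window_minutes)
        buckets.setdefault(start, []).append(entry)

    reports = []
    for start, entries in sorted(buckets.items()):
        probes = {e["ip"] for e in entries if e["method"] == "GET"}
        attempts = [e for e in entries if e["method"] == "POST"]
        per_ip = Counter(e["ip"] for e in attempts)
        distinct = len(per_ip)
        single = sum(1 for n in per_ip.values() if n == 1)
        distributed = distinct >= min_sources and single / distinct >= single_ratio
        reports.append({
            "window_start": start.isoformat(),
            "probe_sources": len(probes),            # GETs: the "is this WordPress?" check
            "attempts": len(attempts),
            "distinct_sources": distinct,
            "single_attempt_sources": single,
            # Classic per-IP rate limiting would only ever catch these.
            "noisy_sources": sorted(ip for ip, n in per_ip.items() if n >= 3),
            # Assumption: WordPress answers a successful login with a 302 redirect
            # and re-renders the form (200) on failure, so a 302 amid a spray
            # deserves a password reset and a look at the site's content.
            "possible_successes": sorted({e["ip"] for e in attempts if e["status"] == "302"}),
            "distributed_spray": distributed,
        })
    return reports


if __name__ == "__main__":
    for report in analyze(SAMPLE_LOG.splitlines()):
        print(report)
```

On the constructed sample, the single 12:00 window shows seven distinct sources behind nine login attempts, six of which posted once, so it is flagged even though only one address (10.0.0.5) would ever exceed a per-IP threshold; the 302 from 192.0.2.45 is surfaced separately as a possible successful login. The point of counting distinct sources per window rather than attempts per source is that it is the only one of the two views in which a one-attempt-per-bot campaign is visible at all.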

 

If they successfully break into a site, the attackers use it to host other torrent files, SEO spam, malware downloads, or C&C servers for other operations. At this point, the entire operation enters a vicious circle.

 

[Image: Sathurbot modus operandi (ESET)]

 

Source
