ESET Uncovers Sathurbot, Distributed WordPress Password Attack

Sathurbot backdoor trojan uses torrents as a delivery medium to compromise weak WordPress administrator accounts.

Looking to download a movie or software without paying for it? There might be associated risks. It just might happen that your favourite search engine returns links to torrents on sites that normally have nothing to do with file sharing and when you begin torrenting in your favourite torrent client, you will find the file is well-seeded and thus appears legitimate.

If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. It is in the “codec pack installer” that the malicious payload is embedded and running it infects the victim’s computer.

The infected computer is then remotely controlled by the attackers and used as part of a botnet, to try to break into various other websites. Through examination of logs, system artefacts and files, ESET researchers found that the current botnet consists of over 20,000 infected computers and has been active since at least June 2016.

ESET Ireland recommends users to avoid running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.

The full analysis of the Sathurbot attack is available on ESET Ireland’s official blog.