Sathurbot has infected some 20,000 computers thus far

Apr 6, 2017 23:55 GMT

Online piracy is here and clearly isn't going anywhere anytime soon. Some actors, however, are taking advantage of it to push a backdoor trojan called Sathurbot onto computers, infecting some 20,000 machines so far.

According to security company ESET, this iteration of Sathurbot has been active since June last year. For the most part it has been using illegal torrents, specifically pirated film downloads, to deliver the trojan. At the same time, it brute-forces its way into WordPress sites with weak admin passwords in order to expand its distribution network.

"It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised," the ESET researchers explain.

According to ESET's analysis, all of the pages advertising free movie downloads lead to the same torrent file, while a second group of pages promoting fake software downloads all lead to a different one.

"When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim to run the executable which loads the Sathurbot DLL," the analysis reads.

What happens next?

As soon as you run the file, a warning appears on the screen, telling you there's a problem with the installation process. Of course, that's not really the case, and the trojan is actually having a big party in the background.

On startup, the Sathurbot trojan retrieves its C&C address with a DNS query. The response is decrypted and used as the C&C domain name for status reporting, task retrieval, and fetching links to other malware downloads.

Sathurbot can update itself, as well as download and start other executables. It then reports its successful installation along with a listening port to the C&C.

According to ESET, Sathurbot primarily harvests domain names of sites running WordPress. It is also interested, however, in Drupal, Joomla, PHP-NUKE, phpFox and DedeCMS. Once it has found suitable sites, it starts brute-forcing their login credentials.

"Different bots in Sathurbot's botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn't get its IP address blacklisted from any targeted site and can revisit in the future," researchers note.
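The one-attempt-per-bot design described above is built to slip under the per-IP rate limits most login-protection plugins use. The following is an added example, not ESET's or the article's code, showing why: it runs a classic per-IP threshold rule and a site-wide distinct-source rule over a few constructed access-log lines. The log layout (Apache/nginx combined format), the treatment of a non-302 response to a wp-login.php POST as a failed login, and the thresholds are assumptions for illustration.

```python
"""Spotting a distributed, one-attempt-per-source login brute force against WordPress.

Added example, not code from ESET or the article. Log lines are constructed below
in Apache/nginx combined format; field layout, status heuristic and thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # assumption: the usual WP login surfaces


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_login_posts(lines):
    """Return login POSTs that did not succeed, sorted by time.

    Heuristic (assumption): WordPress answers a successful wp-login.php POST with a
    302 redirect into wp-admin and re-renders the form with 200 on failure.
    """
    out = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] in LOGIN_PATHS and rec["status"] != 302:
            out.append(rec)
    out.sort(key=lambda r: r["ts"])
    return out


def per_ip_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Classic rule: flag an IP with >= threshold failed login POSTs inside one window."""
    by_ip = defaultdict(list)
    for rec in failed_login_posts(lines):
        by_ip[rec["ip"]].append(rec["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        lo = 0
        for hi in range(len(stamps)):  # sliding window over this IP's own attempts
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_offenders(lines, min_sources=10, window=timedelta(minutes=10)):
    """Site-wide rule: many distinct IPs each failing a login within one window.

    No single IP crosses a per-IP threshold, but the site as a whole sees an unusual
    number of distinct sources failing to log in. Returns the union of IPs seen in
    every window that crosses `min_sources`.
    """
    attempts = failed_login_posts(lines)
    flagged = set()
    lo = 0
    for hi in range(len(attempts)):  # sliding window over all attempts, any source
        while attempts[hi]["ts"] - attempts[lo]["ts"] > window:
            lo += 1
        sources = {r["ip"] for r in attempts[lo:hi + 1]}
        if len(sources) >= min_sources:
            flagged |= sources
    return flagged


def _line(ip, minute, method, path, status):
    """Build one constructed combined-format log line (sample data, not a real capture)."""
    return (f'{ip} - - [06/Apr/2017:10:{minute:02d}:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0"')


# Constructed sample: one legitimate admin login, then twelve bots with one attempt each.
SAMPLE_LOG = [
    _line("203.0.113.7", 0, "GET", "/", 200),               # ordinary page view
    _line("203.0.113.7", 1, "GET", "/wp-login.php", 200),   # admin opens the login form
    _line("203.0.113.7", 1, "POST", "/wp-login.php", 302),  # admin logs in successfully
] + [
    _line(f"198.51.100.{n}", 2 + n % 4, "POST", "/wp-login.php", 200) for n in range(1, 13)
]

if __name__ == "__main__":
    print("per-IP rule flags:", sorted(per_ip_offenders(SAMPLE_LOG)))          # nothing
    print("site-wide rule flags:", sorted(distributed_offenders(SAMPLE_LOG)))  # the 12 bots
```

The per-IP rule never fires because every bot stays at one attempt, which is exactly the behaviour ESET describes; the site-wide rule keys on the count of distinct failing sources instead and surfaces all twelve. In production the same logic is typically fed from a web application firewall or SIEM rather than a raw log file, and the thresholds should be tuned against the site's normal login traffic.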

The end goal is to compromise as many sites as possible in order to create a large botnet that's ready to deliver malicious payloads for clients all over the world.