Once compromised a WordPress website, the Sathurbot botnet uses it to spread the malware.
The Sathurbot leverages torrents as a delivery mechanism, once a website is compromised it is used to host fake movie and software torrents. When victims search for a movie or a software to download they will receive malicious links instead of torrents.
Users will be served with the movie and the software torrent both containing an executable that once launched is tasked of loading the Sathurbot DLL.
“The movie subpages all lead to the same torrent file; while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file.” reads the analysis published by ESET.”The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice get the victim to run the executable which loads the Sathurbot DLL”
Once executed the Sathurbot Trojan notify the victims that their machine has become a bot in the Sathurbot botnet.
“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.” states ESET.
Once infected the target site, the malware reports its successful installation to the C&C server and communicate also a listening port to the server. Periodically it contacts the C&C and while waiting for additional instructions.
Sathurbot botnet also implement black SEO technique to make malicious links available through the major search engines.
“Sathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines.” continues ESET.
“From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.”
According to the experts, operators of the botnet are also interested in targeting websites running other CMSs such as Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS frameworks.
The bot sends the harvested domains to the C&C formatted as login:[email protected] The credentials are used to gain access to the website, operators implemented a distributed WordPress password attack using different bots to try different login credentials for the same site. The tactic allows attackers to avoid being blocked, each bot only tries a single login per site and moves to the next domain.
“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET adds.
The bot integrates the libtorrent library to implement a Torrent seeder. A binary file is downloaded and a torrent is created.
The experts noticed that not all bots in the network perform all of the above functions, some of them only work as web crawlers, others are used to brute force the websites and not all bots work as a seeder.
“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, is the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.” concludes ESET.
Experts speculate the Sathurbot botnet has been active since at least June 2016.
“Through examination of logs, system artifacts and files, the botnet consists of over 20,000 infected computers and has been active since at least June 2016.”
(Security Affairs – Sathurbot botnet, WordPress)