Security firm ESET has reported new attacks associated with an iteration of Sathurbot, a backdoor Trojan that has infected more than 20,000 users. Researchers say that the backdoor has been active since June 2016 and has been using illegal torrents of pirated movies to sneak into victims’ systems. That is not all, however, as Sathurbot is also compromising WordPress sites by brute-forcing login pages with weak admin passwords. This way the Trojan infects more systems, making itself more widespread.
Sathurbot Trojan Distribution Network
As explained by the researchers, users aiming to download torrents (mostly pirated movies) are the main victims of the Trojan:
The movie subpages all lead to the same torrent file, while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate.
The downloaded movie torrent will be a file with a video extension together with a visible codec pack installer and an explanatory text file. The software torrent, too, has an apparent installer executable and a small text file. The end goal here is to lure the potential victim into running the exe, which will load the Sathurbot DLL.
But that’s not all! “It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised,” the research team adds.
Sathurbot Technical Overview
On startup, Sathurbot retrieves its command and control server with a query to DNS. The response comes as a DNS TXT record, ESET’s report reveals.
Its hex string value is decrypted and used as the command and control domain name for status reporting, task retrieval and to get links to other malware downloads.
Additionally, the Sathurbot backdoor can update itself, and it can download and start other executables. ESET has seen variations of Boaxxe, Kovter and Fleercivet, but more malware instances can be used as well.
Sathurbot’s Web Crawler
The Trojan is equipped with over 5,000 basic generic words, randomly combined to form a 2-4 word phrase which is used as a query string on Google, Bing and Yandex.
From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.
The second batch of search results is collected for domain names. Each domain is then checked to see whether it runs WordPress. More specifically, the response for the URL http://[domain_name]/wp-login.php is checked.
The checks are not limited to the WordPress framework, however. In the next stage, the root index page of the domain is fetched and checked for the presence of other frameworks such as Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS. The harvested domains are also sent to a command and control server. This domain is different from the one used by the backdoor, and it is hardcoded.
“Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted from any targeted site and can revisit in the future,” the researchers conclude.
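The single-login-per-bot design described above means a per-source-IP block or rate limit never fires. The following is an added detection example (not ESET's code and not the malware's) that instead aggregates failed wp-login.php POSTs by target site within a time window; the Apache/nginx combined log format, the thresholds and the sample IPs are assumptions.

```python
"""Detect a distributed, one-login-per-IP burst against wp-login.php.
Added example, not ESET's or Sathurbot's code; log format and sample lines
are constructed. A per-IP limit never fires here, so aggregate by target."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_login_posts(lines):
    """Yield (timestamp, ip, status) for each POST to /wp-login.php."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], int(m["status"])


def detect_distributed_bruteforce(lines, window=timedelta(minutes=10), min_sources=5):
    """Return the first window in which at least min_sources distinct IPs each
    fail a wp-login.php POST exactly once (the low-and-slow pattern), else []."""
    # WordPress answers a failed login with 200 (form re-shown); success is a 302.
    events = sorted(e for e in parse_login_posts(lines) if e[2] != 302)
    attempts_per_ip = Counter(ip for _, ip, _ in events)
    for start, _, _ in events:
        in_window = {ip for ts, ip, _ in events if start <= ts < start + window}
        single_shot = {ip for ip in in_window if attempts_per_ip[ip] == 1}
        if len(single_shot) >= min_sources:
            return [{"start": start, "distinct_ips": len(in_window),
                     "single_attempt_ips": len(single_shot)}]
    return []


# Constructed sample: five bots, one failed POST each, unrelated GET noise,
# plus one legitimate admin whose successful login redirects (302).
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Apr/2017:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120',
    '198.51.100.23 - - [10/Apr/2017:09:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4120',
    '203.0.113.7 - - [10/Apr/2017:09:01:02 +0000] "GET /index.php HTTP/1.1" 200 9876',
    '198.51.100.44 - - [10/Apr/2017:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4120',
    '198.51.100.61 - - [10/Apr/2017:09:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4120',
    '198.51.100.85 - - [10/Apr/2017:09:03:45 +0000] "POST /wp-login.php HTTP/1.1" 200 4120',
    '192.0.2.5 - - [10/Apr/2017:09:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(detect_distributed_bruteforce(SAMPLE_LOG))
```

Run against a real access log, the same function highlights a site under this kind of attack even though no single IP exceeds one attempt.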
To avoid unwanted intrusions, make sure to keep your system protected at all times.