The Sathurbot botnet performs coordinated brute-force attacks on WordPress-powered websites. The Sathurbot trojan, the malware used to form the botnet, is distributed via malicious torrent files downloaded from previously compromised WordPress websites. These compromised sites are usually ranked high and appear prominently in search engine results when users look for free movies or software to download. Unsuspecting users then visit the compromised site and download the torrent which ultimately contains the Sathurbot trojan hidden within a codec installer. Once the codec installer is executed, Sathurbot installs onto the victim's computer and performs a DNS query to find its first C2 server. The first C2 may instruct Sathurbot to install additional malware or perform a number of search queries. Additionally, this C2 sends the infected computer a list of over 5,000 words and the computer selects two to four words to query via Google, Bing, or Yandex, and then retrieves the first several pages of results. It then selects another set of words commonly found in that batch of search results and performs another query. Lastly, Sathurbot selects the first three search results from that batch, extracts the domain names from them, and determines whether or not those sites are built on the WordPress platform by searching for the http://domain/wp-login.php URL. If a WordPress site is found, Sathurbot sends that information to a second C2 server.

The second C2 server is responsible for coordinating brute-force attacks against additional WordPress sites. The server assigns each of the 20,000 bots in its botnet a username and password to check against each domain. If the targeted website is successfully compromised, the attackers use it to host additional torrent files and malware, SEO spam, or other C2 servers.

To prevent website compromise, the NJCCIC recommends that WordPress website administrators change their passwords and make sure they are lengthy and complex and consider implementing a two-factor authentication (2FA) solution to prevent unauthorized access.

Reporting and Technical Details:

  • April 2017: Sathurbot: Distributed WordPress Password Attack (ESET)