Sathurbot is a backdoor trojan first identified in June 2016 that primarily spreads by masquerading as pirated content via torrent files on compromised websites. In April 2017, it began spreading via torrents and formed a botnet designed to brute-force weak WordPress administrator accounts. Torrents are typically used to illegally download movie or software files. Movie file torrents contain a file with a video extension containing a codec pack installer, and an explanatory file. Software torrents contain an installer executable and a small text file. Torrent files containing the Sathurbot trojan trick victims into installing the malware component by loading the Sathurbot dynamic-link library (DLL) when the executable is launched. Once the executable initiates, victims receive an error message popup while malicious actions take place in the background. Once a computer system becomes infected, it is added as a bot in the Sathurbot botnet. When the infected system boots up, the bot communicates with its C2 server and obtains links to download additional malware. The bot reports successful installations and listening ports to the C2. Some bots perform all bot functions, including distributing the Sathurbot trojan, while some are web crawlers, instructed to attack the XM-RPC API.

WordPress website administrators are encouraged to check for unknown subpages and/or directories on the server and, if any pages contain references to torrent download offers, examine logs for attacks and possible backdoors. Users are encouraged to run a protocol analyzer to filter for http.request with no browser open, searching for GET /wp-login.php and/or POST /xmlrpc.php requests. Users can also check for files or registry entries for IoCs. To remove the trojan, website administrators should change passwords, remove subpages not belonging to the site, and consider wiping and restoring the site from a backup. Users should use a third-party file manager to find the malicious .DLL, open Process Explorer or Task Manager, kill explorer.exe and/or rundll32.exe, or delete the affected .DLL, and reboot the system. To prevent this threat, website administrators should use complex passwords and disable the XML-RPC API if it is not needed. Users should only download executable files from sources they trust, andonly download files from primary file-sharing sites.

Technical Details

  • ESET researchers detail the Sathurbot trojan, available here.