Movie piracy is alive and well, and so are the bad actors who prey on the pirates.
ESET has uncovered a new ecosystem built around the Sathurbot backdoor Trojan: a botnet of more than 20,000 infected computers. This iteration has been active since at least June 2016 and mainly uses illegal torrents, especially pirated film downloads, as its delivery medium. It also brute-forces weak WordPress administrator passwords to aid its distribution.
“It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing,” explained the researchers, in an analysis. “They may, however, run WordPress and have simply been compromised.”
ESET found that the film-lure subpages all lead to the same torrent file, while the campaign's fake software-download pages lead to a second one. In both cases the perpetrators have taken steps to stay stealthy and avoid tipping off the target.
“When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate,” the researchers said. “If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice [get] the victim to run the executable which loads the Sathurbot DLL.”
If the target runs the executable, the machine becomes a bot in the Sathurbot network. From there, Sathurbot can update itself and download and launch other malware, including Boaxxe, Kovter and Fleercivet. Mostly, though, it sets about compromising more websites in order to propagate.
ESET found that Sathurbot is, for now, primarily harvesting domain names of WordPress sites, though it also looks for Drupal, Joomla, PHP-NUKE, phpFox and DedeCMS. Once it has identified suitable sites, it probes for access credentials (formatted as login:password@domain).
“Different bots in Sathurbot’s botnet try different login credentials for the same site,” the researchers explained. “Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted from any targeted site and can revisit it in the future.”
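The single-attempt-per-IP design described in the quote above is built to defeat per-IP lockouts and blacklists, so detecting it means aggregating login attempts per target site across source addresses rather than per source. The following is an added example, not ESET's code or the article's own, that does that over constructed Apache/nginx combined-format log lines. The status-code heuristic it uses to separate failed from successful logins (200 for a re-rendered login form, 302 for a redirect into wp-admin) is an assumption about default WordPress behaviour.

```python
"""Spot a distributed, one-attempt-per-IP WordPress login campaign in access
logs. Added example, not code from ESET or the article; the log lines below
are constructed to mimic the behaviour the researchers describe."""
import re
from collections import Counter

# Combined-log-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse(lines):
    """Yield parsed entries, skipping lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_login_post(entry):
    """True for a POST to wp-login.php, ignoring any query string."""
    return entry["method"] == "POST" and entry["path"].split("?")[0] == "/wp-login.php"


def analyze(lines, per_ip_threshold=5, min_sources=10):
    """Classify login traffic two ways: the per-IP counting that a lockout
    plugin does, and a per-site count of single-attempt sources that a
    per-IP lockout never sees.

    Assumption: WordPress answers a failed login with HTTP 200 (the form is
    re-rendered with an error) and a successful one with a 302 redirect into
    wp-admin, so the status code separates failures from successes."""
    posts = [e for e in parse(lines) if is_login_post(e)]
    failed = [e for e in posts if e["status"] == "200"]
    successes = sorted({e["ip"] for e in posts if e["status"] == "302"})
    per_ip = Counter(e["ip"] for e in failed)
    noisy = {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}
    single_shot = sorted(ip for ip, n in per_ip.items() if n == 1)
    return {
        "failed_attempts": len(failed),
        "per_ip_lockout_would_catch": noisy,
        "distributed_sources": single_shot,
        "distributed_campaign": len(single_shot) >= min_sources,
        "successful_logins": successes,
    }


def _line(ip, sec, method, path, status):
    return (f'{ip} - - [07/Apr/2017:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')


# Constructed sample: twelve bots each try exactly once and fail, a thirteenth
# bot's single guess succeeds, one conventional brute-forcer hammers from a
# single IP, and an ordinary visitor loads the home page.
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", i, "POST", "/wp-login.php", 200) for i in range(1, 13)]
    + [_line("203.0.113.13", 13, "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.20", 20 + i, "POST", "/wp-login.php", 200) for i in range(6)]
    + [_line("198.51.100.7", 30, "GET", "/index.php", 200)]
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the per-IP threshold catches only the single noisy address; the twelve one-shot sources stay below any per-IP limit and only show up when counted together against the site. The one 302 marks the bot whose guess landed, and that is the login to investigate first. In practice the same counting runs over a sliding time window rather than a whole file, and the source count should be compared with the site's normal number of distinct administrators.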
The idea, of course, is to compromise as many sites, and therefore as many end users, as possible, building a large botnet primed to deliver whatever payload for-hire clients want.
ESET recommends that web admins check their servers for unknown subpages and directories; if any contain references to torrent download offers, they should check logs for attacks and possible backdoors, change passwords, remove subpages that do not belong to the site, and optionally wipe the site and restore it from a backup.
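One concrete way to run the first of these checks, as an added example that is neither ESET's tooling nor the article's code: compare the web root's top-level directories against a baseline of what the site should contain, and search page files for torrent or magnet references. The baseline set and the demo web root (built in a temporary directory) are constructed for the example; a real site's baseline is site-specific and must include its legitimate custom directories.

```python
"""Find subpages that are not part of a site's baseline and page files that
reference torrent downloads. Added example, not ESET's tooling or the
article's code; the web root is constructed in a temporary directory."""
import pathlib
import re
import tempfile

# Strings a planted torrent-lure page is likely to contain.
TORRENT_MARKERS = re.compile(r"\.torrent\b|magnet:\?xt=urn:btih:", re.IGNORECASE)
PAGE_SUFFIXES = {".php", ".html", ".htm", ".txt"}

# Assumed baseline: the directories a stock WordPress install ships with. A
# real site's baseline must also list its own legitimate custom directories.
WP_BASELINE_DIRS = {"wp-admin", "wp-content", "wp-includes"}


def find_suspicious(webroot, baseline_dirs=WP_BASELINE_DIRS):
    """Return top-level directories not in the baseline and page files whose
    contents mention torrent or magnet downloads (paths relative to webroot)."""
    root = pathlib.Path(webroot)
    findings = {"unknown_dirs": [], "torrent_refs": []}
    for child in sorted(root.iterdir()):
        if child.is_dir() and child.name not in baseline_dirs:
            findings["unknown_dirs"].append(child.name)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if TORRENT_MARKERS.search(text):
            findings["torrent_refs"].append(path.relative_to(root).as_posix())
    return findings


def build_demo_root():
    """Construct a fake web root: a stock layout plus one planted lure subpage."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="webroot-"))
    for name in WP_BASELINE_DIRS:
        (root / name).mkdir()
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '4.7';\n")
    lure = root / "watch" / "new-release-hd"
    lure.mkdir(parents=True)
    (lure / "index.php").write_text(
        '<h1>Watch online</h1><a href="/watch/new-release-hd/movie.torrent">Download</a>\n'
    )
    return root


if __name__ == "__main__":
    print(find_suspicious(build_demo_root()))
```

Anything the check reports is a starting point, not a verdict: a hit on the lure pattern should send the admin to the access logs for the first request that created or touched those paths, which is where the compromised credential and any backdoor upload will show up.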