This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.
The torrent leecher
Looking to download a movie or software without paying for it? There might be associated risks. It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised.
Some examples of search results:
Clicking on some of those links returns the pages below (notice how some even use HTTPS):
The movie subpages all lead to the same torrent file, while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim to run the executable, which loads the Sathurbot DLL.
After you start the executable, you are presented with a message like this:
While you ponder your options, bad things start to happen in the background. You have just become a bot in the Sathurbot network.
Backdoor and downloader
On startup, Sathurbot retrieves its C&C with a query to DNS. The response comes as a DNS TXT record. Its hex string value is decrypted and used as the C&C domain name for status reporting, task retrieval and to get links to other malware downloads.
Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.
Sathurbot then reports its successful installation, along with a listening port, to the C&C. Periodically, it reports to the C&C that it is alive and well, waiting for additional tasks.
Sathurbot comes with some 5,000-plus basic generic words. These are randomly combined into 2-4 word phrases that are used as query strings for the Google, Bing and Yandex search engines.
From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.
Finally, the second set of search results (up to first three pages) are harvested for domain names.
The extracted domain names are all subsequently probed to determine whether the site is built on the WordPress framework. The trick here is to check the response for the URL http://[domain_name]/news.php.
Afterward, the root index page of the domain is fetched and probed for the presence of other frameworks, namely Drupal, Joomla, PHP-NUKE, phpFox and DedeCMS.
Upon startup, or at certain time intervals, the harvested domains are sent to the C&C (a different, hardcoded domain from the one used by the backdoor).
Distributed WordPress password attack
The client is now ready to get a list of domain access credentials (formatted as login:password@domain) to probe for passwords. Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and then moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted by any targeted site and can revisit it in the future.
During our testing, lists of 10,000 items to probe were returned by the C&C.
For the attack itself, the XML-RPC API of WordPress is used. In particular, the wp.getUsersBlogs method is abused. A typical request looks like:
The sequence of probing a number of domain credentials is illustrated in the following figure:
The response is evaluated and results posted to the C&C.
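Because wp.getUsersBlogs takes a username and password as its first two parameters, every call to it is an authentication attempt, which is what makes it useful for password guessing and equally useful as a detection point. The following Python is an added example written for this article's readers, not code from ESET or from WordPress. It inspects the body of a POST to /xmlrpc.php, extracts the method being called, and counts credential attempts. It goes slightly beyond the article by also unwrapping system.multicall, a standard XML-RPC batching method that can carry several wp.getUsersBlogs calls in one HTTP request, so that a per-request counter does not under-count. The sample request bodies are constructed, not captured traffic.

```python
import xml.etree.ElementTree as ET

# Methods whose first two parameters are username and password. Only
# wp.getUsersBlogs (named in the article) is listed; add other authenticated
# WordPress methods here if you want them counted too.
CREDENTIAL_METHODS = {"wp.getUsersBlogs"}

# Constructed sample bodies (not real Sathurbot traffic).
SAMPLE_LOGIN_PROBE = """<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>Password123</string></value></param>
  </params>
</methodCall>"""

SAMPLE_MULTICALL = """<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>guess1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>guess2</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>guess3</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

SAMPLE_BENIGN = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://example.org/post/1</string></value></param>
    <param><value><string>http://example.com/post/2</string></value></param>
  </params>
</methodCall>"""


def parse_methods(body):
    """Return (top_level_method, [invoked_methods]).

    For an ordinary call the list holds the single method name. For
    system.multicall it holds every nested methodName, so a batch of login
    attempts is counted as the number of attempts it actually carries.
    """
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return "", []
    top = root.findtext("methodName", default="").strip()
    if top != "system.multicall":
        return top, [top]
    nested = []
    for struct in root.iter("struct"):
        for member in struct.findall("member"):
            if member.findtext("name", default="").strip() == "methodName":
                nested.append(member.findtext("value/string", default="").strip())
    return top, nested


def assess_request(body):
    """Classify one POST /xmlrpc.php body for logging or throttling decisions."""
    try:
        top, methods = parse_methods(body)
    except ET.ParseError:
        # Malformed XML is worth recording on its own; WordPress will reject it.
        return {"malformed": True, "multicall": False, "methods": [], "credential_attempts": 0}
    attempts = sum(1 for m in methods if m in CREDENTIAL_METHODS)
    return {
        "malformed": False,
        "multicall": top == "system.multicall",
        "methods": methods,
        "credential_attempts": attempts,
    }


if __name__ == "__main__":
    for name, body in [("single probe", SAMPLE_LOGIN_PROBE),
                       ("multicall", SAMPLE_MULTICALL),
                       ("pingback", SAMPLE_BENIGN)]:
        print(name, assess_request(body))
```

The credential_attempts figure is the number to feed into whatever throttle or alert you run on xmlrpc.php; counting HTTP requests alone would score the multicall sample as one attempt rather than three.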
Torrent client – seeder
The bot has the libtorrent library integrated, and one of its tasks is to become a seeder: a binary file is downloaded, a torrent is created from it, and the torrent is seeded.
The BitTorrent bootstrap
That completes the cycle from a leecher to an involuntary seeder:
Note: Not every bot in the network performs all of these functions; some are just web crawlers, some only attack the XML-RPC API, and some do both. Also, not every bot appears to be seeding a torrent.
The above-mentioned attempts on /news.php from a multitude of users, even against websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.
Through examination of logs, system artifacts and files, we estimate that the botnet consists of over 20,000 infected computers and has been active since at least June 2016.
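The one-login-per-site design described above means that per-IP lockout and fail2ban-style rules never fire: each source address shows up once and leaves. What does stand out in a web server log is the shape of the traffic, many distinct addresses each sending one or two requests to the same path inside a short window, including GET /news.php probes that return 404 on sites that were never WordPress. The following Python is an added example for defenders, not code from ESET's write-up. It parses Apache/nginx "combined"-format access log lines, buckets the two request types the article names by hour, and flags buckets where the distinct-IP count is high while the per-IP count stays low. The log lines are constructed; the thresholds are parameters you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The two request types the article attributes to Sathurbot bots.
WATCHED = {("GET", "/news.php"), ("POST", "/xmlrpc.php")}

# Constructed sample (TEST-NET addresses, not real traffic): six distinct IPs
# each POST once to xmlrpc.php, five others each probe /news.php once on a site
# that has no such page (404), and one ordinary visitor browses normally.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2017:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Apr/2017:10:02:45 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Apr/2017:10:04:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Apr/2017:10:07:19 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Apr/2017:10:09:51 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.15 - - [10/Apr/2017:10:11:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Apr/2017:10:12:02 +0000] "GET /news.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.21 - - [10/Apr/2017:10:15:44 +0000] "GET /news.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.22 - - [10/Apr/2017:10:18:27 +0000] "GET /news.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.23 - - [10/Apr/2017:10:22:09 +0000] "GET /news.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.24 - - [10/Apr/2017:10:26:55 +0000] "GET /news.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:10:30:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2017:10:30:05 +0000] "GET /about/ HTTP/1.1" 200 3072 "http://example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop query string before matching
    return {
        "ip": m["ip"],
        "hour": ts.strftime("%Y-%m-%d %H"),
        "method": m["method"],
        "path": path,
        "status": int(m["status"]),
    }


def distributed_probes(lines, min_distinct_ips=5, max_per_ip=2):
    """Flag (hour, method, path) buckets hit by many IPs that each sent few requests.

    That profile (wide, shallow) is what a one-attempt-per-bot botnet looks like,
    and it is invisible to any rule that counts failures per source address.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # key -> ip -> request count
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["method"], rec["path"]) not in WATCHED:
            continue
        buckets[(rec["hour"], rec["method"], rec["path"])][rec["ip"]] += 1

    alerts = []
    for (hour, method, path), per_ip in sorted(buckets.items()):
        if len(per_ip) >= min_distinct_ips and max(per_ip.values()) <= max_per_ip:
            alerts.append({
                "hour": hour,
                "request": f"{method} {path}",
                "distinct_ips": len(per_ip),
                "requests": sum(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in distributed_probes(SAMPLE_LOG.splitlines()):
        print(alert)
```

On a real server, raise min_distinct_ips well above the site's normal hourly count of legitimate XML-RPC clients (mobile apps and Jetpack-style services do use it), and treat /news.php 404s from many addresses as a strong signal on any site that never had such a page.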
Occasionally, we have seen torrent links being sent by email as well.
Detection
Web Admins – Check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check the logs for attacks and possible backdoors.
Users – Run Wireshark with the filter http.request while no web browser is open and look for an excessive number of requests such as GET /news.php and/or POST /xmlrpc.php. Alternatively, check for the files or registry entries listed in the IoC section, below.
ESET users are protected from this threat on multiple levels.
Removal
Web Admins – Change passwords, remove subpages that do not belong to the site, and optionally wipe and restore the site from a backup.
Users – Using a third-party file manager, find the suspect .DLL (note that the files and directories have the hidden attribute set), open Process Explorer or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected .DLL, and reboot.
Note: this will remove Sathurbot only, and not any other malware it may have also downloaded.
Alternatively, consider a comprehensive anti-malware product, or at least an online scanner.
Prevention
Web Admins – If the normal functioning of the website does not require the XML-RPC API, disable it, and use complex passwords.
Users – Avoid running executables downloaded from sources other than respected developers, and avoid downloading files from sites not designed primarily as file-sharing sites.
IoCs
Currently, we have observed Sathurbot installing to: