StorageCraft Technology Corporation

Sathurbot Trojan Takes Aim at WordPress Sites

Global cyber security giant ESET has documented a Trojan that compromises sites running the popular blogging platform WordPress. The Sathurbot backdoor was first spotted in June 2016, but it resurfaced in April 2017, this time running a botnet that spreads through the torrent ecosystem. Software torrents are a convenient vehicle for malware because what the victim downloads is an executable installer that they then run themselves.

Sathurbot Attack, or Why You Shouldn’t Download Torrents

There are many reasons not to use torrent download websites, and one of them is the risk of downloading viruses or malware. Sathurbot sets the stage for a classic Trojan attack by creating a scenario that is almost too good to be true. Looking for “free” premium content? You may find exactly what you seek, yet get more than you bargained for.

In fact, Google may show relevant results on a site you’ve never used for torrents. But hey, you’re in a rush, and the content you want is at your fingertips with plenty of seeders, so the download should zip along. What you don’t know is that the site has been hijacked to serve the booby-trapped torrent. Whether you’re after a good flick or the latest software, you’ll be the next victim if you go ahead.

Torrent users unlucky enough to run Sathurbot’s installer also load the DLL bundled with it, and that DLL starts the infection. The installer then shows an error message, but by then it is too late: the malware is already working in the background and has added the machine to the Sathurbot botnet. After a reboot, the malware contacts a command-and-control server, which drives everything it does next. For instance, the Trojan can report a successful installation, obtain updates that give it new functionality, or download other malware onto the infected system.

Trojan Targets WordPress Without Getting Blacklisted

Some members of the Sathurbot army are tasked with spreading the infection. Others are instructed to attack WordPress. Armed with a huge list of domains, the attack bots target the XML-RPC API and attempt to log in by brute force: guessing username and password combinations until one works. Note that this does not crack encrypted passwords; it simply tries weak or common ones against the login interface, which is why it works so well on poorly chosen credentials.

A conventional brute force attack from a single machine may try hundreds or thousands of username and password combinations against one site. Sathurbot instead has each bot make a single login attempt per site and then move on to the next target. No single IP address ever produces enough failures to trip a per-IP lockout or get blacklisted, so the same bots can keep attacking in the future, and with thousands of bots in play the botnet as a whole still delivers plenty of guesses to each site.

Recovery and Prevention For WordPress Admins

As of this writing, Sathurbot has infected some 20,000 computers. Because the attack has been so effective, WordPress admins are urged to watch for signs of suspicious activity. Newly published pages and directories you didn’t create, or any mention of torrent downloads in your admin panel, are dead giveaways. You can also examine your server logs for traces of an attack or backdoor. HTTP status codes 401 (unauthorized) and 403 (forbidden) are among the things that might point to an attack during log analysis, but be aware that WordPress answers a failed XML-RPC login with HTTP 200 and an XML-RPC fault in the response body, so the status column alone will not reveal the guessing. The more reliable indicator of Sathurbot is a stream of POST requests to xmlrpc.php from many different addresses, each making only one or two attempts.
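The log analysis described above, written out as an added example (this is not code from the original post, from ESET, or from StorageCraft). It parses combined-format access log lines, keeps the POSTs to xmlrpc.php, and flags both patterns discussed on this page: one address hammering the endpoint (a classic brute force) and the Sathurbot pattern of many distinct addresses each trying once or twice in a short window. The sample log lines are constructed for the example, and the thresholds (ten attempts per IP, five single-shot IPs per five-minute window) are assumptions to tune for your own traffic.

```python
"""Spot XML-RPC login brute forcing in a WordPress access log (added example).

Two patterns are flagged:
  * one source IP hammering xmlrpc.php (classic brute force), and
  * the Sathurbot pattern: many distinct IPs in a short window, each
    sending only one or two POSTs to xmlrpc.php, so no single IP ever
    trips a per-IP lockout or blocklist.

Caveat: WordPress answers a failed XML-RPC login with HTTP 200 and an
XML-RPC <fault> in the body, so the status column does not reveal failed
logins; the request path and the rate are the useful signals here.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def xmlrpc_posts(events):
    """Keep only POST requests to xmlrpc.php (any query string is ignored)."""
    return [e for e in events
            if e["method"] == "POST" and e["path"].split("?")[0] == "/xmlrpc.php"]


def noisy_ips(events, threshold=10):
    """IPs with at least `threshold` xmlrpc POSTs: the single-source brute force."""
    counts = Counter(e["ip"] for e in xmlrpc_posts(events))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_windows(events, window=timedelta(minutes=5), min_ips=5, max_per_ip=2):
    """Fixed time windows in which many distinct IPs each POST to xmlrpc.php only a few times.

    Returns a list of (window_start, single_shot_ip_count, total_posts_in_window).
    """
    posts = xmlrpc_posts(events)
    if not posts:
        return []
    epoch = min(e["ts"] for e in posts)
    buckets = defaultdict(Counter)          # window index -> Counter(ip -> posts)
    for e in posts:
        buckets[int((e["ts"] - epoch) / window)][e["ip"]] += 1
    flagged = []
    for idx in sorted(buckets):
        per_ip = buckets[idx]
        single_shot = sum(1 for n in per_ip.values() if n <= max_per_ip)
        if single_shot >= min_ips:
            flagged.append((epoch + idx * window, single_shot, sum(per_ip.values())))
    return flagged


def _line(ip, hhmmss, method, path, status):
    """Build one constructed combined-format log line (illustrative data only)."""
    return (f'{ip} - - [12/Apr/2017:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log, not captured traffic: six addresses (203.0.113.x)
# each try xmlrpc.php once within a minute, one address (198.51.100.7)
# tries twelve times, plus a few ordinary page views.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.5", "09:58:00", "GET", "/", 200),
     _line("192.0.2.5", "09:58:02", "GET", "/wp-login.php", 200)]
    + [_line(f"203.0.113.{i}", f"10:00:{i * 9:02d}", "POST", "/xmlrpc.php", 200)
       for i in range(1, 7)]
    + [_line("198.51.100.7", f"10:03:{s:02d}", "POST", "/xmlrpc.php", 200)
       for s in range(0, 60, 5)]
    + [_line("192.0.2.9", "10:04:30", "GET", "/?p=12", 200)]
)

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("noisy IPs:", noisy_ips(evts))
    for start, ips, total in distributed_windows(evts):
        print(f"{start:%H:%M:%S}: {ips} single-shot IPs, {total} xmlrpc POSTs in window")
```

On a real server, feed the script the contents of the web server access log instead of SAMPLE_LOG. Sites that legitimately use XML-RPC (for example for remote publishing) will see benign POSTs to xmlrpc.php from known addresses, so raise the thresholds or whitelist those sources before acting on a hit.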

The botnet element of Sathurbot is primarily web-based, so the steps for removal and recovery differ somewhat from how you’d handle a desktop infection. Here are a few steps you can try:

As Always, Backups Can Save the Day

Remember that a good backup plan comes in handy whether your system runs locally or online. Backup vendors like StorageCraft offer complete data protection whether you host data on-site, off-site or in a hybrid environment. There is one more thing to keep in mind when discussing Trojans.

Like most attacks that rely on brute force, Sathurbot gets its best results on sites with weak passwords. That applies not only to WordPress but also to Drupal and other platforms that expose an XML-RPC API. If you’ve been lazy with your password strategy, now is the time to adopt something more secure.

Taking the time to choose a password that is longer and harder to guess may be enough to make the attackers give up and move on to an easier target, at least for the time being.


Categories: Uncategorized
Tags: ransomware, sathurbot, trojan, wordpress attacks
Contel Bradford: Contel Bradford is a professional of many trades: aspiring screenwriter, affiliate marketer in training, published author. He excels at writing articles about internet technology, specializing in topics that range from email marketing and web hosting to social media and SEO. Learn more about this multi-talented man of mystery at contelbradford.com.