A torrent file is being used to infect unsuspecting users with malware that conducts a distributed password attack against WordPress-powered websites.
The dangers of torrenting are by no means new. In this particular campaign, a user searches to download a movie or software without paying for it. Their favorite search engine yields some relevant files. But the sites hosting them don’t have anything to do with seeding torrent files.
Provided below is one example of these search results, if you happened to be hunting for a torrent of “Baywatch 2017”:
But what if a user really wanted to watch “Baywatch (2017)” now? They might go ahead and click on one of the links. ESET’s research team explains in a blog post what happens next:
“When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice get the victim to run the executable which loads the Sathurbot DLL.”
Upon successful installation, Sathurbot retrieves its command and control (C&C). It can use this server to update itself. It can also run other malicious executables like Kovter and Fleercivet on the victim’s computer.
But that’s not all this malware can do.
The backdoor trojan comes with more than 5,000 generic words that it combines into two-four word query string. It then searches for this query using a search engine like Google and harvests all domain names it finds on the first three pages of search results. At that time, it checks to see if the site is powered by WordPress by testing the URL
http://[domain_name]/wp-login.php for each domain. Every domain that fits the bell moves onto the next round: a password attack involving WordPress’s XML-RPC API.
ESET elaborates on this second-stage technique:
“The client is now ready to get a list of domain access credentials (formatted as
login:password@domain) to probe for passwords. Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted from any targeted site and can revisit it in the future.”
Assuming the malware successfully compromises the site, Sathurbot uses the
libtorrent library to force the WordPress website to download a binary file, create a torrent, and seed it. This completes the infection cycle and helps the trojan reach even more potential victims.
To protect against this campaign, users should probably think twice before downloading a file from anyone other than a respected developer - especially sites that don’t appear to have anything to do with torrenting. At the same time, web admins should consider disabling XML-RPC on their WordPress website and use strong passwords.