
Sathurbot malware hacks WordPress websites

Security researchers from ESET have identified a new malware called Sathurbot. It relies on malicious torrent files to spread to new victims and carries out coordinated brute-force attacks on WordPress sites.

The goal of this malware is to help criminals take over WordPress sites, which they can later use to host anything from SEO spam to malware download pages.

The infection

The infection sequence starts when users search for a movie or software torrent on search engines such as Google or Bing.

On WordPress sites they have already compromised, the attackers create hidden pages that host a torrent download page. Because these pages inherit the original site’s good search engine ranking, some of them appear in top positions in the search listings.

An example of a hidden page with the download link to the malware.


Users who download the torrent will find it very well seeded and therefore assume it is legitimate. The torrent delivers a movie or software file, a codec pack installer, and a text file telling the user that they must run the codec installer first in order to view the movie, or run the EXE file in the case of software.

This installer contains the Sathurbot malware. When it is run, it displays an error message claiming that the download failed, but in reality the Sathurbot infection has already taken place.

The remedy: removing the Sathurbot malware

To find out whether your WordPress website is compromised, check for unknown subpages and/or directories on your hosting provider’s server. If any of them contain references to torrent downloads, also check your logs for attacks and look for possible backdoors.

Change your password and remove all subpages and/or subfolders that do not belong to your website. Alternatively, delete your website completely and restore it from a backup.
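As an added example of the log check suggested above (this is not code from the original post or from ESET's research), the following Python script parses web-server access log lines in the common combined format, counts POST requests to the WordPress credential endpoints wp-login.php and xmlrpc.php, and reports whether the volume looks like a distributed brute-force campaign in which no single IP address crosses a per-address threshold. The sample log lines are constructed for the example, and the thresholds as well as the 200-versus-302 heuristic (WordPress re-renders the login form with HTTP 200 after a failed login and redirects with 302 after a successful one) are assumptions to tune for your own site.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints that accept WordPress credentials (wp-login.php form, XML-RPC API).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample traffic (RFC 5737 documentation addresses, not real clients):
# six different IPs each try a couple of logins, one of them finally gets a 302.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.1 - - [10/Apr/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.1 - - [10/Apr/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.2 - - [10/Apr/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.2 - - [10/Apr/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.3 - - [10/Apr/2017:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.3 - - [10/Apr/2017:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.4 - - [10/Apr/2017:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.4 - - [10/Apr/2017:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2017:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2017:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Apr/2017:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Apr/2017:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Apr/2017:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Apr/2017:10:00:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 41230 "-" "Mozilla/5.0"
203.0.113.2 - - [10/Apr/2017:10:00:25 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path, status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before comparing paths
    return rec


def login_posts(lines):
    """Keep only POST requests to the credential endpoints; GETs just render the form."""
    attempts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts.append(rec)
    return attempts


def analyze(lines, per_ip_threshold=5, global_threshold=10):
    """Summarize login POSTs. A campaign spread across many IPs shows up as a high
    total while every individual address stays under the per-IP threshold, which is
    exactly what a simple per-IP rate limit would miss."""
    attempts = login_posts(lines)
    per_ip = Counter(a["ip"] for a in attempts)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    # Heuristic (assumption): 302 on POST /wp-login.php usually means the password was accepted.
    possible_success = [(a["ip"], a["ts"]) for a in attempts
                        if a["path"] == "/wp-login.php" and a["status"] == 302]
    return {
        "total": len(attempts),
        "distinct_ips": len(per_ip),
        "noisy_ips": noisy,
        "coordinated": len(attempts) >= global_threshold and not noisy,
        "possible_success": possible_success,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against your own access log with `analyze(open("access.log").readlines())`. The interesting output is the combination of `coordinated` being true and `possible_success` being non-empty: the first says a distributed password-guessing run hit the site, the second tells you which address and time to start the investigation from, and any account logged in at that moment should have its password changed.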

ESET said Sathurbot is currently targeting domain names that host WordPress sites, but the malware also looks for Drupal, Joomla, PHP-Nuke, phpFox and DedeCMS sites.