A new Trojan was discovered recently, and this is bad news for everyone who uses torrents. A Trojan called Sathurbot hides in torrent files, infects computers and steals WordPress passwords.
More than a quarter of websites on the Internet use WordPress, which makes it the largest and most supported CMS tool in the field, and with that in mind, good security is not optional. Several layers of protection are in use, such as authentication barriers with administrator privileges and logins. Still, WordPress cannot do much if the user is the one who compromises the device.
A Trojan called Sathurbot was recently discovered and investigated by ESET, a cybersecurity company. The malware was found hiding in torrent files, mostly the most popular ones with high chances of being downloaded, which is a pretty safe bet considering how popular downloading entertainment content is. Once the infected file is downloaded, Sathurbot continues its work by compromising the user’s WordPress account.
Most of the users whose WordPress was infected were only searching for a movie by typing a movie title and “torrent” next to each other. They got many options to choose from, and many of those options were probably already infected with Sathurbot.
In the example that ESET has provided, many of the hosting pages tried to lure users in and trick them into downloading the same file. There’s one file for all the movie subpages, and another for all the software subpages.
ESET’s security expert, Urban Schrott, has stated that the files appear to be legitimate and that they’re well seeded, which is, of course, not the case.
The movie file contains a video, a codec pack installer, and a text file that’s supposed to explain what to do next.
The software file contains a similar text file and an installer executable. Both installers actually contain the Sathurbot DLL, which activates after the unsuspecting victim runs them.
Once the .exe files are run, Sathurbot takes control and the user is doomed. Sathurbot gains the ability to download additional malware, and the infected computers become leechers. Sathurbot can even update itself, download more executables and run them by itself, says Schrott. He also said that variations of Kovter, Boaxxe, and Fleercivet were noticed, but that’s probably not the complete list and more are expected to be there.
In addition to this primary attack, Sathurbot also tries to gain as many domain access credentials as possible, and WordPress is first on its list of targets.
The only way to prevent this is to be extra careful about where you get your files from and to avoid running executables from unknown sources.
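As an added illustration (not from ESET or the original article), the following check reads a .torrent file's metadata before anything is opened and flags the bundle shape described above: a video or text file shipped together with an installer executable. The extension list, the function names and the sample metadata are assumptions constructed for this example.

```python
import os

# Assumed extension list for files that run code on Windows (not from the article).
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".com", ".dll", ".vbs", ".lnk"}


def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                              # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                      # list l...e / dict d<key><value>...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        value = items if c == b"l" else dict(zip(items[0::2], items[1::2]))
        return value, i + 1
    colon = data.index(b":", i)                # byte string: <length>:<bytes>
    start = colon + 1
    end = start + int(data[i:colon])
    return data[start:end], end


def torrent_files(raw):
    """Return the file paths listed in a .torrent's info dictionary."""
    info = bdecode(raw)[0][b"info"]
    if b"files" not in info:                   # single-file torrent
        return [info[b"name"].decode("utf-8", "replace")]
    return ["/".join(part.decode("utf-8", "replace") for part in f[b"path"])
            for f in info[b"files"]]


def flag_executables(raw):
    """Return listed paths whose extension marks them as runnable on Windows."""
    return [p for p in torrent_files(raw)
            if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS]


# Constructed sample metadata mimicking the movie bundle: video, installer, text file.
SAMPLE = (b"d4:infod5:filesl"
          b"d6:lengthi734003200e4:pathl9:movie.aviee"
          b"d6:lengthi1048576e4:pathl20:codec_pack_setup.exeee"
          b"d6:lengthi512e4:pathl10:readme.txtee"
          b"e4:name12:Sample.Moviee"
          b"e")

if __name__ == "__main__":
    print(flag_executables(SAMPLE))
```

A video does not need a bundled installer to play, so any hit on a torrent advertised as a movie is reason enough to discard the download.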