A backdoor Trojan called Sathurbot is hiding in dodgy torrent download files, infecting computers and stealing WordPress administrators’ passwords.
WordPress is used on more than one-quarter of all websites, making the CMS tool a behemoth in its field.
With this powerful position, though, comes great responsibility – security is of the utmost importance.
WordPress puts authentication barriers in the way: logins and administrator privileges live in its back-end. However, WordPress can only do so much if users compromise their own credentials.
Cybersecurity company Eset investigated a Trojan called Sathurbot, a piece of malware hiding in torrents, which grow ever more popular as downloading entertainment content becomes mainstream. Once the torrent's payload has been run, WordPress accounts are compromised.
Users simply searching for a movie title plus 'torrent' are often met with dozens of options to choose from, and that glut of results is what the attack exploits.
In Eset’s Sathurbot example, multiple hosting pages lure in ‘customers’. The movie subpages all lead to the same torrent file, while all the software subpages lead to a different torrent file.
“When you begin torrenting in your favourite torrent client, you will find the file is well seeded and thus appears legitimate,” said Eset cybersecurity expert Urban Schrott. However, it’s not legitimate.
The movie torrent contains a file with a video extension, accompanied by an apparent codec pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim to run the executable, which loads the Sathurbot DLL.
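Both lures share a shape that is visible before anything is run: the .torrent metainfo lists a media file next to an executable "codec pack", or an executable installer next to nothing but a text file. As an added example (not code from Eset or from this article), the Python script below decodes a .torrent file's bencoded metainfo, lists the files it advertises, flags those two layouts, and computes the info-hash that trackers and peers use, so a flagged torrent can be blocked even when the lure page renames it. The sample torrents, tracker URL and file names are constructed here for illustration and are not from the report.

```python
"""Flag torrents that pair media with an executable, or ship an executable with
only a text file. Added example; the sample torrents below are constructed."""
import hashlib
import os

MEDIA_EXT = {".mp4", ".mkv", ".avi", ".mov", ".wmv", ".mp3"}
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".dll", ".js", ".vbs"}


def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder (BEP 3). Returns (value, position_after_value)."""
    ch = data[pos:pos + 1]
    if ch == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if ch == b"l":                                   # list: l<items>e
        pos, items = pos + 1, []
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if ch == b"d":                                   # dict: d<key><value>...e
        pos, result = pos + 1, {}
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            result[key], pos = bdecode(data, pos)
        return result, pos + 1
    if ch.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length, start = int(data[pos:colon]), colon + 1
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")


def bencode(value) -> bytes:
    """Canonical bencode encoder (dict keys sorted, as the spec requires)."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def torrent_files(metainfo: bytes):
    """Return the (path, size) entries a .torrent advertises, before any download."""
    info = bdecode(metainfo)[0][b"info"]
    if b"files" in info:                             # multi-file torrent
        return [("/".join(p.decode() for p in f[b"path"]), f[b"length"]) for f in info[b"files"]]
    return [(info[b"name"].decode(), info[b"length"])]  # single-file torrent


def classify(files):
    """Heuristic verdict on the file layout: 'media+executable' (the codec-pack
    lure), 'executable' (an installer with nothing else to vouch for it), or
    'clean'. Returns the verdict and the executables that triggered it."""
    execs = [p for p, _ in files if os.path.splitext(p)[1].lower() in EXEC_EXT]
    has_media = any(os.path.splitext(p)[1].lower() in MEDIA_EXT for p, _ in files)
    if execs and has_media:
        return "media+executable", execs
    if execs:
        return "executable", execs
    return "clean", []


def info_hash(metainfo: bytes) -> str:
    """SHA-1 of the bencoded info dict: the identifier peers and trackers use,
    unchanged when the lure page renames the .torrent. Assumes the torrent was
    written in canonical bencode, which our encoder guarantees for the samples."""
    info = bdecode(metainfo)[0][b"info"]
    return hashlib.sha1(bencode(info)).hexdigest()


# Constructed sample torrents (hypothetical names and tracker), mirroring the
# two lures described in the text plus a torrent with no executable at all.
_PIECES = b"\x00" * 20  # placeholder piece hash, constructed
SAMPLE_MOVIE_TORRENT = bencode({
    b"announce": b"udp://tracker.example.invalid:6969",
    b"info": {b"name": b"Some.Movie.2017.1080p", b"piece length": 262144, b"pieces": _PIECES,
              b"files": [{b"path": [b"Some.Movie.2017.1080p.mkv"], b"length": 1500000000},
                         {b"path": [b"Codec", b"CodecPack_Setup.exe"], b"length": 2300000},
                         {b"path": [b"README.txt"], b"length": 412}]}})
SAMPLE_SOFTWARE_TORRENT = bencode({
    b"announce": b"udp://tracker.example.invalid:6969",
    b"info": {b"name": b"SomeApp_Pro_Full", b"piece length": 262144, b"pieces": _PIECES,
              b"files": [{b"path": [b"Setup.exe"], b"length": 8100000},
                         {b"path": [b"install.txt"], b"length": 200}]}})
SAMPLE_CLEAN_TORRENT = bencode({
    b"announce": b"udp://tracker.example.invalid:6969",
    b"info": {b"name": b"talk_recording.mp4", b"piece length": 262144, b"pieces": _PIECES,
              b"length": 734000000}})

if __name__ == "__main__":
    for label, blob in (("movie", SAMPLE_MOVIE_TORRENT), ("software", SAMPLE_SOFTWARE_TORRENT),
                        ("clean", SAMPLE_CLEAN_TORRENT)):
        verdict, execs = classify(torrent_files(blob))
        print(f"{label}: infohash={info_hash(blob)} verdict={verdict} executables={execs}")
```

The verdict is a layout heuristic, not proof of malice: a genuine software torrent will also land in the "executable" bucket, which is the point, since the executable is the thing the user must not run without a trusted source. The info-hash is what to put on a blocklist, because every lure subpage pointing at the same torrent shares it regardless of the file name shown.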
Once that executable runs, the machine is lost: the Sathurbot network gains a new bot. While infected, the computer becomes an unwitting leecher, with Sathurbot able to download further malware onto it.
“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list,” said Schrott.
Beyond this, though, it is the way Sathurbot obtains a list of domain access credentials that appears most worrying, with WordPress being the primary target.
To counteract the spread of this cyberattack, Schrott advised: “Avoid both running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.”