Sathurbot Botnet

The botnet is made up of 20,000 bots and crawls the internet in search for domain names that can be probed to install malicious links onto webpages. i.e if _/wp-login.php _is present.

A list of popular logins is used by the botnet to brute force WordPress sites. Every botnet only attempts a single login per site and then moves on, this ensures that the bot doesn’t get its IP address blacklisted.

Sathurbot grows by enticing users to download supposed pirated content, typically movies or software, via torrent files present on the compromised WordPress pages. Once the torrent link is clicked the botnet downloads these files on to the user's device. Downloading and starting the executable will trigger pop-up windows saying that there is an error with the file. However this is a diversion as in the background, the malware is installed, contacts a C&C server, and awaits instructions. This device is now part of the botnet and the process keeps going.

At the time of publication there isn’t any known motive for the creators of the botnet, however the botnet may install specific malware onto the bots to eventually generate a large attack.