Researchers spotted a backdoor trojan that uses torrents as a delivery medium and uses distributed brute force attacks to exploit weak WordPress administrator accounts as well as an infection that injects malicious code into .js files.
Dubbed, Sathurbot, the trojan is disguised in a software torrent containing an apparent installer executable and a small text file which both have the objective of enticing the victim to run the executable which loads the Sathurbot DLL, according to an April 6 blog post.
The trojan can update itself as well as download and start other executables and comes with some 5,000 puls generic word that are randomly combines to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines, the post said.
Researchers said the obfuscated code can be recognized by the hex-encoded strings and is usually appended to the legitimate content of the files, according to an April 4 blog post.
On some sites, the infections install several malicious themes and plugins that appear to be auto-generated using a limited dictionary of terms and rules.
The script also looks to identify the root directory of all the sites that share the same account, or even server and then recursively scans all the nested directories and sites for writeable .js files in order to maximize the infection surface, researchers said in the post.
As per usual, researchers recommended the use of strong passwords and that users ensure all of their devices and programs are up to date.