GoTrim Actively Brute Forces WordPress

GoTrim, a new botnet malware that is based on the Go language has been spotted searching the internet for self-hosted WordPress (WP) sites in an attempt to brute force the admin’s password and take over the website.

Depending on the vogue of the sites that are breached, this compromise may result in the following scenarios that could potentially affect millions:-

  • Malware deployment
  • Injection of credit card-stealing scripts
  • Hosting of phishing pages
  • Other attack scenarios

Fortinet became the first cybersecurity company to analyze the botnet, which is well known in the cybercrime underground. Although the malware is still under development, the company reported that the malware has already proven to be powerful and has great potential.

GoTrim Profile

  • Botnet: GoTrim
  • Affected Platforms: Linux
  • Impacted Users: Any organization
  • Impact: Remote attackers gain control of the vulnerable systems
  • Severity Level: Critical

GoTrim Malware Attack Chain

In September 2022, Fortinet spotted a malware campaign known as GoTrim that began September 2022 and is still going on today.

There is a large list of target websites and credentials that is fed to the botnet network by the malware’s operators. Upon connecting to each site, the botnet malware attempts to brute-force the admin accounts in order to gain access to them by using the inputted credentials.

When GoTrim detects that a site has been breached, it logs in and reports this new infection to the C2 if the hack is successful. An ID for the bot is included as well, and it takes the form of an MD5 hash that is generated newly.

Thereafter, the malware downloads GoTrim bots from a hardcoded URL by using PHP scripts designed to run the malware. Afterward, it completely cleans the infected system by deleting the script and the brute-force component.

There are two modes of operation that can be used by the botnet:-

  • client
  • server

Beacon requests are sent to C2 by GoTrim every couple of minutes, and at this point, if there is no response after 100 retries, then it automatically terminates itself.

Malware Supported Commands

Here is a list of commands that the malware supports:

  • Validate provided credentials against WordPress domains
  • Validate provided credentials against Joomla! domains (not implemented)
  • Validate provided credentials against OpenCart domains
  • Validate provided credentials against Data Life Engine domains (not implemented)
  • Detect WordPress, Joomla!, OpenCart, or Data Life Engine CMS installation on the domain
  • Terminate the malware

The goal of GoTrim is to evade detection by the WordPress security team by targeting only self-hosted websites, rather than WordPress.com sites.

When this happens, the ‘Referer’ HTTP header of the website “wordpress.com” is checked, and if this is detected, targeted attacks are stopped against the website.

There are a few steps WordPress site owners can take to mitigate the GoTrim threat, which include implementing hard-to-brute-force passwords on their administrator accounts or utilizing two-factor authentication plugins.

Penetration Testing As a Service – Download Red Team & Blue Team Workspace

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.