GoTrim botnet actively brute forces WordPress and OpenCart sites

Researchers discovered a new Go-based botnet, dubbed GoTrim, attempting to brute force WordPress websites.

Fortinet FortiGuard Labs researchers spotted a new Go-based botnet, dubbed GoTrim, that has been spotted scanning and brute-forcing WordPress and OpenCart websites. The botnet was named GoTrim because it was written in Go and uses “:::trim:::” to split data sent and received from the C2 server.

The campaign has been active since at least September 2022 and according to the experts, it is still ongoing.   

The malware uses a bot network to perform distributed brute force attacks against target websites. Each bot is given a long list of target websites and a set of credentials to use in brute-force attacks.

“After a successful login, a bot client is installed into the newly compromised system. It then awaits further commands from the threat actors, thereby expanding the bot network.” reads the report published by Fortinet. “GoTrim only reports credentials to the C2 server after a successful brute force attempt.”

The bot lacks any code for propagation or the deployment of other payloads. The experts noticed PHP scripts that download and execute GoTrim bot clients. The researchers speculate the attackers are abusing compromised credentials to deploy PHP scripts to install the GoTrim botnet. The analysis also revealed that the bot does not maintain persistence in the infected system.

“Typically, each script downloads the GoTrim malware from a hardcoded URL to a file in the same directory as the script itself and executes it.” continues the report. “To cover its tracks, both the downloader script and GoTrim brute forcer are deleted from the infected system. It does not maintain persistence in the infected system.”

The GoTrim bot can work in both server and client mode; in the server mode, the bot starts a server to listen for incoming requests from the command-and-control (C2) server, while in a client mode, it sends HTTP POST requests to the C2 server.

C2 communications are encrypted using the Advanced Encryption Standard in Galois Counter Mode (AES-GCM) with a key derived from a passphrase embedded in the malware binary.

Once the bot ID is generated, GoTrim creates an asynchronous Go routine that sends a beacon request to the C2 server on both client and server modes.

GoTrim is able to detect anti-bot techniques used by web hosting providers and CDNs, such as Cloudflare and SiteGround, and evade some of their checks.

The bot tries to mimic legitimate requests from Mozilla Firefox on 64bit Windows to bypass anti-bot solutions.

“Although this malware is still a work in progress, the fact that it has a fully functional WordPress brute forcer combined with its anti-bot evasion techniques makes it a threat to watch for—especially with the immense popularity of the WordPress CMS, which powers millions of websites globally.” concludes the report. “Brute-forcing campaigns are dangerous as they may lead to server compromise and malware deployment. To mitigate this risk, website administrators should ensure that user accounts (especially administrator accounts) use strong passwords. Keeping the CMS software and associated plugins up to date also reduces the risk of malware infection by exploiting unpatched vulnerabilities.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]