A new Golang-based brute forcer named GoTrim is scanning the internet for self-hosted WordPress websites and attempting to gain control of WordPress site admin accounts. The botnet started the campaign in September and it is still going on.

About the campaign

According to Fortinet researchers, GoTrim utilizes a bot network to perform distributed brute-force attacks against a long list of target websites.
  • On successful brute-forcing, a bot client is installed into the newly compromised system using malicious PHP scripts. 
  • It reports credentials to the C2 server, including a bot ID in the form of a newly generated MD5 hash.
  • Each PHP script fetches GoTrim bot clients from a hardcoded URL and executes it. 
  • To cover its tracks, it deletes both the script and the brute-forcing component from the infected system.

Malware behavior

  • GoTrim communicates with its C2 in two different modes: the client mode and the server mode. In client mode, it sends HTTP POST requests to the C2 server, while in server mode, it starts an HTTP server and awaits incoming requests from the C2.
  • It defaults to server mode if the infected system is directly connected to the internet, otherwise, it switches to client mode. After that, it sends beacon requests to C2, and if it fails to receive a response after 100 retries, it terminates.
  • The C2 sends encrypted commands to the GoTrim bot to identify CMSes (WordPress, Joomla, OpenCart, and DataLife Engine) on the target website and validate provided credentials against them.

Bypass techniques

  • The botnet detects and evades anti-bot techniques used by web hosting providers and CDNs, such as Cloudflare and SiteGround. 
  • The malware can mimic legitimate Firefox on 64-bit Windows requests to bypass anti-bot protections.
  • It contains code to bypass the CAPTCHA for seven popular plugins installed on WordPress websites. 
  • On successful bypass, it sends the 3GOOD brute force status, otherwise, it only reports them to the C2 server by updating the global status message.

Conclusion

Researchers have found modified variants of GoTrim, which indicate it is still a work in progress. However, it is a fully functional WordPress brute-forcer combined with its anti-bot evasion techniques, making it a noteworthy threat. WordPress site owners are recommended to use stronger administrator account passwords and upgrade the base CMS software and all active plugins on the site to the latest available version to mitigate such threats.
Cyware Publisher

Publisher

Cyware