GoTrim Brute Forcer Botnet Scans Internet for WordPress Sites

About the campaign

• On successful brute-forcing, a bot client is installed into the newly compromised system using malicious PHP scripts. 
• It reports credentials to the C2 server, including a bot ID in the form of a newly generated MD5 hash.
• Each PHP script fetches GoTrim bot clients from a hardcoded URL and executes it. 
• To cover its tracks, it deletes both the script and the brute-forcing component from the infected system.

Malware behavior

• GoTrim communicates with its C2 in two different modes: the client mode and the server mode. In client mode, it sends HTTP POST requests to the C2 server, while in server mode, it starts an HTTP server and awaits incoming requests from the C2.
• It defaults to server mode if the infected system is directly connected to the internet, otherwise, it switches to client mode. After that, it sends beacon requests to C2, and if it fails to receive a response after 100 retries, it terminates.
• The C2 sends encrypted commands to the GoTrim bot to identify CMSes (WordPress, Joomla, OpenCart, and DataLife Engine) on the target website and validate provided credentials against them.

Bypass techniques

• The botnet detects and evades anti-bot techniques used by web hosting providers and CDNs, such as Cloudflare and SiteGround. 
• The malware can mimic legitimate Firefox on 64-bit Windows requests to bypass anti-bot protections.
• It contains code to bypass the CAPTCHA for seven popular plugins installed on WordPress websites. 
• On successful bypass, it sends the 3GOOD brute force status, otherwise, it only reports them to the C2 server by updating the global status message.

Conclusion