GoTrim Aggressively Brute Force WordPress Websites

GoTrim, a new botnet malware based on the Go language, was found searching the internet for self-hosted WordPress (WP) sites in an attempt to brute force admin passwords and take over websites. it was done.

Depending on the prevalence of compromised sites, this compromise could result in the following scenarios that could affect millions of people:

• Malware deployment
• Injecting scripts to steal credit cards
• Hosting phishing pages
• Other attack scenarios

Fortinet has become the first cybersecurity company to analyze a botnet well known for underground cybercrime. The malware is still in development, but the company reports that it is already proving to be powerful and has great potential.

GoTrim profile

• Botnet: GoTrim
• Platforms Affected: Linux
• Affected users: All organizations
• Impact: A remote attacker gains control of a vulnerable system
• Severity: Critical

Gotrim malware attack chain

In September 2022, Fortinet discovered a malware campaign known as GoTrim that began in September 2022 and is still ongoing.

There is a huge list of target websites and credentials supplied to botnet networks by malware operators. After connecting to each site, the botnet malware attempts a brute force attack to gain access to administrator accounts using the entered credentials.

When GoTrim detects that a site has been compromised, it will log in and report this new infection to the C2 if the hack is successful. It also contains the bot’s ID, in the form of a newly generated MD5 hash.

The malware then downloads the GoTrim bot from a hardcoded URL using a PHP script designed to run the malware. After that, it completely cleans up the infected system by removing scripts and brute force components.

There are two modes of operation that botnets can use.

Beacon requests are sent to the C2 by GoTrim every few minutes. At this point, if there is no response after 100 retries, it will automatically terminate.

malware Supported commands

Here is the list of commands supported by the malware:

• Validate provided credentials against your WordPress domain
• Validates provided credentials against Joomla! domain (not implemented)
• Validate provided credentials against the OpenCart domain
• Validate provided credentials against the Data Life Engine domain (not implemented)
• Detects WordPress, Joomla!, OpenCart, or Data Life Engine CMS installations on your domain
• terminate malware

The purpose of GoTrim is to avoid detection by the WordPress security team by only targeting self-hosted websites and not WordPress.com sites.

When this happens, the website “wordpress.com” is checked for a “Referer” HTTP header and, if detected, prevents targeted attacks against the website.

There are several steps WordPress site owners can take to mitigate the GoTrim threat. This includes implementing hard-to-brute-force passwords for admin accounts and utilizing two-factor authentication plugins.

Penetration Testing as a Service – Download Red Team and Blue Team Workspaces