December 15, 2022

Fortinet Researchers from FortiGuard Labs discovered GoTrim, a novel Go-based botnet that scans and brute-forces WordPress and OpenCart websites in order to facilitate site takeovers and other attacks.

Since September 2022, a bot network has been used to publish distributed brute-force attacks in a bid to obtain control of the targeted web server. The primary goal of the malware is to receive additional commands from an actor-controlled server, such as performing brute-force attacks against WordPress and OpenCart using a set of provided credentials.

After effectively penetrating admin accounts, GoTrim uses PHP scripts to allow bot client restoration before connecting to the command-and-control server. Among the encrypted instructions sent to GoTrim include those for verifying credentials against WordPress, Joomla!, Data Life Engine, and OpenCart domains, as well as classifying and terminating malware installations on the domain.

The malware employs a bot network to launch distributed brute force attacks on targeted websites. Each bot is given a long list of target websites as well as a set of credentials for brute-force attacks.

According to the researchers, the bot does not have any code for propagation or the deployment of other payloads, and PHP scripts download and execute GoTrim bot clients. Also, the attackers use compromised credentials to deploy PHP scripts that install the GoTrim botnet, and the bot does not maintain persistence in the infected system.

GoTrim has also avoided detection by spoofing Firefox on 64-bit Windows requests and targeting self-hosted sites rather than those hosted on WordPress.com.

The sources for this piece include an article in TheHackerNews.