New GoTrim botnet brute forces WordPress site admin accounts

A new Go-based botnet malware named 'GoTrim' is scanning the web for self-hosted WordPress websites and attempting to brute force the administrator's password and take control of the site.

This compromise may lead to malware deployment, injection of credit card stealing scripts, hosting of phishing pages, and other attack scenarios, potentially impacting millions depending on the popularity of the breached sites.

The botnet is notorious in the cybercrime underground, but Fortinet became the first cybersecurity firm to analyze it, reporting that while the malware is still a work in progress, it already has potent capabilities.

GoTrim botnet targets WordPress sites

The GoTrim malware campaign spotted by Fortinet started in September 2022 and is still ongoing.

The malware's operators feed a long list of target websites and a set of credentials to the botnet network. The malware then connects to each site and attempts to brute-force the admin accounts using the inputted credentials.

If successful, GoTrim logs in on the breached site and reports the new infection to the command and control server (C2), including a bot ID in the form of a newly generated MD5 hash.

Next, the malware uses PHP scripts to fetch GoTrim bot clients from a hardcoded URL and deletes both the script and the brute-forcing component from the infected system, as these are no longer needed.

The botnet can operate in two modes: "client" and "server." 

In client mode, the malware will initiate the connection to the botnet's C2, while in server mode, it starts an HTTP server and awaits incoming requests from the C2.

GoTrim botnet attack chain (Fortinet)

 

If the breached endpoint is directly connected to the internet, then GoTrim defaults to server mode.

GoTrim sends beacon requests to C2 every couple of minutes, and if it fails to receive a response after 100 retries, it terminates.

The C2 can send encrypted commands to the GoTrim bot, which supports the following:

• Validate provided credentials against WordPress domains
• Validate provided credentials against Joomla! domains (not implemented)
• Validate provided credentials against OpenCart domains
• Validate provided credentials against Data Life Engine domains (not implemented)
• Detect WordPress, Joomla!, OpenCart, or Data Life Engine CMS installation on the domain
• Terminate the malware

Evading detection

To evade detection by the WordPress security team, GoTrim will not target sites hosted on Wordpress.com and instead only target self-hosted sites.

This is done by checking the 'Referer' HTTP header for "wordpress.com," and if detected, stops targeting the site.

"As managed WordPress hosting providers, such as wordpress.com, usually implement more security measures to monitor, detect, and block brute forcing attempts than self-hosted WordPress websites, the chance of success is not worth the risk of getting discovered," explains the researchers.

Moreover, GoTrim mimics legitimate Firefox on 64-bit Windows requests to bypass anti-bot protections.

Finally, if the targeted WordPress site uses a CAPTCHA plugin to stop bots, the malware detects it and loads the corresponding solver. Currently, it supports seven popular plugins.

Fortinet also said that the GoTrim botnet avoids sites hosted at "1gb.ru," but could not determine the exact reasons for doing so.

To mitigate the GoTrim threat, WordPress site owners should use strong administrator account passwords that are hard to brute-force or use a 2FA plugin.

Finally, WordPress admins should upgrade the base CMS software and all active plugins on the site to the latest available version, which addresses known vulnerabilities that hackers can leverage for initial compromise.