Threat Watch

Go-based Botnet GoTrim Targeting WordPress Sites

Researchers at Fortinet are the first to analyze and report on the GoTrim botnet, though it is well known in cybercrime communities. The earliest sample discovered by Fortinet was from September 2022, and the campaign is still ongoing. Created using the Go programming language, GoTrim is cross-compiled to support Windows and Linux systems. Fortinet believes that GoTrim was developed on Windows but has only been observed targeting Linux-based WordPress and OpenCart instances.

The GoTrim botnet grows by scanning the Internet for WordPress and OpenCart instances and brute-forcing their admin login pages when found. Once a successful login is achieved, the bot is installed, reports back to the threat actor’s Command and Control (C2) server, and awaits further commands. GoTrim appears to use PHP scripts to download and execute the payload binary on GoTrim clients (victim hosts). Finally, once the malware is up and running, the PHP script and payload binary are deleted from the infected system. At this time, there appears to be no persistence mechanism to reinfect compromised hosts.

According to Fortinet, GoTrim supports the following commands:

  • 1: Validate provided credentials against WordPress domains
  • 2: Validate provided credentials against Joomla! domains (currently not implemented)
  • 3: Validate provided credentials against OpenCart domains
  • 4: Validate provided credentials against Data Life Engine domains (currently not implemented)
  • 10: Detect WordPress, Joomla!, OpenCart, or Data Life Engine CMS installation on the domain
  • 11: Terminate the malware

ANALYST NOTES

GoTrim employs several anti-bot checks to evade the simpler botnet mitigations. It uses a Mozilla Firefox user-agent and advertises the same gzip, deflate, and Brotli content-encoding support that a real Firefox browser does. The malware also attempts to detect CAPTCHA security plugins and has the capability of solving the challenges for some of them. If it cannot bypass a security plugin, the botnet is globally updated with a “skip” for that domain. Interestingly, any website containing “1gb.ru” in the page content also receives a “skip”.
Protecting WordPress installations is crucial. As one of the most popular CMS solutions, it receives a significant amount of attention from threat actors. Users can protect their WordPress sites by using a Web Application Firewall (WAF), obfuscating admin login pages, and using strong passwords. For a more exhaustive list of security measures, wpbeginner.com has created a comprehensive guide to securing WordPress installations: https://www.wpbeginner.com/wordpress-security/
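As an added defensive example (not code from the Fortinet report or from GoTrim itself), the following Python flags source addresses that repeatedly fail logins against the WordPress and OpenCart admin endpoints that GoTrim brute-forces, reading constructed combined-format web server log lines. The endpoint paths and the "200 means the form was re-rendered, 302 means success" heuristic are assumptions about default CMS behaviour; tune them to your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; timestamps like 12/Dec/2022:10:00:01 +0000
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def is_admin_login(path):
    """WordPress and OpenCart admin login endpoints (OpenCart's /admin/ directory is often renamed)."""
    base, _, query = path.partition("?")
    return base == "/wp-login.php" or (base.endswith("/index.php") and "route=common/login" in query)

def failed_logins(log_text):
    """Yield (ip, timestamp) for POSTs to an admin login that re-rendered the form.
    Assumed heuristic: both CMSs answer a wrong password with 200 and a correct one with a 302."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["status"] == "200" and is_admin_login(m["path"]):
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: peak failed attempts inside any window_s-second span} for IPs reaching threshold."""
    window, by_ip = timedelta(seconds=window_s), defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample traffic (RFC 5737 test addresses), not a real capture.
UA = "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0"
def _log(ip, sec, path, status=200):
    return f'{ip} - - [12/Dec/2022:10:00:{sec:02d} +0000] "POST {path} HTTP/1.1" {status} 4000 "-" "{UA}"'
SAMPLE_LOG = "\n".join(
    [_log("203.0.113.7", s, "/wp-login.php") for s in range(0, 12, 2)]  # 6 failures in 10 s
    + [_log("203.0.113.9", s, "/admin/index.php?route=common/login") for s in range(0, 50, 10)]  # 5 in 40 s
    + [_log("198.51.100.5", 30, "/wp-login.php"), _log("198.51.100.5", 31, "/wp-login.php", 302)]  # typo, then success
)
```

Running `find_bruteforce(SAMPLE_LOG)` flags the two scanning addresses and leaves the single mistyped password alone; feed the function a real access log to use it as a fail2ban-style trigger.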

https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites