Researchers at Fortinet are the first to analyze and report on the GoTrim botnet, though it is well known in cybercrime communities. The earliest sample discovered by Fortinet was from September 2022, and the campaign is still ongoing. Created using the Go programming language, GoTrim is cross-compiled to support Windows and Linux systems. Fortinet believes that GoTrim was developed on Windows but has only been observed targeting Linux-based WordPress and OpenCart instances.
The GoTrim botnet grows by scanning the Internet for WordPress and OpenCart instances and brute-forcing their admin login pages when found. Once a successful login is achieved, the bot is installed, reports back to the threat actor’s Command and Control (C2) server and awaits further commands. GoTrim appears to use PHP scripts to download and execute the payload binary on GoTrim clients (victim hosts). Finally, once the malware is up and running, the PHP script and payload binary are deleted from the infected system. At this time, there appears to be no persistence mechanism to reinfect compromised hosts.
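As an added defender-side example (not from Fortinet's report or the GoTrim code), the script below flags the admin-login brute-forcing described above in Apache-style access logs and reports whether a redirect followed the burst. It assumes a failed login re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines, IPs and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Apache "combined" access-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Admin login endpoints the report says GoTrim brute-forces (WordPress and OpenCart).
LOGIN_PATHS = ("/wp-login.php", "/admin/index.php?route=common/login")

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m and (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"], m["path"], int(m["status"]))

def detect_login_bursts(lines, threshold=10, window_s=60):
    """Flag IPs with >= threshold failed admin-login POSTs inside any window_s-second span.
    Assumes a failed login re-renders the form (HTTP 200) and a success redirects (302)."""
    events = defaultdict(list)  # ip -> [(timestamp, status)] for login POSTs only
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.startswith(LOGIN_PATHS):
            events[ip].append((ts, status))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st in evs if st == 200]
        start = 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while (fails[end] - fails[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                # A 302 from this IP at or after the burst suggests a credential guess worked.
                success = any(st == 302 and ts >= fails[end] for ts, st in evs)
                findings[ip] = {"failures": len(fails), "success_after_burst": success}
                break
    return findings

def constructed_sample():
    """Constructed log lines (not real traffic): a 12-try burst ending in a 302, plus one normal client."""
    t0 = datetime(2022, 12, 12, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset, path, status):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 4521 "-" "Mozilla/5.0"'
    lines = [line("203.0.113.5", i, "/wp-login.php", 200) for i in range(12)]
    lines += [line("203.0.113.5", 13, "/wp-login.php", 302),
              line("198.51.100.7", 0, "/admin/index.php?route=common/login", 200)]
    return lines
```

Because GoTrim removes its dropper and binary after installation and leaves no persistence, the login burst in the web-server log may be the most durable trace of the initial compromise.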
According to Fortinet, GoTrim supports the following commands:
- 1: Validate provided credentials against WordPress domains
- 2: Validate provided credentials against Joomla! domains (currently not implemented)
- 3: Validate provided credentials against OpenCart domains
- 4: Validate provided credentials against Data Life Engine domains (currently not implemented)
- 10: Detect WordPress, Joomla!, OpenCart, or Data Life Engine CMS installation on the domain
- 11: Terminate the malware