SS7
GoTrim Botnet Brute Forces WordPress Site Administration Accounts
GoTrim, a new botnet malware that is Go-based, scans the internet for self-hosted WordPress sites and attempts to take control.
The compromise could lead to malware distribution, credit card theft script injection, host of phishing pages and other attacks, which can potentially have a devastating impact on millions, depending on how popular the compromised sites are.
Although the botnet is well-known in cybercrime underground circles, was the first to examine it. It reported that although the malware remains in development, the company already has powerful capabilities.
GoTrim Botnet targets WordPress Sites
Fortinet discovered the GoTrim malware attack in September 2022. It is ongoing.
Operators of the malware feed long lists of targeted websites along with a list of login credentials to the botnet. After connecting to the sites, the malware attempts to hack into admin accounts by using the credentials.
GoTrim logs into the compromised site to report the infection (C2) and a bot ID, in the form a MD5 hash, if successful.
The malware then uses PHP scripts for fetching GoTrim clients using a hardcoded URL. It deletes the script as well the brute-forcing components from infected systems, since they are not needed anymore.
Two modes of operation can be used by the botnet: client and server.
The malware initiates the connection to botnet’s C2 in client mode. In server mode it launches an HTTP server, and waits for incoming requests.
GoTrim botnet attack chain
(Fortinet)
GoTrim defaults into server mode if the compromised endpoint is connected directly to the Internet.
GoTrim will send beacon requests to C2 each few minutes. If it doesn’t receive any response after 100 attempts, it terminates.
C2 allows you to send encrypted commands directly to GoTrim, which can support the following:
- Validate credentials for WordPress domains
- Validate your credentials with Joomla! Domains not implemented
- Validate credentials provided against OpenCart domains
- Validate credentials provided against Data Life Engine domains. (Not implemented).
- Detect WordPress, Joomla! or OpenCart installation on your domain
- Stop the malware
C2 response containing command for botnet
(Fortinet)
Evading detection
GoTrim won’t target WordPress.com sites, but will instead target only self-hosted websites to evade detection from the WordPress security team.
It does this by looking at the “Referer” HTTP header of WordPress.com and, if found, it stops targeting that site.
Researchers explain that managed WordPress hosting providers like wordpress.com have more security measures in place to detect and stop brute force attempts. This makes it less likely for self-hosted WordPress sites to be discovered.
GoTrim also mimics Firefox 64-bit Windows requests in order to bypass anti-bot protections
The malware can also detect if a targeted WordPress website uses a CAPTCHA plugin in order to block bots and load the correct solver. It currently supports seven well-known plugins.
Fortinet stated that GoTrim avoids websites hosted at 1gb.ru, but couldn’t determine why.
WordPress website owners can use strong passwords to protect themselves from the GoTrim attack.
WordPress administrators should also upgrade their base CMS software as well as all plugins to the most current version. This addresses vulnerabilities hackers could exploit for an initial compromise.