A new Go-based botnet malware named ‘GoTrim’ is scanning the web for self-hosted WordPress websites and attempting to brute force the administrator’s password and take control of the site.
This compromise may lead to malware deployment, injection of credit card stealing scripts, hosting of phishing pages, and other attack scenarios, potentially impacting millions depending on the popularity of the breached sites.
The botnet is notorious in the cybercrime underground, but Fortinet became the first cybersecurity firm to analyze it, reporting that while the malware is still a work in progress, it already has potent capabilities.
GoTrim botnet targets WordPress sites
If successful, GoTrim logs in on the breached site and reports the new infection to the command and control server (C2), including a bot ID in the form of a newly generated MD5 hash.
Next, the malware uses PHP scripts to fetch GoTrim bot clients from a hardcoded URL and deletes both the script and the brute-forcing component from the infected system, as these are no longer needed.
The botnet can operate in two modes: “client” and “server.”
In client mode, the malware will initiate the connection to the botnet’s C2, while in server mode, it starts an HTTP server and awaits incoming requests from the C2.
Evading detection
To evade detection by the WordPress security team, GoTrim will not target sites hosted on WordPress.com and instead only target self-hosted sites.
It does this by checking the ‘Referer’ HTTP header for “wordpress.com,” and if that string is present, it stops targeting the site.
“As managed WordPress hosting providers, such as wordpress.com, usually implement more security measures to monitor, detect, and block brute forcing attempts than self-hosted WordPress websites, the chance of success is not worth the risk of getting discovered,” explain the researchers.
Moreover, GoTrim mimics the requests of a legitimate Firefox browser on 64-bit Windows to bypass anti-bot protections.
Finally, if the targeted WordPress site uses a CAPTCHA plugin to stop bots, the malware detects it and loads the corresponding solver. Currently, it supports seven popular plugins.
Fortinet also said that the GoTrim botnet avoids sites hosted at “1gb.ru,” but could not determine the exact reasons for doing so.
To mitigate the GoTrim threat, WordPress site owners should use strong administrator account passwords that are hard to brute-force or use a 2FA plugin.
Finally, WordPress admins should upgrade the base CMS software and all active plugins on the site to the latest available version, which addresses known vulnerabilities that hackers can leverage for initial compromise.
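Alongside these mitigations, site owners can spot a brute-force run like the one described above in ordinary web server access logs. The following detection script is an added example, not part of the article or of Fortinet's analysis; it uses constructed sample log lines and assumed thresholds (five failed logins within 60 seconds), and relies on the fact that WordPress answers a failed wp-login.php POST with HTTP 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the common "combined" access-log format; not real traffic.
# The attacker IP is documentation space (203.0.113.0/24); the user agent mirrors the
# Firefox-on-64-bit-Windows string the article says GoTrim imitates.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0"
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Dec/2022:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "{UA}"'
     for s in (1, 4, 9, 15, 22, 30)]
    + [f'198.51.100.4 - - [12/Dec/2022:10:00:12 +0000] "GET / HTTP/1.1" 200 9876 "-" "{UA}"',
       f'198.51.100.4 - - [12/Dec/2022:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "{UA}"']
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry

def is_failed_login(entry):
    # WordPress re-renders the login form with HTTP 200 on a bad password and answers a
    # successful login with a 302 redirect to wp-admin, so a 200 on a POST marks a failure.
    return entry["method"] == "POST" and entry["path"].startswith("/wp-login.php") and entry["status"] == 200

def find_login_bursts(log_text, threshold=5, window_seconds=60):
    """Return {ip: largest number of failed wp-login.php POSTs inside any window_seconds span}
    for every IP that reaches threshold, using a sliding window over sorted timestamps."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_failed_login(entry):
            per_ip[entry["ip"]].append(entry["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed admin logins within 60s; candidate for rate limiting or blocking")
```

The legitimate visitor at 198.51.100.4 is never flagged because its one wp-login.php POST returned 302, so the thresholds only fire on repeated failures.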