GoTrim botnet scours the internet to target WordPress websites

December 29, 2022

GoTrim is a Go-based brute-forcing botnet that scans the internet for self-hosted WordPress sites and attempts to take over their administrator accounts. According to the researchers who analysed it, the campaign began in September 2022 and has continued since.

The researchers report that GoTrim uses a network of bots to run distributed brute-force attacks against many target sites at once. When a login succeeds, the operators install a bot client on the compromised site by means of a malicious PHP script.

That script also reports the stolen credentials to the command-and-control (C2) server, together with a bot ID in the form of a newly generated MD5 hash. The script then downloads the GoTrim bot client from a hardcoded URL, runs it, and deletes both itself and the brute-forcing tool from the compromised system to hinder analysis by threat researchers.

The GoTrim botnet has a couple of ways to contact its C2 server.

The researchers describe two modes in which GoTrim communicates with its C2 server, which they call client mode and server mode.

In client mode, the bot polls the C2 by sending it HTTP POST requests. In server mode, the bot instead starts its own HTTP server and waits for incoming requests from the C2. The bot switches to server mode when the compromised system is directly connected to the internet, since the C2 can then reach it.

If the bot fails to get a response from the C2, it stops running.

The C2 sends the bot encrypted commands, including instructions to detect which CMS a target site runs (WordPress, OpenCart, Joomla, or DataLife Engine) and to validate stolen credentials against the target site, which tells the operators which credentials still work.

Researchers have found modified variants of GoTrim, which indicates that the malware is still under active development. It remains a significant threat: it is a fully working WordPress brute-forcer with mechanisms for evading anti-bot protections, so defences that depend on telling bots from browsers cannot be counted on to block it.

Experts recommend that WordPress site owners use strong administrator passwords, keep the core CMS up to date, and update every active plugin to its latest version to reduce their exposure to threats of this kind. Since GoTrim spreads its guesses across many bots, per-IP lockouts alone will not stop it; limiting login attempts per account and requiring a second factor for administrator logins address the password guessing itself.
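The distributed pattern described in this article is what makes per-IP lockouts ineffective. As an added example, not code from the article or from the GoTrim research it summarises, the following Python script parses combined-format web server access logs and flags windows in which login POSTs to wp-login.php or xmlrpc.php arrive from many distinct source addresses. The log lines are constructed samples, and the window size and thresholds are assumed values to tune for your own site's traffic.

```python
"""Detect distributed (many-source, low-per-IP) brute forcing of WordPress
logins from web server access logs.

Added example; not code from the article or from the GoTrim research.
Log lines below are constructed samples in the nginx/Apache "combined"
format; window size and thresholds are assumptions to tune per site.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept WordPress credentials. xmlrpc.php is included because
# its system.multicall method lets one request carry many password guesses.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_login_attempt(rec):
    """Only POSTs carry credentials; the GET that renders the form is noise."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path in LOGIN_PATHS


def detect_distributed_bruteforce(lines, window=timedelta(minutes=5),
                                  min_attempts=20, min_sources=10):
    """Flag sliding windows in which login POSTs come from many distinct IPs.

    A per-IP lockout (the fail2ban model) never fires against a botnet that
    spreads its guesses over many hosts, so the aggregate across all sources
    is what is thresholded. Thresholds are assumed values; tune to your site.
    """
    attempts = sorted(
        (r for r in map(parse_line, lines) if r and is_login_attempt(r)),
        key=lambda r: r["time"],
    )
    alerts, i = [], 0
    while i < len(attempts):
        end = attempts[i]["time"] + window
        j = i
        while j < len(attempts) and attempts[j]["time"] < end:
            j += 1
        per_ip = Counter(r["ip"] for r in attempts[i:j])
        if j - i >= min_attempts and len(per_ip) >= min_sources:
            alerts.append({
                "window_start": attempts[i]["time"],
                "attempts": j - i,
                "distinct_ips": len(per_ip),
                "max_per_ip": max(per_ip.values()),
                # WordPress answers a successful wp-login.php POST with a 302
                # redirect; a success inside a burst means a guess worked.
                "successes": sum(1 for r in attempts[i:j] if r["status"] == 302),
            })
            i = j  # skip the rest of this burst so it is reported once
        else:
            i += 1
    return alerts


def constructed_log():
    """Constructed sample traffic (not real data): 12 bot IPs each make two
    guesses inside five minutes, every one staying far below a per-IP lockout,
    plus ordinary browsing and one legitimate admin login an hour earlier."""
    fmt = lambda t: t.strftime(TIME_FMT)
    base = datetime(2022, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0"
    lines = [
        f'203.0.113.5 - - [{fmt(base - timedelta(hours=1))}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "{ua}"',
        f'198.51.100.7 - - [{fmt(base + timedelta(seconds=30))}] "GET /index.php HTTP/1.1" 200 5123 "-" "{ua}"',
        f'198.51.100.8 - - [{fmt(base + timedelta(seconds=45))}] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "{ua}"',
    ]
    for n in range(12):
        for delay in (n * 20, n * 20 + 60):
            t = fmt(base + timedelta(seconds=delay))
            lines.append(f'192.0.2.{n + 1} - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "{ua}"')
    return lines


if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(constructed_log()):
        print(alert)
```

On the constructed sample the script reports a single window of 24 login POSTs from 12 addresses with at most two attempts per address, which a per-IP rule with the usual threshold of five failures would never notice. In production, feed it the real access log, key the aggregation by virtual host if one server fronts several sites, and treat any 302 inside a flagged window as a likely account takeover that needs the password reset and the site checked for dropped PHP files.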
