GoTrim botnet targets WordPress sites


Researchers from Fortinet's FortiGuard Labs discovered GoTrim, a novel Go-based botnet that scans and brute-forces WordPress and OpenCart websites in order to facilitate site takeovers and other attacks.

Since September 2022, a bot network has been used to carry out distributed brute-force attacks in a bid to obtain control of the targeted web server. The primary goal of the malware is to receive additional commands from an actor-controlled server, such as performing brute-force attacks against WordPress and OpenCart using a set of provided credentials.

After successfully breaking into admin accounts, GoTrim uses PHP scripts to allow bot client restoration before connecting to the command-and-control server. The encrypted instructions sent to GoTrim include those for verifying credentials against WordPress, Joomla!, Data Life Engine, and OpenCart domains, as well as classifying and terminating malware installations on the domain.

The malware employs a bot network to launch distributed brute-force attacks on targeted websites. Each bot is given a long list of target websites as well as a set of credentials for brute-force attacks.

According to the researchers, the bot does not have any code for propagation or the deployment of other payloads, and PHP scripts download and execute GoTrim bot clients. Also, the attackers use compromised credentials to deploy PHP scripts that install the GoTrim botnet, and the bot does not maintain persistence in the infected system.

GoTrim has also avoided detection by making its requests appear to come from Firefox on 64-bit Windows and by targeting self-hosted sites rather than those hosted on WordPress.com.
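Because the attack is distributed, each bot sends only a few attempts and a per-IP rate limit never trips. The following added example (not from Fortinet's report or the original article) groups login POSTs in a web access log by User-Agent and flags many source IPs inside one time window; the `/wp-login.php` path, the thresholds, and the log lines are assumptions constructed for illustration, and the User-Agent is a made-up Firefox-style string, not GoTrim's actual one.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
LOGIN_PATHS = {"/wp-login.php"}  # assumption: stock WordPress login endpoint

def login_posts(lines):
    """Yield (timestamp, ip, user_agent) for each POST to a login path."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] in LOGIN_PATHS:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["ua"]

def find_distributed_bruteforce(lines, window=timedelta(minutes=10),
                                min_ips=4, min_attempts=8):
    """Flag User-Agents whose login POSTs come from many IPs inside one window."""
    by_ua = defaultdict(list)
    for ts, ip, ua in login_posts(lines):
        by_ua[ua].append((ts, ip))
    findings = []
    for ua, events in by_ua.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            per_ip = Counter(ip for _, ip in events[start:end + 1])
            if len(per_ip) >= min_ips and sum(per_ip.values()) >= min_attempts:
                # Report the first window that crosses both thresholds.
                findings.append({"user_agent": ua, "ips": sorted(per_ip),
                                 "attempts": sum(per_ip.values()),
                                 "max_per_ip": max(per_ip.values())})
                break
    return findings

def sample_log():
    """Constructed log lines (documentation IP ranges, made-up User-Agents)."""
    bot_ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) "
              "Gecko/20100101 Firefox/102.0")
    lines = [f'203.0.113.{10 + i % 6} - - [12/Dec/2022:10:{i // 2:02d}:{i % 2 * 30:02d} +0000] '
             f'"POST /wp-login.php HTTP/1.1" 200 4120 "-" "{bot_ua}"' for i in range(12)]
    lines.append('198.51.100.7 - - [12/Dec/2022:10:03:10 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"')
    return lines

if __name__ == "__main__":
    for f in find_distributed_bruteforce(sample_log()):
        print(f)
```

In the constructed sample no single address makes more than two attempts, yet the aggregate across six addresses is flagged. A shared browser User-Agent is common among legitimate visitors too, so treat a hit as a lead to correlate with failed-login counts rather than as proof.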

The sources for this piece include an article in TheHackerNews.
