FortiGuard Labs researchers have uncovered a malicious campaign in which a new Golang-based botnet hacks WordPress sites to take control of targeted systems.
The brute-force malware is part of a campaign that analysts have named GoTrim because it is written in Go and uses the string ‘:::trim:::’ to separate data sent to and from the C&C server.
The GoTrim campaign has been tracked since September 2022 and uses a botnet to mount distributed brute-force login attempts against the target web server. After a successful login, the operator installs a PHP loader script on the compromised host, which deploys a "client bot" from a hard-coded URL, adding the machine to the botnet.
GoTrim is not capable of self-propagating, delivering other malware, or remaining persistent on an infected system. Its main functions are:
- receiving further commands from the C&C server;
- conducting brute-force attacks on WordPress and OpenCart using a set of provided credentials;
- operating in server mode, where the malware starts a listener for incoming requests sent by the attacker (only if the compromised system is directly reachable from the Internet);
- imitating legitimate Mozilla Firefox browser requests from a 64-bit version of Windows to bypass anti-bot protection;
- bypassing CAPTCHA protection on WordPress sites.
When multiple pieces of device information are sent to the C&C server, the fields are separated by the string ":::trim:::", hence the campaign name.
“While this malware is still under development, the fact that it has a fully functional WordPress brute-force tool, combined with its bot evasion techniques, makes it very dangerous,” the researchers say.
A successful brute-force attack can lead to full compromise of the server and deployment of further malware. To mitigate this risk, website administrators should ensure that user accounts (especially administrator accounts) use strong passwords.
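As an added defender-side example (not code from the FortiGuard report and not part of GoTrim itself), the following Python script shows how the two facts the article gives can be turned into detection logic: distributed brute-force attempts against WordPress show up as bursts of POST requests to /wp-login.php from many source addresses within a short window, and GoTrim's C&C traffic uses the ":::trim:::" delimiter between fields. The access log lines are constructed for the example; the assumption that WordPress answers a failed login with HTTP 200 (re-rendered form) and a successful one with a 302 redirect is noted in the code, and the thresholds are illustrative.

```python
"""Detect distributed WordPress login brute forcing and the GoTrim C&C delimiter.

Added example; not the report's or the malware's code. All log data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Field separator used in GoTrim's C&C protocol, as named in the report.
TRIM_DELIM = ":::trim:::"

# Constructed sample log lines (RFC 5737 documentation addresses, fake timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
203.0.113.11 - - [05/Dec/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
198.51.100.7 - - [05/Dec/2022:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
203.0.113.10 - - [05/Dec/2022:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
192.0.2.44 - - [05/Dec/2022:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
198.51.100.7 - - [05/Dec/2022:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
203.0.113.11 - - [05/Dec/2022:10:00:25 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
192.0.2.99 - - [05/Dec/2022:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/105.0"
10.0.0.5 - - [05/Dec/2022:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_distributed_login_bruteforce(lines, window_seconds=60, min_sources=3, min_attempts=5):
    """Return a list of (window_start_epoch, distinct_source_ips, failed_attempts) alerts.

    A window is flagged when at least `min_attempts` failed POSTs to /wp-login.php arrive
    from at least `min_sources` distinct addresses. Assumption: WordPress returns 200
    (the login form again) on failure and a 302 redirect on success.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] != 200:          # 302 = login succeeded, not a failed guess
            continue
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - (epoch % window_seconds)].append(rec["ip"])

    alerts = []
    for window_start, ips in sorted(buckets.items()):
        distinct = len(set(ips))
        if len(ips) >= min_attempts and distinct >= min_sources:
            alerts.append((window_start, distinct, len(ips)))
    return alerts


def split_trim_fields(payload):
    """Split a captured request/response body on the GoTrim delimiter.

    Returns the list of fields if the delimiter is present, otherwise None, so a
    proxy or IDS hook can flag bodies that carry this C&C framing.
    """
    if TRIM_DELIM not in payload:
        return None
    return payload.split(TRIM_DELIM)


if __name__ == "__main__":
    for start, sources, attempts in detect_distributed_login_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"window {datetime.utcfromtimestamp(start):%Y-%m-%d %H:%M}: "
              f"{attempts} failed wp-login POSTs from {sources} distinct sources")
    print(split_trim_fields("host-id:::trim:::windows-x64:::trim:::wp-targets"))
```

The single GET and the 302 response are deliberately excluded, and the lone attempt fifteen minutes later falls into its own window and does not trigger an alert, so a practitioner can see where the thresholds bite. In production the same logic would run over a streaming log source rather than an embedded string, and the Firefox-on-Windows User-Agent the report describes should not be used as a filter, since the whole point of the imitation is that it looks legitimate.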