FortiGuard Labs uncovered a Go-based CMS scanner and brute-forcer named GoTrim that targets WordPress and OpenCart. It operates as a botnet for distributed brute-forcing, communicates with its C2 over encrypted channels, and can operate in either a client or a server mode for that C2 communication.
Key points
- GoTrim is a Go-based CMS scanner/brute-forcer uncovered by FortiGuard Labs, tied to a campaign starting in 2022 and built in Go 1.18, packed with UPX to reduce size.
- The malware uses a botnet to perform distributed brute-force attacks against WordPress and OpenCart targets, attempting logins with a set of credentials per target.
- Harvested credentials and brute-force results are pooled through a C2 that supports both client and server modes; the bot ID, IP addresses, and task status are reported to the C2.
- GoTrim is first fetched by a PHP downloader script, which then deletes both itself and the brute-forcer to cover its tracks; no persistence mechanism is maintained.
- The campaign includes CMS detection, WordPress username enumeration, and WordPress login attempts, with potential use of WordPress XML-RPC to bypass some protections.
- Anti-bot checks are implemented to mimic legitimate traffic and detect CAPTCHA plugins, though bypass effectiveness varies; the actors continue to develop the malware.
MITRE Techniques
- [T1110] Brute Force – ‘GoTrim uses a bot network to perform distributed brute force attacks against its targets. Each bot is given a set of credentials to use to attempt to log into a long list of website targets.’
- [T1071.001] Web Protocols – ‘GoTrim can communicate with its Command and Control (C2) server in two ways: a client mode, where it sends HTTP POST requests to the Command and Control (C2 server), or a server mode, where it starts an HTTP server to listen for incoming POST requests.’
- [T1027] Obfuscated/Compressed Files and Information – ‘the malware is packed using UPX to reduce the file from 6 MB to 1.9 MB.’
- [T1105] Ingress Tool Transfer – ‘Typically, each script downloads the GoTrim malware from a hardcoded URL to a file in the same directory as the script itself and executes it.’
- [T1033] Account Discovery – ‘it attempts to gather more usernames by sending a GET request to ‘/wp-json/wp/v2/users’.’
- [T1078] Valid Accounts – ‘log in to the WordPress website using the list of usernames and the password provided in the C2 command by sending a POST request to ‘/wp-login.php’.’
- [T1041] Exfiltration Over C2 Channel – ‘After a successful login, the following information (delimited by “|”) is updated into a global status message and sent with the following request to the C2 (client mode) or in the response to incoming requests (server mode):’ (credentials, target URL, username, password, etc.)
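The enumeration and login behaviour described above (GET to /wp-json/wp/v2/users followed by bursts of POSTs to /wp-login.php or /xmlrpc.php) is easy to spot in web-server access logs. The following detector is an added example, not code from FortiGuard Labs or from the GoTrim report; the log lines, IP addresses, window size and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (not from the report): 203.0.113.7
# enumerates users and then hammers the login routes; 198.51.100.4 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2022:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2022:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2022:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2022:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # xmlrpc.php is the XML-RPC login route
ENUM_PATH = "/wp-json/wp/v2/users"               # REST endpoint used for username enumeration

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def detect(log_text, window_s=60, login_threshold=5):
    """Return {ip: set(reasons)} for clients that enumerate users or burst login POSTs."""
    logins = defaultdict(list)   # per-IP timestamps of login POSTs inside the sliding window
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "GET" and path == ENUM_PATH:
            alerts[ip].add("wp-json user enumeration")
        elif method == "POST" and path in LOGIN_PATHS:
            stamps = logins[ip]
            stamps.append(ts)
            while (ts - stamps[0]).total_seconds() > window_s:  # drop attempts older than the window
                stamps.pop(0)
            if len(stamps) >= login_threshold:
                alerts[ip].add("login burst (wp-login.php/xmlrpc.php)")
    return dict(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Tune `window_s` and `login_threshold` to the site's normal login rate; the benign client above makes one login POST and is not flagged.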
Indicators of Compromise
- [Files] GoTrim-related file hashes – 646ea89512e15fce61079d8f82302df5742e8e6e6c672a3726496281ad9bfd8a, 4b6d8590a2db42eda26d017a119287698c5b0ed91dd54222893f7164e40cb508, c33e50c3be111c1401037cb42a0596a123347d5700cee8c42b2bd30cdf6b3be3, 71453640ebf7cf8c640429a605ffbf56dfc91124c4a35c2ca6e5ac0223f77532, 3188cbe5b60ed7c22c0ace143681b1c18f0e06658a314bdc4c7c4b8f77394729, 80fba2dcc7ea2e8ded32e8f6c145cf011ceb821e57fee383c02d4c5eaf8bbe00, De85f1916d6102fcbaceb9cef988fca211a9ea74599bf5c97a92039ccf2da5f7, 2a0397adb55436efa86d8569f78af0934b61f5b430fa00b49aa20a4994b73f4b
- [Download URLs] Download URLs – hxxp://77[.]73[.]133[.]99/taka, hxxp://77[.]73[.]133[.]99/trester, and 1 more URL
- [C2] C2 servers and endpoints – hxxp://77[.]73[.]133[.]99, hxxp://77[.]73[.]133[.]99/selects?dram=1, hxxp://77[.]73[.]133[.]99/selects?bilert=1, hxxp://77[.]73[.]133[.]99/route?index=1, hxxp://77[.]73[.]133[.]99/route?alert=1, hxxp://89[.]208[.]107[.]12, hxxp://89[.]208[.]107[.]12/selects?param=1, hxxp://89[.]208[.]107[.]12/selects?walert=1