GoTrim Malware Hacks WordPress Sites

GoTrim botnet hacks WordPress

Fortinet specialists have discovered a new GoTrim malware written in Go that scans the Internet for WordPress sites and brute-forces them by guessing the administrator password.

Such attacks can lead to the deployment of malware, the introduction of scripts on websites to steal bank cards, the placement of phishing pages, and other attack scenarios that potentially affect millions of users (depending on the popularity of the hacked resources).

Let me remind you that we also wrote that New Version of Truebot Exploits Vulnerabilities In Netwrix Auditor And Raspberry Robin Worm, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.

Experts write that GoTrim is still in development, but already has powerful features. Botnet attacks began at the end of September 2022 and are still ongoing.

Malware operators provide their bots with a long list of target resources and a list of credentials, after which the malware connects to each site and tries to brute force administrator accounts using logins and passwords from the existing list.

If successful, GoTrim logs in to the hacked site and sends information about the new infection to the command and control server (including the bot ID in the form of an MD5 hash). The malware then uses PHP scripts to extract the GoTrim bot client from a hard-coded URL, and then removes both the script and the brute force component from the infected system.

Actually, GoTrim can work in two modes: “client” and “server”. In client mode, the malware initiates a connection to the botnet’s control server, while in server mode it launches an HTTP server and waits for incoming requests. For example, if a hacked endpoint is directly connected to the Internet, the malware uses server mode by default.

GoTrim botnet hacks WordPress

GoTrim sends requests to the attacker’s server every few minutes, and if the bot does not receive a response after 100 attempts, it will stop working.

The C&C server can send the following encrypted commands to GoTrim:

  1. check provided credentials for WordPress domains;
  2. check provided credentials for Joomla! (not yet implemented);
  3. check provided credentials for OpenCart domains;
  4. verify provided credentials for Data Life Engine domains (not yet implemented);
  5. detect installations of CMS WordPress, Joomla!, OpenCart or Data Life Engine in the domain;
  6. eliminate malware.

Interestingly, the botnet tried to avoid the attention of the WordPress security team and did not attack sites hosted on, only targeting sites with their own servers. This is implemented by checking the Referer HTTP header for “”.

Managed WordPress hosting providers like usually have more security measures in place to track, detect, and block brute force attempts than self-hosted sites. Therefore, a potentially successful attack is not worth the risk of detection.the researchers explain.

It is also noted that if the target site uses a CAPTCHA plugin to fight bots, the malware will detect it and download the appropriate solver. GoTrim currently supports seven popular CAPTCHA plugins.

In addition, experts noticed that the botnet avoids attacking sites hosted on, but the exact reasons for this behavior have not been established, although it is very possible that the hackers who created the malware are simply in Russia, but are looking for an opportunity to launder money.

To protect against GoTrim and other similar threats, experts recommend that site administrators use strong passwords, do not reuse passwords, and always use two-factor authentication, if possible.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *