A new Go-based botnet has been spotted scanning and brute-forcing self-hosted websites using the WordPress content management system (CMS) to seize control of targeted systems.
“This new brute forcer is part of a new campaign we have named GoTrim because it was written in Go and uses ‘:::trim:::’ to split data communicated to and from the C2 server,” Fortinet FortiGuard Labs researchers Eduardo Altares, Joie Salvio, and Roy Tay said.
The active campaign, observed since September 2022, utilizes a bot network to perform distributed brute-force attacks in an attempt to log in to the targeted web server.
A successful break-in is followed by the operator installing a downloader PHP script on the newly compromised host that, in turn, is designed to deploy the “bot client” from a hard-coded URL, effectively adding the machine to the growing network.
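Because the login attempts described above are spread across a bot network, a per-IP failure limit on its own can miss them. The sketch below is an added example, not code from Fortinet or the original report: it counts failed `wp-login.php` POSTs per time window across all source IPs. The log lines are constructed, the thresholds are illustrative, and it assumes a failed WordPress login returns HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2022:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2022:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Dec/2022:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.200 - - [12/Dec/2022:10:02:59 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Dec/2022:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Dec/2022:10:04:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Dec/2022:10:04:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Dec/2022:10:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Dec/2022:10:20:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (timestamp, ip) for each failed WordPress login in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Assumption: a failed login re-renders the form (200); success redirects (302).
        if m and m["method"] == "POST" and m["status"] == "200" \
                and m["path"].split("?")[0].endswith("/wp-login.php"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def distributed_bruteforce_windows(log_text, window=timedelta(minutes=5),
                                   min_attempts=6, min_ips=4):
    """Flag windows where failures are high in total but spread over many IPs."""
    size = int(window.total_seconds())
    buckets = defaultdict(list)
    for ts, ip in failed_logins(log_text):
        epoch = int(ts.timestamp())
        buckets[epoch - epoch % size].append(ip)  # fixed, epoch-aligned windows
    alerts = []
    for start, ips in sorted(buckets.items()):
        if len(ips) >= min_attempts and len(set(ips)) >= min_ips:
            alerts.append({"window_start": datetime.fromtimestamp(start, timezone.utc),
                           "attempts": len(ips), "distinct_ips": len(set(ips)),
                           "max_per_ip": max(ips.count(ip) for ip in set(ips))})
    return alerts
```

In the sample, the first window is flagged even though no single address fails more than twice, while the two failures from one address at 10:20 are not.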