Researchers encountered a previously unreported Content Management System (CMS) scanner and brute forcer written in the Go programming language. This malware was being described in several online forums as being installed in compromised WordPress sites.

The researchers have dubbed the malware GoTrim, in reference to perhaps one of the most popular WordPress plugins: GoTrim. It is actually named after the malware’s command line interface (CLI): cmd/go-trim. Once installed in a WordPress website, this malware is capable of maliciously modifies files and registry entries on that site. It also has capabilities to update itself when versions are released, adding new capabilities to it along the way.

GoTrim has been active since Jul 2018 and has been found on hundreds of websites since then.

The botnet scanner by default scans for WORDPRESS/.htaccess in the root but can be configured to scan for any filename in the root directory. Upon scanning, the botnet scanner prints out all directories, files and permissions on that domain.

‍

Source: GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites - AlienVault - Open Threat Exchange