GoldBrute Botnet is targeting over 1.5 million RDP servers

A new botnet called GoldBrute is scanning random IP addresses to find exposed RDP servers, and has already identified more than 1.5 million of them. Rather than relying on lists of weak passwords or credentials reused from data breaches, as other botnets do, GoldBrute uses its own username and password list to launch brute force attacks.

Security researchers at Morphus Labs detected an ongoing attack controlled by a C&C server; the bots communicate with it over port 8333, with traffic encrypted using the symmetric algorithm AES. The bot first scans the Internet for Windows hosts that expose Remote Desktop Protocol services. “An infected system will first be instructed to download the bot code. The download is very large (80 MBytes) and includes the complete Java Runtime. The bot itself is implemented in a Java class called GoldBrute”. Each exposed host the bot finds is reported back to the C&C server; once a bot has reported 80 new victims, the C&C server assigns it a target to brute force.

It is worth noting that each bot tries only one username and password combination per target, to avoid detection. This is likely a strategy to evade security tools, because each authentication attempt against a given server comes from a different source address. Once an attack succeeds, the compromised host downloads a zip archive, unzips it and runs a jar file named “bitcoin.dll.” The new bot then starts scanning the Internet for open RDP servers. Every new IP it finds is reported to the C&C server, and once it has reported 80 RDP servers, the C&C server assigns it a set of targets. During the brute force phase, the bot continuously obtains username and password combinations from the C&C server.
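The one-attempt-per-source behaviour described above is exactly what defeats a classic per-IP lockout rule, so the useful detection is the inverse: count how many distinct source addresses fail an RDP logon against the same server inside a short window. The following Python script is an added example, not code from the article or from Morphus Labs. It runs over constructed sample lines in a simplified, assumed export format of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP); the field names, the 10-minute window and the five-source threshold are assumptions to be tuned for a real environment. It also includes a per-source rule for contrast, to show that it never fires on the distributed pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): a simplified export of Windows Security
# events. Event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
# RDP-SRV01 receives one failure each from six different addresses (the pattern
# described in the article); RDP-SRV02 receives three failures from a single address.
SAMPLE_LOG = """\
2019-06-06T10:00:01 4625 Target=RDP-SRV01 User=administrator SourceIP=198.51.100.10 LogonType=10
2019-06-06T10:00:14 4625 Target=RDP-SRV01 User=admin SourceIP=198.51.100.23 LogonType=10
2019-06-06T10:00:39 4625 Target=RDP-SRV01 User=administrator SourceIP=203.0.113.7 LogonType=10
2019-06-06T10:01:02 4625 Target=RDP-SRV01 User=user SourceIP=203.0.113.88 LogonType=10
2019-06-06T10:01:45 4625 Target=RDP-SRV01 User=administrator SourceIP=192.0.2.55 LogonType=10
2019-06-06T10:02:10 4624 Target=RDP-SRV01 User=jsmith SourceIP=10.0.0.5 LogonType=10
2019-06-06T10:02:30 4625 Target=RDP-SRV01 User=test SourceIP=192.0.2.131 LogonType=10
2019-06-06T10:03:05 4625 Target=RDP-SRV02 User=jsmith SourceIP=10.0.0.5 LogonType=10
2019-06-06T10:03:09 4625 Target=RDP-SRV02 User=jsmith SourceIP=10.0.0.5 LogonType=10
2019-06-06T10:03:12 4625 Target=RDP-SRV02 User=jsmith SourceIP=10.0.0.5 LogonType=10
"""

# Assumed line layout of the constructed export; adapt the pattern to your SIEM's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) Target=(?P<target>\S+) User=(?P<user>\S+) "
    r"SourceIP=(?P<src>\S+) LogonType=(?P<ltype>\d+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def _rdp_failures(events):
    """Group failed RDP logons (4625, logon type 10) by target host."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "4625" and e["ltype"] == "10":
            failures[e["target"]].append(e)
    return failures


def find_distributed_bruteforce(events, window=timedelta(minutes=10),
                                min_sources=5, max_attempts_per_source=1):
    """Flag a target when at least `min_sources` distinct source IPs each produced no
    more than `max_attempts_per_source` failed RDP logons inside a sliding `window`.
    A low per-source count combined with many sources is the distributed signature."""
    alerts = []
    for target, evs in _rdp_failures(events).items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            end = first["ts"] + window
            per_src = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] > end:
                    break
                per_src[e["src"]] += 1
            low_rate = [s for s, n in per_src.items() if n <= max_attempts_per_source]
            if len(low_rate) >= min_sources:
                alerts.append({"target": target, "window_start": first["ts"],
                               "distinct_sources": len(low_rate)})
                break  # one alert per target is enough for triage
    return alerts


def per_source_threshold(events, threshold=3):
    """Classic rule: flag a source IP once it accumulates `threshold` failures against
    one target. Included for contrast; it never fires on the one-attempt-per-source pattern."""
    counts = defaultdict(int)
    for evs in _rdp_failures(events).values():
        for e in evs:
            counts[(e["target"], e["src"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("distributed:", find_distributed_bruteforce(evts))
    print("per-source :", per_source_threshold(evts))
```

On the sample data the distributed rule fires for RDP-SRV01 (six sources, one failure each) while the per-source rule sees only the single noisy address hitting RDP-SRV02, which is the point: the two rules catch different shapes of attack and a server exposed to the Internet needs both, plus correlation on the attempted usernames, since the article notes the bots cycle through the same credential list.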

The researchers tested the bot in a lab environment and received 2.1 million IP addresses from the C&C server over 6 hours, of which 1,159,571 were unique.