GoldBrute Botnet Is Bruteforcing 1,596,571 RDP Endpoints

GoldBrute is the name of a new botnet that is currently scanning the internet for poorly protected Windows machines with the Remote Desktop Protocol (RDP) enabled.

The botnet was discovered by security researcher Renato Marinho of Morphus Labs who says that it has been attacking 1,596,571 RDP endpoints. This number is expected to rise in the coming days.
GoldBrute Botnet Attacks Explained

Currently, the GoldBrute botnet is bruteforcing a list of about 1.5 million RDP servers exposed to the internet, the researcher says. It is worth noting that Shodan lists about 2.4 million exposed servers, while GoldBrute uses its own list, which it actively extends as it continues to scan.

The first step of a GoldBrute attack is bruteforcing a Windows system and gaining access through RDP. The botnet then downloads a .zip file containing the malicious GoldBrute code and starts scanning the internet for new RDP endpoints that are not yet included in its own list.

Once it discovers 80 new RDP endpoints, the bot sends the list of IP addresses to its remote command-and-control (C2) server. Infected systems then receive a list of IP addresses to brute-force. Each IP address gets only one username and password combination for the bot to try, and each bot receives a different combination.

Once all of the conditions above are met, the bot performs the bruteforce attempt and reports the result back to its C2 server.
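The distribution scheme described above (one username/password pair per bot per target) is designed so that per-source lockout and threshold rules never fire. The detector below is an added example written for this article, not code from the article or from Morphus Labs: it reads a constructed, simplified rendering of Windows Security event 4625 (failed logon) records restricted to logon type 10 (RDP) and flags a target host when many distinct source addresses each fail a small number of times inside a time window. The log format, the thresholds and the sample addresses are all assumptions chosen for illustration.

```python
"""Detect distributed, low-rate RDP brute forcing of the GoldBrute kind.

Added example (not from the article or from Morphus Labs). The input format
below is a constructed simplification of Windows Security event 4625:
"<iso-timestamp> 4625 <target-host> <source-ip> <logon-type>"
Logon type 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: srv-01 sees one failure each from six sources
# (the GoldBrute pattern), srv-02 sees six failures from one source (a classic
# burst that per-source rules already catch), srv-03 is a non-RDP failure.
SAMPLE_LOG = """\
2019-06-06T10:00:01 4625 srv-01 203.0.113.10 10
2019-06-06T10:00:07 4625 srv-01 198.51.100.22 10
2019-06-06T10:00:15 4625 srv-01 192.0.2.77 10
2019-06-06T10:00:31 4625 srv-01 203.0.113.99 10
2019-06-06T10:01:02 4625 srv-01 198.51.100.5 10
2019-06-06T10:01:44 4625 srv-01 192.0.2.140 10
2019-06-06T10:02:09 4625 srv-02 203.0.113.10 10
2019-06-06T10:02:10 4625 srv-02 203.0.113.10 10
2019-06-06T10:02:11 4625 srv-02 203.0.113.10 10
2019-06-06T10:02:12 4625 srv-02 203.0.113.10 10
2019-06-06T10:02:13 4625 srv-02 203.0.113.10 10
2019-06-06T10:02:14 4625 srv-02 203.0.113.10 10
2019-06-06T10:05:00 4625 srv-03 192.0.2.8 3
"""


def parse_events(text):
    """Yield (timestamp, target, source, logon_type) for each 4625 record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "4625":
            continue  # skip malformed lines and other event IDs
        ts, _, target, source, logon_type = parts
        yield datetime.fromisoformat(ts), target, source, int(logon_type)


def detect_distributed_rdp_bruteforce(text, window=timedelta(minutes=10),
                                      min_sources=5, max_per_source=2):
    """Return {target: sorted source IPs} for every host that, within any
    `window`, saw failed RDP logons from at least `min_sources` distinct
    sources, each contributing at most `max_per_source` failures.

    Sources above `max_per_source` are deliberately ignored here: a single
    noisy source is the case conventional per-source rules already handle."""
    per_target = defaultdict(list)
    for ts, target, source, logon_type in parse_events(text):
        if logon_type == 10:  # RDP (RemoteInteractive) failures only
            per_target[target].append((ts, source))

    alerts = {}
    for target, events in per_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, src in events[start:end + 1]:
                counts[src] += 1
            low_rate = [s for s, n in counts.items() if n <= max_per_source]
            if len(low_rate) >= min_sources:
                alerts[target] = sorted(low_rate)
    return alerts


if __name__ == "__main__":
    for host, sources in detect_distributed_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {len(sources)} distinct low-rate RDP sources: {sources}")
```

Run against the constructed sample, only srv-01 is reported: six distinct sources with one failure each, which a per-source lockout policy would never notice. A real deployment would feed the function from a SIEM query over event 4625 with logon type 10, and the thresholds should be tuned to the size of the exposed RDP estate.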

Renato Marinho’s analysis of GoldBrute’s code allowed him to modify it so that it saved every “host + username + password” combination on the lab machine instead of attempting it:

“After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase,” the researcher said in his report.

The researcher was also able to geolocate all the addresses and plot them on a world map using an ELK stack.

In conclusion, even though GoldBrute’s attack mechanism is not particularly sophisticated, it is unusual in the way it spreads the bruteforce operation across bots, which helps it stay below the detection thresholds of individual targets.

Milena Dimitrova