GoldBrute is the name of a new botnet which is currently scanning the internet and attempting to locate poorly protected Windows machines with RDP (Remote Desktop Protocol) connection enabled.
The botnet was discovered by security researcher Renato Marinho of Morphus Labs who says that it has been attacking 1,596,571 RDP endpoints. This number is expected to rise in the coming days.
GoldBrute Botnet Attacks Explained
Currently, the GoldBrute botnet is bruteforcing a list of about 1.5 million RDP servers exposed to the Internet, the researcher says. It’s important to mention that Shodan lists about 2.4 million exposed servers, while GoldBrute is deploying its own list. The botnet is actively extending that list as it continues to scan.
The first step of a GoldBrute attack is bruteforcing Windows systems and gaining access through the RDP. Then the botnet downloads a .zip file which contains the malicious GoldBrute code, and starts scanning the internet for new RDP endpoints which are still not included in its own list.
Once it discovers 80 new RDP endpoints, the bot sends the list of IP addresses to its remote command-and-control server. Infected systems then receive a list of IP addresses ready for bruteforcing. Each IP address gets only one combination of username and password for the bot to attempt authentication, and the combination differs from bot to bot.
Once all of the conditions above are met, the bot performs the bruteforce attempt and reports the results back to its command-and-control server.
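Because each bot tries a single username/password pair per target, per-source lockout thresholds never fire. The following added example (not code from the researcher's report) shows the detection logic a defender would run instead: it scans Windows Security log failures for RDP (Event ID 4625, logon type 10) and alerts when many distinct sources each fail once against the same host inside a short window. The field names and sample events are constructed assumptions, not a specific SIEM schema.

```python
"""Detect distributed, one-attempt-per-source RDP brute forcing."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: eight distinct sources, each trying exactly one
# username against the same host within a few seconds (GoldBrute-style).
SAMPLE_EVENTS = [
    {"ts": f"2019-06-06T10:00:{i:02d}", "event_id": 4625, "logon_type": 10,
     "target_host": "rdp-srv-01", "src_ip": f"203.0.113.{i}", "user": u}
    for i, u in enumerate(["administrator", "admin", "user", "test",
                           "guest", "backup", "scan", "sql"], start=1)
]
# A classic single-source brute force for contrast; per-IP lockout covers it.
SAMPLE_EVENTS += [
    {"ts": "2019-06-06T10:01:00", "event_id": 4625, "logon_type": 10,
     "target_host": "rdp-srv-02", "src_ip": "198.51.100.7", "user": "administrator"}
    for _ in range(20)
]


def detect_distributed_rdp_bruteforce(events, window=timedelta(minutes=10),
                                      min_sources=5, max_per_source=1):
    """Return {host: distinct_sources} for hosts where at least min_sources
    different IPs each failed an RDP logon no more than max_per_source times
    inside `window`: the low-and-slow pattern per-IP thresholds miss."""
    by_host = defaultdict(list)
    for e in events:
        # 4625 = "An account failed to log on"; logon type 10 = RemoteInteractive (RDP).
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            by_host[e["target_host"]].append(
                (datetime.fromisoformat(e["ts"]), e["src_ip"]))
    alerts = {}
    for host, attempts in by_host.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_src = defaultdict(int)
            for _, src in attempts[start:end + 1]:
                per_src[src] += 1
            quiet = [s for s, n in per_src.items() if n <= max_per_source]
            if len(quiet) >= min_sources:
                alerts[host] = len(quiet)
    return alerts


if __name__ == "__main__":
    print(detect_distributed_rdp_bruteforce(SAMPLE_EVENTS))
```

Only rdp-srv-01 is flagged; the 20 failures against rdp-srv-02 come from one source and are left to ordinary account-lockout policy.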
Renato Marinho’s analysis of GoldBrute’s code made it possible for him to manipulate the code to make it save all “host + username + password” combinations on the lab machine:
“After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase,” the researcher said in his report.
The researcher was also able to geolocate all the addresses and plot them on a world map using an ELK stack.
In conclusion, even though GoldBrute is not that impressive in its attack mechanism, it is unique in the way it distributes the bruteforce operation across bots, which helps it remain undetected.