Often, the first place where cybercriminals look to penetrate a machine running Windows is via Microsoft’s RDP (Remote Desktop Protocol). One of the most significant Windows OS vulnerabilities to be unveiled in the past few months is BlueKeep. Exploiting this vulnerability would potentially enable malware to spread laterally and amplify its reach and the harm it causes greatly. Recently, the Remote Desktop Protocol has been targeted by cyber crooks again and much to the surprise of malware experts, the attackers have not exploited the BlueKeep vulnerability. This latest campaign is remarkable in its scale, but the cybercriminals have decided to keep it simple this time.
The activity of a huge botnet was spotted by cybersecurity experts recently. The botnet in question is called GoldBrute. The GoldBrute botnet locates RDP-enabled Windows Servers using the Shodan.io search engine. The attackers have compiled a list of likely usernames and passwords and have programmed their threat to attempt to log in the targeted servers using these login credentials in an attempt to gain access via brute force attack. Then, if this technique gives positive results, the compromised machine will become a part of this large botnet and in turn, continue the operation of spreading this threat.
In an attempt to ensure that the GoldBrute botnet’s activity remains under the radar of security features protecting servers from brute-force attacks, the attackers have programmed the threat to only trying to log in once per targeted PC. This makes it much less likely that it will get flagged for suspicious behavior. The scanner of Shodan.io finds 2,400,000 million servers that run an accessible RDP service approximately. About 1,600,000 of those might have already become the target of GoldBrute's attack. It has not been confirmed what the purpose of this botnet is, but it is evident that the creators of the GoldBrute botnet have no intentions of stopping any time soon.
Researchers found the only command and control server using Goldbrute uses is the IP address 220.127.116.11, which shows a location in New Jersey in the United States. The code of Trojan.GoldBrute botnet is around a hefty 80 MB of data, which also includes its entire Java Runtime.
Systems suffering from a GoldBrute infection begin scanning for any hosts with exposed RDP servers, reporting back to their command and control server using the encrypted WebSocket link to port 8333. Once the bot sends off addresses from 80 victims, the command and control server picks targets the bot then brute forces. The bot will only use one pair of username and password for each of the targets.
This is a likely tactic used to coordinate brute force attacks on targets once the victim sees login attempts coming from different addresses. Authentication downloads the Trojan.GoldBrute code and the Java Runtime, both packed inside a ZIP archive.
Once the archive is uncompressed, it proceeds to run 'bitcoin.dll', a jar file that poses as a dll.