Often, the first place where cybercriminals look to penetrate a machine running Windows is Microsoft's RDP (Remote Desktop Protocol). One of the most significant Windows OS vulnerabilities unveiled in the past few months is BlueKeep. Exploiting this vulnerability could allow malware to spread laterally, greatly amplifying its reach and the harm it causes. Recently, the Remote Desktop Protocol has been targeted by cyber crooks again and, much to the surprise of malware experts, the attackers have not exploited the BlueKeep vulnerability. This latest campaign is remarkable in its scale, but the cybercriminals have decided to keep it simple this time.
The activity of a huge botnet was spotted by cybersecurity experts recently. The botnet in question is called GoldBrute. The GoldBrute botnet locates RDP-enabled Windows Servers using the Shodan.io search engine. The attackers have compiled a list of likely usernames and passwords and have programmed their threat to attempt to log in to the targeted servers using these credentials, gaining access via a brute-force attack. If this technique succeeds, the compromised machine becomes part of the botnet and, in turn, continues the operation of spreading the threat.
To keep the GoldBrute botnet's activity under the radar of security features that protect servers from brute-force attacks, the attackers have programmed the threat to try to log in only once per targeted PC. This makes it much less likely to get flagged for suspicious behavior. The Shodan.io scanner finds approximately 2,400,000 servers that run an accessible RDP service. About 1,600,000 of those might have already become targets of GoldBrute's attack. It has not been confirmed what the purpose of this botnet is, but it is evident that the creators of the GoldBrute botnet have no intention of stopping any time soon.
Researchers found that the only command and control server GoldBrute uses is at the IP address 22.214.171.124, which geolocates to New Jersey in the United States. The code of the Trojan.GoldBrute botnet is a hefty 80 MB of data, which also includes its entire Java Runtime.
Systems suffering from a GoldBrute infection begin scanning for hosts with exposed RDP servers, reporting them back to the command and control server over an encrypted WebSocket connection to port 8333. Once the bot has sent the addresses of 80 victims, the command and control server picks the targets the bot then brute forces. The bot uses only one username and password pair for each target.
This is likely a tactic to spread the brute-force attack across many bots, so that a target sees single login attempts coming from many different addresses rather than repeated attempts from one. After a successful authentication, the newly compromised host downloads the Trojan.GoldBrute code and the Java Runtime, both packed inside a ZIP archive.
Once the archive is uncompressed, it proceeds to run 'bitcoin.dll', a JAR file that poses as a DLL.
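The one-attempt-per-bot behaviour described above defeats detection rules that count failures per source address. The following is an added example, not code from the original article or from any GoldBrute analysis: it runs over constructed Windows Event ID 4625-style failed-logon records and shows that a per-source threshold never fires, while aggregating failed logons per target account across distinct source addresses does. The record layout (timestamp, event ID, account, source IP) and all values are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (Event ID 4625 style): timestamp, event id,
# target account, source IP. Each source IP tries a given account only once,
# mirroring the one-credential-pair-per-target behaviour described above.
SAMPLE_LOG = """\
2019-06-10T12:00:01 4625 Administrator 203.0.113.10
2019-06-10T12:00:09 4625 Administrator 203.0.113.27
2019-06-10T12:00:20 4625 Administrator 198.51.100.5
2019-06-10T12:00:31 4625 Administrator 198.51.100.77
2019-06-10T12:00:44 4625 Administrator 192.0.2.200
2019-06-10T12:01:02 4625 Administrator 192.0.2.33
2019-06-10T12:05:00 4625 jsmith 203.0.113.10
2019-06-10T13:30:00 4625 jsmith 192.0.2.33
"""

def parse_failed_logons(text):
    """Return a list of (timestamp, account, source_ip) for each 4625 record."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, src = line.split()
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), account, src))
    return events

def per_source_alerts(events, threshold=5):
    """Classic lockout-style rule: alert on any source IP with >= threshold
    failures. Because every bot tries once, this never fires."""
    counts = defaultdict(int)
    for _, _, src in events:
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)

def distributed_spray_alerts(events, window=timedelta(minutes=10), min_sources=5):
    """Aggregate by target account instead: alert when >= min_sources distinct
    source IPs fail against the same account inside a sliding time window."""
    by_account = defaultdict(list)
    for ts, account, src in events:
        by_account[account].append((ts, src))
    alerts = []
    for account, attempts in by_account.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = {src for ts, src in attempts[i:] if ts - start <= window}
            if len(in_window) >= min_sources:
                alerts.append((account, len(in_window)))
                break  # one alert per account is enough
    return alerts
```

On the sample, the per-source rule returns nothing while the per-account rule flags Administrator with six distinct sources inside the window.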