GoldBrute Botnet Attacking RDP Servers


A new botnet, GoldBrute, is making the rounds on Windows systems running Remote Desktop Protocol (RDP). Renato Marinho, a security researcher at Morphus Labs, discovered the botnet and found that GoldBrute has hit more than 1.5 million RDP endpoints, located across the world.

The botnet uses the 1.5 million RDP endpoints to scan for further systems and brute-forces its way into them. GoldBrute maintains its own list of RDP servers and keeps growing it as the scanning continues.

GoldBrute is controlled by a single command and control (C&C) server whose IP address points to a location in New Jersey. The C&C communicates with the bots over an AES-encrypted WebSocket connection to port 833, a port usually used for Bitcoin connections.

To begin its attack, GoldBrute scans random IP addresses to find hosts with insecure RDP servers. Once a total of 80 victims have been discovered, the server assigns targets to each bot. Each bot then tries to brute-force each target using just a single username and password combination.

Marinho stated in his blog:

“This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.”

Once a login succeeds, a zip archive containing the GoldBrute Java code and a Java runtime is downloaded; this file is 80 MB. Once uncompressed, a jar file named “bitcoin.dll” is run. The ‘.dll’ extension is most likely there to hide the file from users. Next, the loaded bot begins to scan the internet for brutable RDP servers. When the bot finds 80 brutable servers, it begins the brute-force phase. In this phase, “the bot will continually receive and brute-force ‘host + username + password’ combinations”. All valid username and password combinations are sent back to the attacker.
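As an added defender-side example (not code from the original article or from Morphus Labs), the check below looks for the pattern the quote describes: many distinct source addresses each making a single failed RDP logon against the same host, which per-IP lockout thresholds never catch. The log format and the addresses are constructed for the example.

```python
"""Detect the distributed RDP brute-force pattern described in the article.

Constructed sample log lines (not real telemetry), one RDP logon per line:
'<timestamp> <target_host> <source_ip> <username> <result>'.
Per-source lockout rules never fire when every source tries only once,
so this check counts distinct low-volume failing sources per target host.
"""
from collections import defaultdict

# Constructed sample: six distinct sources, one failure each, against rdp-01
# (the distributed pattern); one noisy source hammering rdp-02 (classic).
SAMPLE_LOG = """\
2019-06-06T10:00:01 rdp-01 198.51.100.11 administrator FAIL
2019-06-06T10:00:07 rdp-01 198.51.100.42 admin FAIL
2019-06-06T10:00:13 rdp-01 203.0.113.9 administrator FAIL
2019-06-06T10:00:19 rdp-01 203.0.113.77 sysadmin FAIL
2019-06-06T10:00:25 rdp-01 192.0.2.5 administrator FAIL
2019-06-06T10:00:31 rdp-01 192.0.2.88 backup FAIL
2019-06-06T10:01:00 rdp-02 198.51.100.200 administrator FAIL
2019-06-06T10:01:01 rdp-02 198.51.100.200 administrator FAIL
2019-06-06T10:01:02 rdp-02 198.51.100.200 administrator FAIL
2019-06-06T10:01:03 rdp-02 198.51.100.200 administrator FAIL
2019-06-06T10:02:00 rdp-01 10.0.0.15 jsmith SUCCESS
"""


def parse_lines(text):
    """Yield (host, source_ip, username, result) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            _ts, host, src, user, result = parts
            yield host, src, user, result


def distributed_bruteforce_hosts(text, min_sources=5, max_attempts_per_source=1):
    """Return {host: count} for hosts hit by at least min_sources addresses
    that each failed at most max_attempts_per_source times; a single noisy
    source is left to the usual per-IP lockout rules."""
    failures = defaultdict(lambda: defaultdict(int))  # host -> src -> count
    for host, src, _user, result in parse_lines(text):
        if result == "FAIL":
            failures[host][src] += 1
    flagged = {}
    for host, by_src in failures.items():
        quiet = [s for s, n in by_src.items() if n <= max_attempts_per_source]
        if len(quiet) >= min_sources:
            flagged[host] = len(quiet)
    return flagged
```

Running it over the sample flags rdp-01 (six single-attempt sources) and leaves rdp-02, whose four failures all come from one address, to ordinary lockout rules.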

RDP servers are increasingly becoming a target of attackers. GoldBrute is particularly unusual because it attempts to keep a low profile, in part through its lack of any persistence mechanism.

Contact LIFARS immediately if your organization has been victim to an attack.