A botnet is currently scanning the internet in search of poorly protected Windows machines with Remote Desktop Protocol (RDP) connection enabled.

Called GoldBrute, the malware has compiled a list of over 1.5 million unique systems and systematically tests access on them with brute-force or credential stuffing attacks.

A search on the Shodan search engine shows that there are about 2.4 million machines that are reachable over the web and have Remote Desktop Protocol enabled.

Brute force disguised as a lone attack

Renato Marinho of Morphus Labs analyzed the brute-force component in GoldBrute, which keeps scanning the web and increases the list of potential targets.

Marinho told BleepingComputer in a conversation that the dropped artifacts do not reveal the final purpose for the hacked Remote Desktop servers.

As there is no persistence mechanism, one theory is that they are collecting them to sell as an access-as-a-service or on hacker forums and marketplaces.

The researcher says that there is only one command and control (C2) server, using the IP address 104.156[.]249.231, which indicates a location in New Jersey, United States.

The bot code is a heavy download of 80MB because it includes the complete Java Runtime. A Java class called "GoldBrute" includes the bot code.

A system infected with GoldBrute starts scanning the web for hosts with exposed RDP servers and reports their IP addresses to the C2 via an encrypted WebSocket connection to port 8333, typically used for Bitcoin connections.

After sending addresses for 80 victims, the C2 picks a number of targets the bot should brute force. Interestingly, a bot tries only one username and password pair for each target.

Most likely, this tactic is meant to hide a coordinated brute-force attack on the target since the victim will see login attempts from multiple addresses.
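The one-attempt-per-source pattern described above defeats per-IP lockout thresholds, so the check has to aggregate per destination host instead. The following is an added example, not code from the article or from Morphus Labs; the log format ("timestamp host src_ip user" for failed RDP logons) and the thresholds are assumptions.

```python
"""Detect a distributed RDP brute force where each source tries only once.
Added example, not code from the article or Morphus Labs; the log format
and field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon sample ("timestamp host src_ip user"), not real data.
SAMPLE_LOG = """\
2019-06-06T10:00:01 RDP-01 198.51.100.10 administrator
2019-06-06T10:00:04 RDP-01 203.0.113.7 admin
2019-06-06T10:00:09 RDP-01 192.0.2.44 administrator
2019-06-06T10:00:15 RDP-01 198.51.100.99 user
2019-06-06T10:00:21 RDP-01 203.0.113.120 administrator
2019-06-06T10:00:30 RDP-01 192.0.2.200 admin
2019-06-06T10:05:00 FILESRV 198.51.100.10 bob
2019-06-06T10:05:30 FILESRV 198.51.100.10 bob
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, host, src, user = line.split()
        events.append((datetime.fromisoformat(ts), host, src, user))
    return events

def distributed_bruteforce(events, window=timedelta(minutes=10),
                           min_sources=5, max_per_source=1):
    """Return {host: [sources]} for hosts that saw >= min_sources distinct
    source IPs inside `window` with no source exceeding max_per_source
    attempts. A per-source lockout threshold never fires on this pattern;
    aggregating per destination does."""
    by_host = defaultdict(list)
    for ts, host, src, _ in events:
        by_host[host].append((ts, src))
    flagged = {}
    for host, attempts in by_host.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):   # slide the window
            per_src = defaultdict(int)
            for ts, src in attempts[i:]:
                if ts - start > window:
                    break
                per_src[src] += 1
            if len(per_src) >= min_sources and max(per_src.values()) <= max_per_source:
                flagged[host] = sorted(per_src)
                break
    return flagged

if __name__ == "__main__":
    print(distributed_bruteforce(parse(SAMPLE_LOG)))
```

Only RDP-01 is flagged: six distinct sources, one attempt each, while FILESRV (one source, two attempts) is the ordinary case a per-IP rule already covers.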

A successful authentication triggers the download of the GoldBrute code and the Java Runtime, both packed in a ZIP archive.

"After uncompressing, it then runs a jar file called “bitcoin.dll”. The “dll” extension is possible to disguise unsuspecting users, but I suspect the “bitcoin” part calls more attention than a “.jar” extension would," Marinho says in a blog post today.

Scan, brute force, infect, repeat

The bot starts working immediately and searches for exposed RDP servers. When brute-forcing, the bot gets various combinations of host IP address, username, and password to try out.

When analyzing GoldBrute, the researcher was able to modify its code in a way that allowed saving the list with all "host+username+password."

"After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase."

The systems are spread across the world as visible in the map below.

Recently, cybercriminal interest in RDP servers has increased. This unwanted scrutiny comes after news emerged of BlueKeep, the critical remote code execution vulnerability in Remote Desktop Services (RDS).

There is nothing innovative in the attack method, but GoldBrute stands out in the way it runs the brute force; the method helps it keep a low profile as does its lack of persistence.
