Newly discovered GoldBrute botnet found brute-forcing over 1.5 million RDP servers

• The GoldBrute botnet has compiled 1,596,571 unique systems which can be hacked through brute-force or credential stuffing attacks.
• The C2 server used for communication uses an IP address - 104[.]156[.]249[.]231 - which is located in New Jersey, United States.

Exposing Remote Desktop Protocol to the internet can be a bad idea as botnets are looking out for the same to execute their malicious activities. Recently, a newly discovered botnet named ‘GoldBrute’ has been found scanning the internet for vulnerable Windows that have RDP connection exposed to the internet.

What’s the matter?

Discovered by Renato Marinho of Morphus Labs, the GoldBrute botnet has compiled 1,596,571 unique systems which can be hacked through brute-force or credential stuffing attacks.

It is believed that the number will most likely rise in the coming days.

How does it work?

The botnet works as follows:

• As per its name, the botnet uses a brute-force attack to gain access to a Windows system via RDP;
• Once successful, it downloads a ZIP file - which contains the GoldBrute malware code - onto the targeted system;
• Then, it scans the internet for new RDP points which are not a part of its already existing list;
• When it find at least 80 new RDP endpoints, it sends the list of IP addresses to its remote command-and-control server;
• For each IP address, there will be only one username and password. The bot has to use the same credential to brute force the system. Each GoldBurte bot gets a different username and password combo;
• After performing the brute-force attack, the botnet has to send back the results to its C2 server.

Researchers the C2 server used for communication uses an IP address - 104[.]156[.]249[.]231 - which is located in New Jersey, United States.

Worth noting

A search on Shodan search engine shows that there are about 2.4 million machines that have remote desktop protocol enabled. This huge number can be beneficial for GoldBrute botnet which is continuously scanning the internet for vulnerable RDP endpoints.

Researchers highlight that the GoldBrute botnet activity indicates miscreants are still employing classical techniques of brute-forcing instead of exploiting BlueKeep to target RDP endpoints.