GoldBrute botnet brute-forces over 1.5 million RDP servers

The GoldBrute botnet has compiled a network of 1,596,571 unique systems which can be hacked through credential stuffing or brute-force attacks.

The communication happens through a C2 server that uses an IP address -104.156.249.231 which is hosted in New Jersey, United States.

Exposing RDP - Remote Desktop Protocol to the internet can be a bad idea as botnets are aiming for the same to execute their malwares. The GoldBrute bot network discovered recently has been found scanning through the internet for vulnerable windows systems that have RDP connection exposed to the internet. What's the matter?

The GoldBrute bot network compiled of 1,596,571 unique systems, which can be hacked through credential stuffing or brute-force attacks was discovered by Renato Marinho of Morphus Labs. While is belived that the number can most probably increase in the coming days.

This bot network works by using brute-force attacks to gain access to a Windows system via Remote Desktop Protocol. After successful brute-force, it downloads a zip file- which contains the malicious GoldBrute malware script -onto the targeted system. Then, it starts scanning the internet for new RDP points which are not a part of its already existing list of computer.

When it succeeds in finding at least 80 new RDP endpoints, it sends the list of IP addresses to its remote command-and-control server. So, now since there will be only one username and password for each IP address, The bot uses the same credential to brute force the system. But each GoldBurte bot gets a different username and password combo. After successful completion of the above steps, the botnet now sends back the results to its C2 server.

A search on Shodan -most powerful hackers search engine, shows that there are about 2.4 million machines which have their RDP's enables. This huge number might be beneficial for GoldBrute bot network which is continuously scanning the internet for vulnerable RDP end points. Researches also highlighted that the GoldBrute bot network activity indicates that miscreants are still employing classical techniques of brute-forcing instead of exploiting BlueKeep vulnerability to target RDP endpoints.