It's called GoldBrute and it systematically scans a list of over 1,5 million systems, trying to get access to them with brute-force attacks. The scan continues even now and GoldBtute is increasing its list of potential targets.
Ο Renato Marinho of Morphus Labs analyzing GoldBrute's brute-force method, predicts that the hackers συλλέγουν δεδομένα για να πουλήσουν σε hacker φόρουμ ή σε αγορές στο dark web. Ο ερευνητής αναφέρει ότι τα στοιχεία κατευθύνονται στη διεύθυνση IP 184.108.40.206, η οποία δείχνει μια τοποθεσία στο New Jersey στις Ηνωμένες Πολehies.
GoldBrute Botnet code is quite large, about 80MB, because it includes the full Java Runtime. GoldBrute-infected systems start a web scan for servers with exposed RDP servers and report the results to IP 220.127.116.11 via an encrypted WebSocket connection on port 8333, commonly used for connections bitcoin.
After sending the addresses to 80 victims, the bot then tries to do so brute-force in these. Interestingly, the bot tries to check only one pair of username and password for each target.
Most likely, this tactic is intended to hide a coordinated Brute-force attack, as the victim will see multiple connection attempts.
While analyzing the GoldBrute botnet, the researcher was able to modify his code in a way that allowed him to store the list of all “host + username + Password” on his own computer.
"After 6 hours, we received 2,1 million IP addresses from the bot, of which 1.596.571 are unique. Of course, we did not execute the next phase of the brute-force ".
The systems are distributed worldwide as shown in the map below.
There is nothing innovative in the attack method, but GoldBrute stands out in the way it handles brute-force. The method helps to keep a low profile so that it is not easily perceived.