A botnet scans the internetnetwork to search for unprotected Windows machines with Remote Desktop Protocol (RDP) connection enabled.
It's called GoldBrute and it systematically scans a list of over 1,5 million systems, trying to access them with brute-force attacks. The scan is still going on and GoldBtute is increasing its list of possible targets.
A search on Shodan (machine search of machines connected to the internet) shows that there are about 2,4 million machines accessible on the web with the protocol Remote Desktop Protocol.
Ο Renato Marinho of Morphus Labs analyzing GoldBrute's brute-force method, suggests that hackers are collecting data to sell to hacker forums or dark web markets. The researcher reports that the data is directed to the IP address 104.156.249.231, which indicates a location in New Jersey in the United States.
Ο codeς του GoldBrute Botnet είναι αρκετά μεγάλος, περίπου 80MB, επειδή περιλαμβάνει το πλήρες Java Runtime. Τα συστήματα που έχουν προσβληθεί από το GoldBrute ξεκινάνε μία σάρωση του ιστού, για κεντρικούς υπολογιστές με εκτεθειμένους διακομιστές RDP και αναφέρουν τα αποτελέσματα στην IP 104.156.249.231, μέσω κρυπτογραφημένης σύνδεσης WebSocket στη θύρα 8333, που χρησιμοποιείται συνήθως για συνδέσεις Bitcoin.
After sending the addresses to 80 victims, the bot then tries to do so brute-force in these. Interestingly, the bot tries to check only one pair of username and password for each target.
Most likely, this tactic is intended to hide a coordinated Brute-force attack, as the victim will see multiple connection attempts.
During the analysis of the GoldBrute botnet, the researcher was able to modify his code in a way that allowed him to save the list of all "host + username + password" on his own computer.
"After 6 hours, we received 2,1 million IP addresses from the bot, of which 1.596.571 are unique. Of course, we did not execute the next phase of the brute-force ".
The systems are distributed worldwide as shown in the map below.
There is nothing innovative in the attack method, but GoldBrute stands out in the way it handles brute-force. The method helps to keep a low profile so that it is not easily perceived.
