GOLDBRUTE BOTNET attacks Windows-systems with active connection via RDP

Currently, GoldBrute has over 1.5 million systems on its list of goals.

Morphus Labs discovered anew botnet that actively scans the Network for badly protected Windows-based systems with active RDP connections. Currently, the botnet’s list of goals, called GoldBrute, includes more than 1.5 million systems, which it periodically tries to gain access with brute force or credential stuffing attacks. According to the researchers, the largest number of attacked systems is in South Korea, China, Taiwan, the United States and the United Kingdom.

Having access to the target system, the botnet downloads a ZIP archive with GoldBrute malware, and then scans the Internet for new vulnerable computers with an RDP connection. Having collected a list of 80 potential objects, GoldBrute sends data about their IP addresses to the management server, from where a list of IP addresses to be attacked is sent to the infected PC.

It is noteworthy that for each IP address there is only one login / password combination, and for each purpose different credentials are used. Researchers believe that in this way, botnet operators try to hide their activities from users who will certainly notice numerous authorization attempts. At the final stage, the bot performs a brute force attack and sends the results to the C & C server.

While experts can not tell what purpose the attackers pursue. They believe that GoldBrute operators are collecting a botnet for the further sale of access to it in various underground forums.