GoldBrute botnet attacks Windows systems with an active RDP connection
Currently, GoldBrute has over 1.5 million systems on its list of targets.
Once it has access to a target system, the botnet downloads a ZIP archive containing the GoldBrute malware and then scans the Internet for new vulnerable computers with an RDP connection. After collecting a list of 80 potential targets, GoldBrute sends their IP addresses to the command-and-control (C&C) server, which in turn sends the infected PC a list of IP addresses to attack.
Notably, each IP address comes with only one login/password combination, and different credentials are used for each target. Researchers believe that the botnet operators are trying in this way to hide their activity from users, who would certainly notice numerous authorization attempts. At the final stage, the bot performs the brute-force attack and sends the results to the C&C server.
Experts cannot yet say what goal the attackers are pursuing. They believe that the GoldBrute operators are building the botnet in order to later sell access to it on various underground forums.
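Because each bot tries only one login/password pair per target, a lockout or alert rule that counts failures per source address never fires. The following is an added example, not code from the researchers or from this article: it counts distinct low-volume sources per target instead. The record layout (as might be parsed from Windows failed-logon event 4625), the host names, the addresses and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed failed-logon records: (time, target, source IP, username)."""
    t0 = datetime(2019, 6, 10, 12, 0)
    ev = [(t0 + timedelta(minutes=5 * i), "host-a", f"198.51.100.{i + 1}", f"user{i}")
          for i in range(12)]                      # 12 sources, one try each
    ev += [(t0 + timedelta(seconds=10 * i), "host-b", "203.0.113.7", "administrator")
           for i in range(30)]                     # one noisy source, 30 tries
    ev += [(t0 + timedelta(minutes=i), "host-c", "192.0.2.44", "alice")
           for i in range(2)]                      # a user mistyping twice
    return ev

def per_source_alerts(events, max_failures=5):
    """Classic rule: (target, source) pairs with more than max_failures failures."""
    counts = defaultdict(int)
    for _, target, src, _ in events:
        counts[(target, src)] += 1
    return {pair for pair, n in counts.items() if n > max_failures}

def distributed_alerts(events, window=timedelta(hours=1),
                       min_sources=10, max_per_source=2):
    """Targets where, inside one window, at least min_sources distinct
    sources each failed no more than max_per_source times.
    Returns {target: largest such source count seen}."""
    by_target = defaultdict(list)
    for ts, target, src, _ in events:
        by_target[target].append((ts, src))
    flagged = {}
    for target, rows in by_target.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1                         # slide the window forward
            per_src = defaultdict(int)
            for _, src in rows[start:end + 1]:
                per_src[src] += 1
            quiet = sum(1 for n in per_src.values() if n <= max_per_source)
            if quiet >= min_sources:
                flagged[target] = max(flagged.get(target, 0), quiet)
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-source rule:", per_source_alerts(sample))
    print("distributed rule:", distributed_alerts(sample))
```

On the constructed data the per-source rule catches only the single noisy address against host-b, while the distinct-source rule flags host-a, where every address failed exactly once.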