Windows RDP Server on the spotlight of the Goldbrute botnet

Cybersecurity researcher Renato Marinho at Morphus Labs, has discovered a new brute-force attack based botnet against 1,5 million Windows RDP (Remote Desktop protocol) Servers.

This campaign, dubbed GoldBrute, starts making a force-brute attack against a RDP server. Once success, it infects the system with a java based malware which it starts to communicate with the single Command & Control (C&C) server. Infected machines have as their first task to scan the network and send to C&C server a list of at least 80 new open RDP servers that might be vulnerable. Then, brute-force phase in which malware receives and continuously attacks combinations of "host + username + password" against targets begins. In successful cases, the infected machine returns the access credentials to the C&C server.