GoldBrute Botnet Brute Forcing RDP Servers

A posting to the InfoSec Handlers Diary has provided information on a botnet named GoldBrute. It is currently attempting to brute-force credentials on Internet-accessible RDP servers. The number of servers the botnet is attempting to exploit is reportedly in the region of 1.5 million. If a server is successfully compromised, the server will then download and install the botnet code.

The botnet is written in Java and the required Java runtime is part of the botnet code download. The infected server will communicate with the C&C server using an encrypted (AES) websocket on port 8333 and then scan random IP addresses to locate further systems with exposed RDP services. An interesting feature of the botnet is the manner in which it assigns servers to attempt to brute force with each bot trying only one username and password per target system.

It is recommended that you ensure RDP is NOT open to the internet, you use strong passwords for RDP service, and keep applications and operating systems running at the current released patch level.

Indicators of Compromise

Hash af07d75d81c36d8e1ef2e1373b3a975b9791f0cca231b623de0b2acd869f264e

IP Addresses 104.248.167.144 (Download Server) 104.156.249.231 Port 8333 (C&C Server)

Malicious Jar File Name bitcoin.dll