GoldBrute is a brute-force campaign targeting more than 1.6 million RDP servers spread all over the world and publicly reachable over the Internet. Although it surfaced shortly after the disclosure of BlueKeep (CVE-2019-0708), the critical remote code execution vulnerability in Remote Desktop Services (RDS), GoldBrute does not exploit that vulnerability: it gains access by guessing weak or reused RDP credentials.
The complete attack flow is as follows:
The botnet brute-forces RDP logins and gains access to a Windows system that accepts weak credentials.
The compromised host downloads a large .zip file containing the GoldBrute code and the Java Runtime needed to run it, decompresses the archive, and executes an obfuscated .jar file that is disguised under a name such as "bitcoin.dll" or "svchost.exe".
The bot then scans the Internet for exposed RDP servers and reports the IP addresses it finds to the C2 server; once it has reported a batch of newly discovered hosts, the C2 sends back a list of targets to attack.
Each target arrives as a "host + username + password" triple. A given bot tries only one username/password pair per target host, and the same host receives other pairs from other bots, so no single source IP produces the run of failed logons that per-source lockout or alerting rules look for.
Finally, the bot attempts the assigned credentials and reports the result back to the C2 server.
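The one-credential-per-host distribution described above is what defeats the usual "N failures from one IP" rule. The following example is added here and is not GoldBrute code or anything from the original report; it runs two detections over a constructed, CSV-like export of Windows Security Event ID 4625 (failed logon) records. The field layout, the sample IP addresses and account names, and the thresholds are assumptions made for the example. LogonType 10 (RemoteInteractive) is used to select RDP logon attempts.

```python
"""
Added example (not GoldBrute code): comparing a per-source brute-force rule
with a per-target rule that catches a distributed, low-rate RDP password spray.

Input is a constructed CSV-like export of Windows Security events. Each line:
timestamp,event_id,logon_type,target_user,source_ip
Event ID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict

# Constructed sample data (assumed addresses and account names):
# - 12 distinct sources, one failed RDP logon each, all against "administrator"
# - one noisy source hammering "backup" six times
# - one local console failure (LogonType 2) that is not RDP at all
SAMPLE_LOG = """\
2019-06-06T10:00:01,4625,10,administrator,203.0.113.10
2019-06-06T10:00:07,4625,10,administrator,203.0.113.11
2019-06-06T10:00:12,4625,10,administrator,203.0.113.12
2019-06-06T10:00:20,4625,10,administrator,203.0.113.13
2019-06-06T10:00:25,4625,10,administrator,203.0.113.14
2019-06-06T10:00:33,4625,10,administrator,203.0.113.15
2019-06-06T10:00:40,4625,10,administrator,203.0.113.16
2019-06-06T10:00:48,4625,10,administrator,203.0.113.17
2019-06-06T10:00:55,4625,10,administrator,203.0.113.18
2019-06-06T10:01:02,4625,10,administrator,203.0.113.19
2019-06-06T10:01:09,4625,10,administrator,203.0.113.20
2019-06-06T10:01:17,4625,10,administrator,203.0.113.21
2019-06-06T10:01:30,4625,10,backup,198.51.100.7
2019-06-06T10:01:31,4625,10,backup,198.51.100.7
2019-06-06T10:01:32,4625,10,backup,198.51.100.7
2019-06-06T10:01:33,4625,10,backup,198.51.100.7
2019-06-06T10:01:34,4625,10,backup,198.51.100.7
2019-06-06T10:01:35,4625,10,backup,198.51.100.7
2019-06-06T10:02:00,4625,2,jsmith,-
"""


def parse_events(text):
    """Parse the CSV-like export into a list of dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, user, src = line.split(",")
        events.append({
            "ts": ts,
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user.lower(),
            "src": src,
        })
    return events


def rdp_failures(events):
    """Keep only failed logons that arrived over RDP (4625 with LogonType 10)."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]


def per_source_alerts(events, threshold=5):
    """Classic rule: alert on any source IP with >= threshold failed RDP logons.
    Returns the set of offending source IPs."""
    counts = defaultdict(int)
    for e in rdp_failures(events):
        counts[e["src"]] += 1
    return {src for src, n in counts.items() if n >= threshold}


def distributed_alerts(events, min_sources=10, max_per_source=2):
    """GoldBrute-style rule: alert when one target account is hit from at least
    min_sources distinct IPs that each stay at or below max_per_source attempts.
    Returns {target_user: number_of_quiet_sources}."""
    by_user = defaultdict(lambda: defaultdict(int))
    for e in rdp_failures(events):
        by_user[e["user"]][e["src"]] += 1
    alerts = {}
    for user, srcs in by_user.items():
        quiet_sources = [s for s, n in srcs.items() if n <= max_per_source]
        if len(quiet_sources) >= min_sources:
            alerts[user] = len(quiet_sources)
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per-source alerts:", per_source_alerts(evs))      # only the noisy IP
    print("distributed alerts:", distributed_alerts(evs))    # the spray on administrator
```

The per-source rule flags only the single noisy IP; the twelve sources that each tried "administrator" once never cross its threshold. Grouping by target account instead, and counting distinct sources that individually stay quiet, surfaces the spray. In practice the thresholds should be tuned to the environment, and the same grouping can be applied per destination host when logs from many RDP servers are centralized.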