GoldBrute is a brute-force campaign involving more than 1.6 million RDP servers around the world that are publicly accessible via the Internet. It exploits the BlueKeep vulnerability, a critical remote code execution vulnerability in Remote Desktop Services (RDS) identified by CVE-2019-0708.
The complete attack flow is as follows:
- The botnet performs brute-force attacks on RDP connections, gaining access to an unprotected Windows system.
- It downloads a large .zip file containing the GoldBrute code and the Java Runtime needed to run the bot, decompresses it, and executes an obfuscated .jar file as "bitcoin.dll" or "svchost.exe".
- The bot then scans the Internet for vulnerable RDP servers and sends their IP addresses to the C2 server, which in turn sends back a list of IP addresses.
- The GoldBrute bot receives different "host + username + password" combinations to try.
- Finally, the brute-force attack is performed and the result is reported to the C2 server.
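The attack flow above is visible on the defender's side as failed RDP logons. The following detector is an added example, not code from the original page or from the GoldBrute analysis: it reads Windows Security Event ID 4625 (failed logon) records with Logon Type 10 (RemoteInteractive, i.e. RDP), assumed to be exported as one JSON object per line, and raises two kinds of alert. A per-source threshold catches a single host hammering one server; a per-target count of distinct source addresses catches the distributed pattern in which each bot contributes only a few "host + username + password" attempts, so no single source crosses the per-source threshold. The log lines, thresholds and field names are constructed for illustration.

```python
"""Detect RDP credential brute-forcing from Windows Security events.

Added example (not from the original page). Assumes Event ID 4625 records
with LogonType 10 exported as JSON lines with the fields below; the sample
events are constructed, not captured from a real system.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a noisy single source (198.51.100.7), a distributed
# attack on the "backup" account from four sources, two benign typos from
# 192.0.2.5, one console logon (LogonType 2) and one success (4624).
SAMPLE_LOG = """
{"EventID": 4625, "TimeCreated": "2019-06-06T10:00:01", "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:00:03", "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:00:05", "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:00:08", "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:00:11", "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:00:14", "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:01:00", "TargetUserName": "backup", "IpAddress": "203.0.113.10", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:02:00", "TargetUserName": "alice", "IpAddress": "192.0.2.5", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:02:20", "TargetUserName": "alice", "IpAddress": "192.0.2.5", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:02:40", "TargetUserName": "alice", "IpAddress": "192.0.2.5", "LogonType": 2}
{"EventID": 4624, "TimeCreated": "2019-06-06T10:03:00", "TargetUserName": "alice", "IpAddress": "192.0.2.5", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:03:30", "TargetUserName": "backup", "IpAddress": "203.0.113.11", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:06:00", "TargetUserName": "Backup", "IpAddress": "203.0.113.12", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2019-06-06T10:08:45", "TargetUserName": "backup", "IpAddress": "203.0.113.13", "LogonType": 10}
"""

WINDOW = timedelta(minutes=10)   # assumed tuning values, not from the page
PER_SOURCE_THRESHOLD = 5         # failures from one IP inside WINDOW
PER_TARGET_SOURCES = 4           # distinct IPs failing on one account inside WINDOW


def parse_events(text):
    """Keep only failed RDP logons (4625 / LogonType 10), sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("EventID") != 4625 or rec.get("LogonType") != 10:
            continue
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda r: r["TimeCreated"])


def max_in_window(times, window):
    """Largest number of (sorted) timestamps inside any span of `window`."""
    best = j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def max_distinct_sources(items, window):
    """Largest number of distinct IPs among (time, ip) pairs in any window."""
    best = 0
    for i, (start, _) in enumerate(items):
        ips = {ip for t, ip in items[i:] if t - start <= window}
        best = max(best, len(ips))
    return best


def detect(events, window=WINDOW, per_source=PER_SOURCE_THRESHOLD,
           per_target=PER_TARGET_SOURCES):
    """Return (noisy_sources, distributed_targets) as {key: count} dicts."""
    by_source = defaultdict(list)          # ip -> [time, ...]
    by_target = defaultdict(list)          # account -> [(time, ip), ...]
    for e in events:                       # events are time-ordered
        by_source[e["IpAddress"]].append(e["TimeCreated"])
        by_target[e["TargetUserName"].lower()].append((e["TimeCreated"], e["IpAddress"]))

    noisy = {ip: n for ip, times in by_source.items()
             if (n := max_in_window(times, window)) >= per_source}
    distributed = {user: n for user, items in by_target.items()
                   if (n := max_distinct_sources(items, window)) >= per_target}
    return noisy, distributed


if __name__ == "__main__":
    noisy, distributed = detect(parse_events(SAMPLE_LOG))
    for ip, n in noisy.items():
        print(f"brute force from {ip}: {n} failed RDP logons in {WINDOW}")
    for user, n in distributed.items():
        print(f"distributed brute force on '{user}': {n} distinct sources in {WINDOW}")
```

Run against the constructed sample, the per-source rule flags only 198.51.100.7, while the four one-shot sources against "backup" stay below it and are caught only by the per-target rule; the two failures from 192.0.2.5 trip neither. Account names are compared case-insensitively because Windows treats them that way, and non-RDP logon types and successful logons are dropped before counting.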
GoldBrute Botnet Signatures
GoldBrute Botnet Download
Decompiled source code of GoldBrute can be found here