A botnet is brute-forcing over 1.5 million RDP servers all over the world


Security researchers have discovered a new botnet that has been attacking Windows systems with a Remote Desktop Protocol (RDP) service exposed to the Internet.

Renato Marinho of Morphus Labs, who discovered the botnet, says it has been seen attacking 1,596,571 RDP endpoints, a number that will most likely rise in the coming days.

Named GoldBrute, the botnet works as follows:

  1. The botnet brute-forces and gains access to a Windows system via RDP.
  2. It downloads a ZIP file with the GoldBrute malware code.
  3. It scans the internet for new RDP endpoints that are not part of the main GoldBrute list of RDP endpoints.
  4. After it finds 80 new RDP endpoints, it sends the list of IP addresses to its remote command-and-control server.
  5. The infected host receives a list of IP addresses to brute-force. For each IP address, there is only one username and password the bot must try to authenticate with. Each GoldBrute bot gets a different username and password combo.
  6. The bot performs the brute-force attack and reports the result back to the C&C server.

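The design in steps 5 and 6 matters for defenders: because each bot tries only one credential per target, a per-source-IP lockout or failed-logon threshold never fires, and the attack only shows up when failed RDP logons are correlated across many sources against the same host. The following is an added example, not code from the article or from Morphus Labs; it runs a conventional per-IP rule and a distributed-source rule over constructed, simplified log lines (the `src=... type=10 result=FAIL` format and the thresholds are assumptions, not a real Windows event format).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not real Windows event text): ISO timestamp, source IP, username, logon type (10 = RDP), result.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=\S+ type=(?P<type>\d+) result=(?P<result>\w+)$")

def parse_failed_rdp(log_text):
    """Return (timestamp, source_ip) for every failed RDP logon, in time order."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["type"] == "10" and m["result"] == "FAIL":
            events.append((datetime.fromisoformat(m["ts"]), m["src"]))
    return sorted(events)

def detect(log_text, window_minutes=10, per_ip_threshold=5, distributed_threshold=20):
    """Classic per-source rule plus a rule for many sources that each fail only a few times."""
    events = parse_failed_rdp(log_text)
    fails_per_ip = defaultdict(int)
    for _, src in events:
        fails_per_ip[src] += 1
    per_ip_alerts = sorted(ip for ip, n in fails_per_ip.items() if n >= per_ip_threshold)
    window, in_window, distributed_alert = deque(), defaultdict(int), None
    for ts, src in events:
        window.append((ts, src))
        in_window[src] += 1
        while ts - window[0][0] > timedelta(minutes=window_minutes):  # expire old events
            old_ts, old_src = window.popleft()
            in_window[old_src] -= 1
            if in_window[old_src] == 0:
                del in_window[old_src]
        # sources that stay under the per-IP threshold but collectively hammer this host
        quiet = [ip for ip in in_window if fails_per_ip[ip] < per_ip_threshold]
        if distributed_alert is None and len(quiet) >= distributed_threshold:
            distributed_alert = {"window_end": ts.isoformat(), "distinct_sources": len(quiet)}
    return {"per_ip_alerts": per_ip_alerts, "distributed_alert": distributed_alert}

def build_sample_log():
    """Constructed sample: 30 bots with one attempt each, one noisy source, one unrelated logon."""
    base = datetime(2019, 6, 6, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} src=198.51.100.{i + 1} "
             f"user=user{i} type=10 result=FAIL" for i in range(30)]
    lines += [f"{(base + timedelta(seconds=3 * i)).isoformat()} src=203.0.113.10 "
              f"user=administrator type=10 result=FAIL" for i in range(6)]
    lines.append(f"{base.isoformat()} src=10.0.0.5 user=alice type=2 result=SUCCESS")
    return "\n".join(lines)

if __name__ == "__main__":
    print(detect(build_sample_log()))
```

On the sample, the per-IP rule catches only the single noisy source, while the 30 one-shot bots are caught solely by the distributed rule once 20 distinct quiet sources fall inside the window.
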
Source: ZDNet