Security researchers have discovered a new botnet that has been attacking Windows systems with Remote Desktop Protocol (RDP) exposed to the Internet.
Discovered by Renato Marinho of Morphus Labs, the botnet has been seen attacking 1,596,571 RDP endpoints, a number the researcher says will most likely rise in the coming days.
Named GoldBrute, the botnet works as follows:
- Botnet brute-forces and gains access to a Windows system via RDP.
- Downloads a ZIP file with the GoldBrute malware code.
- Scans the internet for new RDP endpoints that are not already part of the main GoldBrute list of RDP endpoints.
- After it finds 80 new RDP endpoints, it sends the list of IP addresses to its remote command-and-control server.
- Infected host receives a list of IP addresses to brute force. For each IP address, there is only one username and password the bot must try to authenticate with. Each GoldBrute bot gets a different username-and-password combination.
- Bot performs brute-force attack and reports result back to C&C server.
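The workflow above is what makes GoldBrute awkward to catch with the usual controls: each infected host makes a single login attempt against each target, so per-source thresholds (fail2ban-style blocking, "N failures from one IP") never trip, while the target still absorbs a steady stream of attempts from many different addresses. The detector below is an added example written for this page, not Morphus Labs' code or anything from the article. It runs over constructed Windows Security event summaries (Event ID 4625 is a failed logon, logon type 10 is RemoteInteractive, i.e. RDP); the comma-separated field layout, the IP addresses, the usernames and the thresholds are all assumptions chosen for illustration.

```python
"""Added example: spotting a distributed, one-attempt-per-source RDP brute force.

Input is a constructed, simplified export of Windows Security events:
    timestamp,event_id,logon_type,source_ip,account_name
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry. Eleven sources in 203.0.113.0/24 each
# try once (the GoldBrute shape); 198.51.100.5 hammers the host (classic shape);
# one non-RDP failure and one successful logon are noise the filter must drop.
SAMPLE_LOG = """\
2019-06-06T10:00:01,4625,10,203.0.113.10,administrator
2019-06-06T10:00:09,4625,10,203.0.113.21,admin
2019-06-06T10:00:15,4625,3,192.0.2.7,svc_backup
2019-06-06T10:00:22,4625,10,203.0.113.32,administrator
2019-06-06T10:00:30,4625,10,198.51.100.5,administrator
2019-06-06T10:00:31,4625,10,198.51.100.5,administrator
2019-06-06T10:00:32,4625,10,198.51.100.5,administrator
2019-06-06T10:00:33,4625,10,198.51.100.5,administrator
2019-06-06T10:00:34,4625,10,198.51.100.5,administrator
2019-06-06T10:00:35,4625,10,198.51.100.5,administrator
2019-06-06T10:00:41,4625,10,203.0.113.43,user
2019-06-06T10:00:52,4625,10,203.0.113.54,admin
2019-06-06T10:01:03,4625,10,203.0.113.65,administrator
2019-06-06T10:01:10,4624,10,10.0.0.8,jdoe
2019-06-06T10:01:14,4625,10,203.0.113.76,guest
2019-06-06T10:01:25,4625,10,203.0.113.87,administrator
2019-06-06T10:01:36,4625,10,203.0.113.98,admin
2019-06-06T10:01:47,4625,10,203.0.113.109,administrator
2019-06-06T10:01:58,4625,10,203.0.113.120,test
"""


def parse_log(text):
    """Parse the constructed CSV-style export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "user": user,
        })
    return events


def failed_rdp_logons(events):
    """Keep only failed logons that arrived over RDP (4625 with logon type 10)."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]


def classic_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Per-source rule: any IP with >= threshold RDP failures inside one window.

    This is the rule lockout/ban tools implement, and it is blind to a botnet
    that sends exactly one attempt from each infected host.
    """
    by_src = defaultdict(list)
    for e in failed_rdp_logons(events):
        by_src[e["src"]].append(e["time"])
    offenders = set()
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                offenders.add(src)
                break
    return offenders


def distributed_bruteforce(events, window=timedelta(minutes=5),
                           min_sources=10, single_ratio=0.8):
    """Host-centric rule for the GoldBrute shape.

    Fire when one window holds failed RDP logons from at least min_sources
    distinct IPs and at least single_ratio of those IPs made exactly one
    attempt. Returns the set of source IPs in the first matching window,
    or an empty set when nothing matches.
    """
    fails = sorted(failed_rdp_logons(events), key=lambda e: e["time"])
    for i, first in enumerate(fails):
        in_window = [e for e in fails[i:] if e["time"] - first["time"] <= window]
        per_src = Counter(e["src"] for e in in_window)
        if len(per_src) < min_sources:
            continue
        singles = sum(1 for n in per_src.values() if n == 1)
        if singles / len(per_src) >= single_ratio:
            return set(per_src)
    return set()


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-source offenders:", sorted(classic_bruteforce(evts)))
    print("distributed sources:", len(distributed_bruteforce(evts)))
```

Run against the sample, the per-source rule flags only 198.51.100.5; the eleven single-attempt hosts pass it untouched, which is the whole point of spreading the work across the botnet. The host-centric rule instead counts distinct sources per target and the share of them that never retry, so it fires on the GoldBrute pattern regardless of which IP each attempt came from. In production the same two aggregations belong in the SIEM keyed on the target host; the thresholds here are assumptions and should be tuned on the environment's own baseline of RDP failures.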