A new piece of malware is targeting Windows servers with the remote desktop protocol (RDP) exposed to the Internet with the intent to ensnare them into a massive botnet, SANS ISC warns.
The RDP protocol has long been abused by malicious actors to compromise servers and gain persistence in organizations’ environments.
The recently addressed critical remote code execution vulnerability (CVE-2019-0708) in Windows Remote Desktop Services (RDS) also brought the protocol into the spotlight, especially with one million devices vulnerable and both Microsoft and the NSA urging users to patch their systems immediately.
Dubbed GoldBrute, the recently observed botnet activity attempts to compromise exposed RDP servers using brute-force attacks, SANS ISC contributor and Morphus Labs security researcher Renato Marinho explains.
Although there seem to be around 2.4 million exposed RDP servers on the Internet, the botnet is only targeting a list of around 1.5 million of them. According to the security researcher, however, the malware’s operators are expanding the list on the go.
GoldBrute, Marinho says, is controlled by a single command and control (C&C) server that communicates with the bots via AES-encrypted WebSocket connections to port 8333.
After the initial infection, new victim machines download the bot code, an 80 MB payload that includes the complete Java Runtime.
“The bot itself is implemented in a Java class called GoldBrute,” the researcher says.
The bots are then instructed to scan random IP addresses to discover more exposed RDP servers and the IPs are reported back to the C&C server.
After reporting 80 new victims, the bot is instructed to brute-force a set of targets. Each bot attempts to connect to the target using one particular username and password combination only.
“This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses,” Marinho notes.
During the brute-force phase, the bot continually receives the host + username + password combinations that it is supposed to target, until the attackers have access to all valid combinations.
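The one-attempt-per-bot pattern described above defeats the usual "N failures from one source IP" rule, because no single address ever crosses the threshold. The following added example (not code from the article, SANS ISC or Morphus Labs) shows a defender's alternative: aggregate failed RDP logons per target host across distinct source addresses in a sliding window. It relies on two real Windows facts, Security Event ID 4625 (logon failure) and logon type 10 (RemoteInteractive, i.e. RDP); the key=value log format, host names, addresses and timestamps are constructed for illustration.

```python
"""Detecting GoldBrute-style distributed RDP brute forcing.

Each bot tries a single credential pair against a host from its own IP, so a
per-source threshold never fires. Instead we count distinct source IPs that
produced failed RDP logons against the same host inside a time window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real telemetry). rdp-01 sees one failed
# RDP logon per source address, the pattern the article attributes to
# GoldBrute; rdp-02 sees a benign burst of typos from one user and one IP.
SAMPLE_LOG = """\
2019-06-06T10:00:01Z host=rdp-01 src=203.0.113.10 user=administrator event=4625 logon_type=10
2019-06-06T10:01:12Z host=rdp-01 src=198.51.100.7 user=admin event=4625 logon_type=10
2019-06-06T10:02:45Z host=rdp-01 src=192.0.2.33 user=backup event=4625 logon_type=10
2019-06-06T10:04:09Z host=rdp-01 src=203.0.113.77 user=sqlsvc event=4625 logon_type=10
2019-06-06T10:05:30Z host=rdp-01 src=198.51.100.200 user=test event=4625 logon_type=10
2019-06-06T10:06:58Z host=rdp-01 src=192.0.2.9 user=guest event=4625 logon_type=10
2019-06-06T10:03:00Z host=rdp-02 src=10.20.30.40 user=jsmith event=4625 logon_type=10
2019-06-06T10:03:05Z host=rdp-02 src=10.20.30.40 user=jsmith event=4625 logon_type=10
2019-06-06T10:03:11Z host=rdp-02 src=10.20.30.40 user=jsmith event=4625 logon_type=10
2019-06-06T10:07:00Z host=rdp-01 src=10.20.30.41 user=svc_monitor event=4625 logon_type=3
"""


def parse_log(text):
    """Parse the constructed 'timestamp key=value ...' format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["event"] = int(rec["event"])
        rec["logon_type"] = int(rec["logon_type"])
        events.append(rec)
    return events


def rdp_failures(events):
    """Keep only failed logons (4625) over RDP (logon type 10)."""
    return [e for e in events if e["event"] == 4625 and e["logon_type"] == 10]


def per_source_alerts(events, threshold=5):
    """Classic rule: N failures from one source IP. Returns {(host, src)}."""
    counts = defaultdict(int)
    for e in rdp_failures(events):
        counts[(e["host"], e["src"])] += 1
    return {key for key, n in counts.items() if n >= threshold}


def distributed_alerts(events, window=timedelta(minutes=10), min_sources=5):
    """Sliding window per host: alert when failed RDP logons arrive from at
    least min_sources distinct IPs within the window. Returns {host: ips}."""
    by_host = defaultdict(list)
    for e in rdp_failures(events):
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            sources = {r["src"] for r in recent}
            # Remember the widest set of sources seen in any single window.
            if len(sources) >= min_sources and len(sources) > len(alerts.get(host, ())):
                alerts[host] = sources
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source rule:", per_source_alerts(evs))      # -> set()
    for host, ips in distributed_alerts(evs).items():
        print(f"distributed brute force against {host}: {len(ips)} sources")
```

Against the sample data the per-source rule stays silent (the only repeated source is the benign user on rdp-02 with three failures), while the distributed rule flags rdp-01 with six distinct sources in under ten minutes. The window and source threshold are tuning knobs; on a busy jump host they should be set from observed baselines rather than the constants used here.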
The C&C server was observed serving 2.1 million IP addresses to a bot over a six-hour period. Of those, 1,596,571 are unique IP addresses scattered all around the world, the security researcher says.