GoldBrute Botnet Brute-Force Attacking RDP Servers

A new piece of malware is targeting Windows servers with the remote desktop protocol (RDP) exposed to the Internet with the intent to ensnare them into a massive botnet, SANS ISC warns.

The RDP protocol has long been abused by malicious actors to compromise servers and gain persistence in organizations’ environments.

The recently addressed critical remote code execution vulnerability (CVE-2019-0708) in Windows Remote Desktop Services (RDS) also brought the protocol into the spotlight, especially with one million devices vulnerable and both Microsoft and the NSA urging users to patch their systems immediately.

Dubbed GoldBrute, the recently observed botnet activity attempts to compromise exposed RDP servers using brute-force attacks, SANS ISC contributor and Morphus Labs security researcher Renato Marinho explains.

Although there seem to be around 2.4 million exposed RDP servers on the Internet, the botnet is only targeting a list of around 1.5 million of them. According to the security researcher, however, the malware’s operators are expanding the list on the go.

GoldBrute, Marinho says, is controlled by a single command and control (C&C) server that communicates with the bots via AES encrypted WebSocket connections to port 8333.

After the initial infection, new victim machines download the bot code, an 80 Mbytes payload that includes the complete Java Runtime.

“The bot itself is implemented in a Java class called GoldBrute,” the researcher says.

The bots are then instructed to scan random IP addresses to discover more exposed RDP servers and the IPs are reported back to the C&C server.

After reporting 80 new victims, the bot is instructed to brute force a set of targets. Each bot attempts to connect to the target using one particular username and password combination only.

“This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses,” Marinho notes.

During the brute-force phase, the bot continually receives the host, username and password combinations that it is supposed to try, until the attackers have access to all valid combinations.
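The one-attempt-per-address pattern described above defeats lockout rules keyed on the source IP. As an added illustration that is not part of the SANS ISC write-up, the following Python runs two checks over constructed failed-logon records modelled on the fields a Windows Security event 4625 carries: the per-source count a lockout threshold would see, and the number of distinct sources hitting one host within a window, which is the aggregation that surfaces this kind of distributed brute force.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (not real telemetry), one line per
# event with the fields a Windows Security event 4625 carries: time, target
# host, target account, source IP. Every source IP against RDP-01 appears only
# once, matching the one-attempt-per-address behaviour described in the article.
SAMPLE_LOG = """\
2019-06-06T10:00:01 host=RDP-01 user=administrator src=198.51.100.10
2019-06-06T10:00:07 host=RDP-01 user=administrator src=203.0.113.22
2019-06-06T10:00:12 host=RDP-01 user=backup src=192.0.2.77
2019-06-06T10:00:19 host=RDP-01 user=administrator src=198.51.100.44
2019-06-06T10:00:25 host=RDP-01 user=sqlsvc src=203.0.113.9
2019-06-06T10:00:33 host=RDP-01 user=administrator src=192.0.2.130
2019-06-06T10:01:02 host=FILE-02 user=jsmith src=10.0.0.5
2019-06-06T10:01:40 host=FILE-02 user=jsmith src=10.0.0.5
"""

def parse(text):
    """Turn the key=value lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def per_source_max(records):
    """Highest failure count from any single source IP: what a per-IP lockout sees."""
    counts = defaultdict(int)
    for r in records:
        counts[r["src"]] += 1
    return max(counts.values())

def distributed_targets(records, window=timedelta(minutes=5), min_sources=5):
    """Hosts that received failed logons from >= min_sources distinct IPs inside window."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    flagged = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            srcs = {r["src"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(srcs) >= min_sources:
                flagged[host] = len(srcs)  # distinct sources in the first window that trips
                break
    return flagged

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("max failures from one source:", per_source_max(recs))
    print("hosts under distributed brute force:", distributed_targets(recs))
```

On the sample, no single source exceeds two failures, so an IP-keyed threshold stays quiet, while the per-host view flags RDP-01 with six distinct sources in about half a minute.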

The C&C server was observed serving 2.1 million IP addresses to a bot over a 6-hour period. Of those, 1,596,571 are unique IP addresses scattered all around the world, the security researcher says.

Related: RDP Servers Can Hack Client Devices: Researchers

Related: Wormable Windows RDS Vulnerability Poses Serious Risk to ICS

Related: Hackers Can Bypass Windows Lockscreen on Remote Desktop Sessions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.