Security researchers have discovered an ongoing sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet.
Dubbed GoldBrute, the botnet scheme has been designed to grow gradually by adding every newly cracked system to its network, forcing each one to find further available RDP servers and then brute-force those in turn.
To fly under the radar of security tools and malware analysts, the attackers behind this campaign command each infected machine to target millions of servers with a unique username-and-password combination, so that any targeted server receives brute-force attempts from many different IP addresses and a per-source lockout or rate limit never trips.
The campaign, discovered by Renato Marinho at Morphus Labs, works as shown in the illustrated image, and its modus operandi has been explained in the following steps:
Step 1 — After successfully brute-forcing an RDP server, the attacker installs the Java-based GoldBrute botnet malware on the machine.
Step 2 — To control infected machines, the attackers use a fixed, centralized command-and-control server that exchanges commands and data over an AES-encrypted WebSocket connection.
Steps 3 and 4 — Each infected machine then receives its first task: scan for and report back a list of at least 80 publicly accessible new RDP servers that can be brute-forced.
Steps 5 and 6 — The attackers then assign each infected machine a unique username-and-password combination as its second task, forcing it to try that combination against the list of RDP targets the infected system continually receives from the C&C server.
Step 7 — On a successful attempt, the infected machine reports the working login credentials back to the C&C server.
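The distribution described in steps 5 and 6 is what makes the campaign hard to spot from a single victim's logs: each source IP makes only one or two guesses, so a per-source failed-logon threshold never fires. The following is an added detection example, not code from the article or from the researchers' analysis of GoldBrute. It assumes failed RDP logons are available as Windows Security Event ID 4625 records with logon type 10 (RemoteInteractive), reduced here to one constructed text line per event, and it contrasts the classic per-source rule with a rule that counts distinct sources per time window.

```python
"""Detecting the distributed RDP brute-force pattern in failed-logon events.

Added example, not code from the GoldBrute write-up. Assumes Event ID 4625,
logon type 10 records, flattened to constructed one-line text records.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, time, timedelta

# Constructed line format (assumption): "<iso-timestamp> 4625 LogonType=<n> Src=<ip> User=<name>"
EVENT_RE = re.compile(r"^(\S+) 4625 LogonType=(\d+) Src=(\S+) User=(\S+)$")


def build_sample_log():
    """Constructed sample log lines (not real data): 25 distinct external
    sources, one failed RDP logon each, inside ten minutes, plus one internal
    host that mistypes its own password twice."""
    base = datetime(2019, 6, 6, 10, 0, 0)
    users = ["administrator", "admin", "user", "test", "backup"]
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 4625 LogonType=10 Src=198.51.100.{i + 1} "
                     f"User={users[i % len(users)]}")
    for sec in (30, 95):
        ts = (base + timedelta(seconds=sec)).isoformat()
        lines.append(f"{ts} 4625 LogonType=10 Src=10.0.0.5 User=jdoe")
    return lines


def parse_events(lines):
    """Return (timestamp, source_ip, username) for each failed RDP logon;
    other logon types and unparseable lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m and m.group(2) == "10":
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)))
    return events


def per_source_alerts(events, threshold=10):
    """The classic rule: alert when a single source IP fails `threshold`
    times. Against one guess per bot it never fires."""
    counts = Counter(src for _, src, _ in events)
    return {src: n for src, n in counts.items() if n >= threshold}


def detect_distributed_bruteforce(events, window_seconds=600,
                                  min_sources=20, max_per_source=3):
    """Alert when many distinct source IPs fail against this host inside one
    fixed time window. `low_and_slow` marks windows in which no single source
    exceeded `max_per_source` attempts, exactly the shape a per-source rule misses."""
    buckets = defaultdict(Counter)
    for ts, src, _ in events:
        secs = ts.hour * 3600 + ts.minute * 60 + ts.second
        start = datetime.combine(ts.date(), time()) + timedelta(
            seconds=secs - secs % window_seconds)
        buckets[start][src] += 1
    alerts = []
    for start in sorted(buckets):
        counts = buckets[start]
        if len(counts) >= min_sources:
            alerts.append({
                "window_start": start,
                "distinct_sources": len(counts),
                "attempts": sum(counts.values()),
                "max_per_source": max(counts.values()),
                "low_and_slow": max(counts.values()) <= max_per_source,
            })
    return alerts


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("per-source rule:", per_source_alerts(evs))
    for alert in detect_distributed_bruteforce(evs):
        print("distributed brute force:", alert)
```

On the constructed sample the per-source rule returns nothing, while the window rule reports one ten-minute window with 26 distinct sources and 27 attempts, none from a source that tried more than twice. The thresholds are assumptions to tune per environment; the useful signal is the number of distinct sources rather than the attempts from any one of them.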
At this moment, it is unclear exactly how many RDP servers have already been compromised and are participating in the brute-force attacks against other RDP servers on the Internet.
At the time of writing, a quick Shodan search shows that around 2.4 million Windows RDP servers can be accessed on the Internet, and probably more than half of them are receiving brute force attempts.
Remote Desktop Protocol (RDP) made headlines recently for two new security vulnerabilities—one was patched by Microsoft, and the other still remains unpatched.
Dubbed BlueKeep, the patched vulnerability (CVE-2019-0708) is a wormable flaw that could allow remote attackers to take control of RDP servers; if successfully exploited, it could cause havoc around the world, potentially far worse than the wormable WannaCry and NotPetya attacks of 2017.
The unpatched vulnerability resides in Windows and could allow client-side attackers to bypass the lock screen on Remote Desktop (RD) sessions.
Inside GoldBrute code
In the following code snippet from the “Console.java” file, we can see the hardcoded C2 address, some timeout parameters, and the GoldBrute initialization.
In the next snippet, from “Config.java”, we have many additional parameters, including the AES encryption parameters for C2 traffic and a hardcoded initial IP range to brute-force.
Most of those initial parameters may be changed by C2. The snippet from “ConfigPackage.java” below shows how a “config” packet is identified and treated by the bot to update configurations like TEST_SERVER addresses.
Analyzing the GoldBrute code and understanding its parameters and thresholds, it was possible to manipulate the code to make it save all “host + username + password” combinations on our lab machine.
After 6 hours, we received 2.1 million IP addresses from the C2 server, of which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase.
With the help of an ELK stack, it was easy to geolocate and plot all the addresses in a global world map, as shown below.
104[.]248[.]167[.]144 (Zip download)
104[.]156[.]249[.]231:8333 (C2 server)