
GoldBrute

Posted: June 11, 2019

GoldBrute is a Trojan botnet that spreads itself to vulnerable Windows systems with RDP enabled by brute-forcing their login credentials. Although its payload emphasizes network-based self-proliferation, threat actors may reconfigure GoldBrute for collecting data, dropping other threats, or creating a backdoor channel between the targets and themselves. Users should let anti-malware services delete GoldBrute when it's appropriate and keep RDP off whenever it's not in immediate use.

A Trojan's Favorite Protocol

RDP, or Remote Desktop Protocol, is a feature that crops up frequently in Trojans' campaigns, such as the Ransomware-as-a-Service family of the Scarab Ransomware or specialized cash-collecting tools like ATMitch. More than ever, its careless use is responsible for the spread of new infections, including up to two and a half million targets for the GoldBrute botnet. While malware researchers have yet to analyze third-party threat deployment through this 'zombie' computer network, the Trojan arrives on the malware scene with a different approach to spreading.

Trojan botnets like GoldBrute usually create generalized backdoors for delivering other packages of threatening software, chosen either by the creator or by a third-party renter. These secondary Trojans may consist of spyware that collects passwords, worms, or file-locker Trojans like the previously-noted Scarab Ransomware. They emphasize compromising easy-opportunity targets and using mass numbers of infected PCs to create a concealed, decentralized network, which is an efficient means of launching DDoS attacks or mining cryptocurrencies.

What makes GoldBrute different from other botnets is how it spreads: it searches for PCs with RDP turned on and tries a randomized host, username and password combination against each. Brute-forcing access this way is not, by itself, rare, but GoldBrute only tries a single combination per target, instead of attempting to compromise it repeatedly until it succeeds or runs out of likely credentials. Malware experts don't see this technique in other botnets or worms and consider it an attempt to evade the cyber-security sector's threat-detection rule sets.
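As an added example (not from the original article or from any GoldBrute analysis), the following Python shows why a per-source failure threshold misses the one-attempt-per-bot pattern described above, and a detection that instead counts distinct source addresses failing RDP logons against one host. The log records, hostnames and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (Windows Event ID 4625, Logon Type 10 = RDP).
# Hosts, IPs and usernames are invented for this example, not indicators from any campaign.
SAMPLE_EVENTS = [
    # (timestamp, source_ip, target_host, username)
    ("2019-06-10T10:00:01", "198.51.100.11", "fileserver01", "administrator"),
    ("2019-06-10T10:00:07", "198.51.100.42", "fileserver01", "admin"),
    ("2019-06-10T10:00:19", "203.0.113.8",   "fileserver01", "backup"),
    ("2019-06-10T10:00:33", "203.0.113.77",  "fileserver01", "scanner"),
    ("2019-06-10T10:00:58", "192.0.2.200",   "fileserver01", "administrator"),
    ("2019-06-10T10:01:10", "192.0.2.19",    "fileserver01", "test"),
    # Benign noise: one user mistyping a password twice on another host.
    ("2019-06-10T10:02:00", "10.0.0.5",      "workstation07", "jsmith"),
    ("2019-06-10T10:02:05", "10.0.0.5",      "workstation07", "jsmith"),
]

def per_source_alerts(events, threshold=5):
    """Classic rule: flag a source IP with >= threshold failures against one host.
    One attempt per bot never reaches the threshold, so this stays silent."""
    counts = defaultdict(int)
    for _, src, host, _ in events:
        counts[(src, host)] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)

def distributed_alerts(events, window=timedelta(minutes=5), min_sources=5):
    """Flag a target host that receives failed RDP logons from >= min_sources
    distinct IPs within `window`, regardless of how few attempts each IP makes.
    Returns {host: peak number of distinct sources seen in any window}."""
    by_host = defaultdict(list)
    for ts, src, host, _ in events:
        by_host[host].append((datetime.fromisoformat(ts), src))
    alerts = {}
    for host, attempts in by_host.items():
        attempts.sort()
        peak = 0
        # Sliding window anchored at each attempt; count distinct sources inside it.
        for i, (start, _) in enumerate(attempts):
            in_window = {src for ts, src in attempts[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak >= min_sources:
            alerts[host] = peak
    return alerts

if __name__ == "__main__":
    print("per-source rule:", per_source_alerts(SAMPLE_EVENTS))    # [] (nothing fires)
    print("distributed rule:", distributed_alerts(SAMPLE_EVENTS))  # {'fileserver01': 6}
```

In practice the same aggregation applies to Event ID 4625 records with Logon Type 10 pulled from the Security log, keyed on the target host rather than the source address.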

Rubbing the Luster Off of GoldBrute's Botnet

A botnet's behavior is driven by commands from a Command & Control (C&C) server, which may or may not itself be decentralized. In GoldBrute's case, the C&C communication comes from a single server in New Jersey. Unless the authorities can disrupt this server contact, GoldBrute could receive instructions for downloading and installing other threats, passing information to criminals or creating a backdoor that gives criminals easy control over your PC.

While Remote Desktop Protocol is a feature with quality-of-life benefits to users requiring remote assistance, it's also a gateway for threats like GoldBrute. Always turn RDP back off once you're done using it and be cautious about enabling it for individuals who request it without confirming the action's safety – such as for scam artists pretending that they're Microsoft tech support. Anti-malware solutions may delete GoldBrute infections, but the damage done to your privacy in the meantime can be irreparable.

A single hacking attempt per target does little to weaken GoldBrute's potential distribution. Since each 'zombie' in its botnet can attack the same pool of RDP-enabled targets, users who forget to secure their computers are just asking for someone to walk into them.
