A new botnet has been found searching the internet for poorly configured Remote Desktop Protocols (RDP). After the BlueKeep vulnerability was published, attackers have started searching for the RDP’s that can be exploited in an attempt to collect the information and sell it on the DarkNet. GoldBrute looks for the RDP’s and if it is capable of accessing it through a brute-force style attack, then it drops a malicious malware in the system that creates more bots to widen the search. After each individual bot has collected a total of 80 vulnerable system, it sends the information to its command and control server then continues on with its search. It is estimated that GoldBrute has already collected over 1.5 million IP addresses that are vulnerable. These systems will, most likely, be sold to the highest bidder on the DarkNet for one of any number of attacks. The IP address used for communication is located in New Jersey, but that is very likely to be a false IP address.
Analyst Notes
If a user has an RDP activated that is not in use then it should be shut off immediately. If the RDP is being used, then it should be run through a VPN to mask the proper IP address. It is also advisable that the password used for access is made complex with the use of case-sensitive and special characters.