
Rewterz Threat Alert – GoldBrute Botnet Brute Forcing 1.5 Million RDP Servers

June 10, 2019

Severity

Medium

Analysis Summary

A botnet named GoldBrute is currently attempting to brute-force credentials on Internet-accessible RDP servers. The number of servers it is targeting is reportedly around 1.5 million. If a server is successfully compromised, it downloads and installs the botnet code. The botnet is written in Java, and the required Java runtime is bundled with the download. The infected server communicates with the C&C server over an AES-encrypted websocket on port 8333 and then scans random IP addresses to locate further systems with exposed RDP services. A notable feature of the botnet is the way it distributes brute-force work: each bot tries only one username/password combination per target system.

Impact

Credential theft

Indicators of Compromise

IP(s) / Hostname(s)

  • 104[.]248[.]167[.]144
  • 104[.]156[.]249[.]231

Malware Hash (MD5/SHA1/SHA256)

  • af07d75d81c36d8e1ef2e1373b3a975b9791f0cca231b623de0b2acd869f264e

Remediation

  • Enforce strong passwords on accounts permitted to log on over RDP.
  • Ensure RDP is not exposed directly to the internet.
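The following Python script is an added example, not Rewterz tooling, showing how the two indicators above and the behaviour in the analysis summary translate into detection logic. It refangs the listed C&C addresses, flags outbound connections to them or to port 8333, and looks for the distinctive GoldBrute pattern of many distinct sources each failing exactly one RDP logon against the same host (which a per-source lockout threshold would never catch). The log format, host names and sample addresses are constructed for the example; in practice the same logic would run over Windows Security event 4625 records and firewall or NetFlow exports.

```python
"""Detection helpers for the GoldBrute activity described in the advisory.

Added example, not Rewterz tooling. The log format below is a constructed,
simplified one (one event per line); a real deployment would read Windows
Security event 4625 (failed logon) and firewall or NetFlow records instead.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Indicators from the advisory, written defanged as they appear on the page.
IOC_IPS_DEFANGED = ["104[.]248[.]167[.]144", "104[.]156[.]249[.]231"]
C2_PORT = 8333  # encrypted websocket C&C port named in the advisory


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into a dotted quad."""
    return ip.replace("[.]", ".")


IOC_IPS: Set[str] = {refang(ip) for ip in IOC_IPS_DEFANGED}


class Event(NamedTuple):
    kind: str    # "LOGON_FAIL" or "NETCONN"
    src: str
    dst: str
    user: str    # only meaningful for LOGON_FAIL
    dport: int   # only meaningful for NETCONN


# Constructed sample log (hypothetical format: event type, then key=value pairs).
# rdp-host-1 sees five sources with one failure each (GoldBrute-style);
# rdp-host-2 sees one source failing three times (ordinary lockout territory).
SAMPLE_LOG = """\
LOGON_FAIL src=198.51.100.11 dst=rdp-host-1 user=administrator
LOGON_FAIL src=198.51.100.12 dst=rdp-host-1 user=admin
LOGON_FAIL src=198.51.100.13 dst=rdp-host-1 user=backup
LOGON_FAIL src=198.51.100.14 dst=rdp-host-1 user=administrator
LOGON_FAIL src=198.51.100.15 dst=rdp-host-1 user=scanner
LOGON_FAIL src=192.0.2.7 dst=rdp-host-2 user=jdoe
LOGON_FAIL src=192.0.2.7 dst=rdp-host-2 user=jdoe
LOGON_FAIL src=192.0.2.7 dst=rdp-host-2 user=jdoe
NETCONN src=10.0.0.4 dst=104.248.167.144 dport=8333
NETCONN src=10.0.0.5 dst=203.0.113.9 dport=8333
NETCONN src=10.0.0.6 dst=203.0.113.10 dport=443
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> List[Event]:
    """Parse the constructed one-event-per-line format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, rest = line.partition(" ")
        kv = dict(_KV.findall(rest))
        events.append(Event(kind, kv.get("src", ""), kv.get("dst", ""),
                            kv.get("user", ""), int(kv.get("dport", 0))))
    return events


def detect_distributed_rdp_bruteforce(events: List[Event], min_sources: int = 5) -> Dict[str, List[str]]:
    """Return targets hit by at least min_sources distinct sources that each failed exactly once.

    GoldBrute's distinctive trait per the advisory is that every bot tries only
    one username/password per target, so a per-source threshold never trips.
    The signal is therefore a target with many single-attempt sources.
    """
    attempts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.kind == "LOGON_FAIL":
            attempts[e.dst][e.src] += 1
    flagged = {}
    for target, by_src in attempts.items():
        single = [s for s, n in by_src.items() if n == 1]
        if len(single) >= min_sources:
            flagged[target] = sorted(single)
    return flagged


def detect_c2_connections(events: List[Event]):
    """Flag outbound connections to the advisory's IoC IPs or to TCP/8333."""
    hits = []
    for e in events:
        if e.kind != "NETCONN":
            continue
        if e.dst in IOC_IPS:
            hits.append((e.src, e.dst, "known GoldBrute C&C address"))
        elif e.dport == C2_PORT:
            hits.append((e.src, e.dst, "outbound to C&C port 8333"))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for target, srcs in detect_distributed_rdp_bruteforce(evs).items():
        print(f"possible distributed RDP brute force against {target}: "
              f"{len(srcs)} single-attempt sources")
    for src, dst, why in detect_c2_connections(evs):
        print(f"{src} -> {dst}: {why}")
```

The port-8333 rule is deliberately separate from the IP match: the two addresses in the advisory will rotate, while the C&C port is a property of the bot code, so a port-based hit on an unknown destination is worth a look even after the listed IPs go stale.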