GoldBrute is a brute-force campaign involving more than 1.6 million RDP servers spread all over the world and publicly accessible over the Internet. It exploits the BlueKeep vulnerability, a critical remote code execution vulnerability in Remote Desktop Services (RDS) tracked as CVE-2019-0708.
The complete attack flow is as follows:
- The botnet performs brute-force attacks against RDP connections, gaining access to an unprotected Windows system.
- It downloads a large .zip file containing the GoldBrute code and the Java Runtime needed to run the bot, decompresses it, and executes an obfuscated .jar file as "bitcoin.dll" or "svchost.exe".
- The bot then scans the Internet for reachable RDP servers and sends their IP addresses to the C2 server, which in turn sends back a list of IP addresses.
- The GoldBrute bot receives different "host + username + password" samples.
- Finally, the brute-force attack is performed and the result is reported to the C2 server.
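The attack flow above boils down to failed RDP logons arriving at a victim, either many from one bot or a few from each of many bots. The detector below is an added example written for this page, not code from the GoldBrute sample or from the original write-up. It parses a constructed text export of Windows Security event 4625 (failed logon) records, keeps only RemoteInteractive (logon type 10, i.e. RDP) failures, and raises two kinds of alert: a single source exceeding a failure threshold inside a time window, and a single target account being tried from several distinct sources inside the window, which is the pattern a distributed "host + username + password" campaign leaves even when every source makes only one attempt. The record layout, thresholds and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in a simplified
# "key=value" export of Windows Security events. LogonType 10 is
# RemoteInteractive (RDP); 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = """\
2019-06-06T10:00:01 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.10
2019-06-06T10:00:08 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.10
2019-06-06T10:00:15 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.10
2019-06-06T10:00:22 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.10
2019-06-06T10:00:30 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.10
2019-06-06T10:01:00 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.1
2019-06-06T10:01:20 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.2
2019-06-06T10:01:40 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.3
2019-06-06T10:02:00 EventID=4625 LogonType=3 TargetUser=backup SourceIP=198.51.100.4
2019-06-06T10:02:30 EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=192.0.2.7
"""

# Assumed record shape for this example; a real export would be parsed
# from EVTX/XML, but the aggregation logic is the same.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the text export into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = EVENT_RE.match(line) if line else None
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(events, window=timedelta(minutes=10),
                          per_source_threshold=5, per_target_sources=3):
    """Return alert tuples for RDP failed-logon patterns.

    ("noisy_source", src, n)        : one source with >= per_source_threshold
                                      RDP failures inside `window`
    ("distributed_target", user, n) : one account hit from >= per_target_sources
                                      distinct sources inside `window`
    """
    # Only failed RemoteInteractive logons are relevant to RDP brute force.
    failed = [e for e in events if e["eid"] == 4625 and e["ltype"] == 10]
    failed.sort(key=lambda e: e["ts"])
    alerts = []

    # Per-source sliding window over failure timestamps.
    by_src = defaultdict(list)
    for e in failed:
        by_src[e["src"]].append(e["ts"])
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= per_source_threshold:
                alerts.append(("noisy_source", src, end - start + 1))
                break

    # Per-target sliding window counting distinct sources, so that a
    # campaign making one attempt per bot still surfaces on the account.
    by_user = defaultdict(list)
    for e in failed:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            srcs = {x["src"] for x in evs[start:end + 1]}
            if len(srcs) >= per_target_sources:
                alerts.append(("distributed_target", user, len(srcs)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample the per-source rule fires for 203.0.113.10 (five failures against Administrator in under a minute), while the per-target rule fires for the account "admin", which was tried once each from three different addresses; the logon-type-3 failure and the successful 4624 logon are ignored. In production the thresholds belong in configuration and the window should be tuned to the site's normal failure rate, but the two-axis aggregation is what matters: a per-source-only rule misses the distributed case entirely.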
GoldBrute Botnet Signatures
Family: PUA:Win32/Presenoker
MD5: 1c740f1abdfbe97ff21b9a60b7570dc6
SHA256: 9eb55e277f233509860b46a693e5aef9dd24ccd01cbc1a1ba52cab46428be87b
GoldBrute Botnet Download
Decompiled source code of GoldBrute can be found here.