CybergON: GoldBrute, the cybercrime botnet that in June attacked 1.5 million RDP servers worldwide, is back. The malware is now even more dangerous thanks to support for new protocols that let it attack more kinds of machines, and it contains further features that are not yet operational.
Cybercrime is spreading a new, even more harmful version of GoldBrute. It was discovered by the cyber security researchers of CybergON, a business unit of Elmec Informatica. The experts identified an even more dangerous update of the malware released in June, the botnet that attacked 1.5 million RDP servers worldwide. The update to the malicious code shows some substantial differences from the first version, which make it potentially even more dangerous. In fact, protocols have been added that allow cyber attacks to be launched against more kinds of machines, and a database has been created, not yet operational, that could make the malware's activity even more persistent.
Cyber security experts: How malware infection works
According to cyber security experts, GoldBrute scans for and uses servers that expose the RDP (Remote Desktop Protocol) service with weak or stolen credentials. The list of machines surveyed and potentially controlled by the botnet numbered about 1.5 million in June 2019, but the number of "victims" has now exceeded 4 million. The malware exploits the BlueKeep vulnerability (CVE-2019-0708), which can affect a Windows operating system with RDP enabled and not updated. The cybercriminals, however, have hidden the malicious code behind a seemingly legitimate process, javaw.exe, which is downloaded to the compromised machine along with the Java Runtime, various DLLs and even a password-protected zip archive (password: XHr4jBYf5BV2Cd7zpzR9pEGn).
GoldBrute will probably be updated again. Some parts of the new code are not yet fully operational
CybergON also notes that the new version of GoldBrute contains some parts of code that are not yet fully operational:
- brute-force support for protocols other than RDP (SSH and Telnet);
- the use of a persistent SQL database to replace the volatile lists used to keep track of the execution status;
- different entry points that allow separate parts of the code to be executed independently of the malware itself.
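The brute-force behaviour described above, against RDP today and SSH/Telnet in the not-yet-active code, leaves a recognisable trace on the target: bursts of failed logons from one source, often across several usernames, sometimes followed by a success. The following detector is an added example written for this article, not CybergON's or any vendor's code. It assumes Windows Security events 4625/4624 with LogonType 10 (RDP) and OpenSSH `sshd` lines, both flattened to one constructed line per event; the source addresses, usernames, thresholds and timestamps are all made up. Telnet logs would be handled by adding a third parser that yields the same event shape.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (made up for this example, not from any real host).
# Windows Security events 4625 (failed logon) / 4624 (logon) with LogonType=10
# (RemoteInteractive, i.e. RDP), each flattened to one line.
WINDOWS_LINES = [
    "2019-09-02T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2019-09-02T10:00:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2019-09-02T10:00:04 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "2019-09-02T10:00:06 EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7",
    "2019-09-02T10:00:08 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "2019-09-02T10:00:09 EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    # a legitimate user mistyping once is not an attack
    "2019-09-02T10:30:00 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=198.51.100.20",
    "2019-09-02T10:31:00 EventID=4624 LogonType=10 TargetUserName=alice IpAddress=198.51.100.20",
]
# Constructed OpenSSH sshd lines in the same spirit.
SSH_LINES = [
    "2019-09-02T11:00:00 sshd[2201]: Failed password for root from 192.0.2.9 port 40001 ssh2",
    "2019-09-02T11:00:02 sshd[2202]: Failed password for root from 192.0.2.9 port 40002 ssh2",
    "2019-09-02T11:00:04 sshd[2203]: Failed password for root from 192.0.2.9 port 40003 ssh2",
    "2019-09-02T11:00:05 sshd[2204]: Failed password for root from 192.0.2.9 port 40004 ssh2",
    "2019-09-02T11:00:07 sshd[2205]: Failed password for root from 192.0.2.9 port 40005 ssh2",
    # a slow source: five failures ten minutes apart never reach the threshold inside one window
    "2019-09-02T12:00:00 sshd[2301]: Failed password for invalid user oracle from 198.51.100.44 port 50001 ssh2",
    "2019-09-02T12:10:00 sshd[2302]: Failed password for invalid user oracle from 198.51.100.44 port 50002 ssh2",
    "2019-09-02T12:20:00 sshd[2303]: Failed password for invalid user oracle from 198.51.100.44 port 50003 ssh2",
    "2019-09-02T12:30:00 sshd[2304]: Failed password for invalid user oracle from 198.51.100.44 port 50004 ssh2",
    "2019-09-02T12:40:00 sshd[2305]: Failed password for invalid user oracle from 198.51.100.44 port 50005 ssh2",
]

WIN_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_windows(line):
    """Turn one flattened Windows logon event into a common event dict (RDP only)."""
    m = WIN_RE.match(line)
    if not m:
        return None
    ts, event_id, logon_type, user, ip = m.groups()
    if logon_type != "10":  # only RemoteInteractive (RDP) logons matter here
        return None
    return {"ts": datetime.fromisoformat(ts), "proto": "rdp", "ip": ip,
            "user": user.lower(), "ok": event_id == "4624"}


def parse_ssh(line):
    """Turn one sshd password-auth line into the same common event dict."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    return {"ts": datetime.fromisoformat(ts), "proto": "ssh", "ip": ip,
            "user": user.lower(), "ok": outcome == "Accepted"}


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (protocol, source IP) pairs with >= threshold failures inside a sliding window.

    For each flagged source: total failures, distinct usernames tried (spraying vs.
    single-account guessing) and whether a success followed (credential likely found).
    """
    recent = defaultdict(deque)  # (proto, ip) -> deque of (ts, user) failures within window
    findings = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["proto"], e["ip"])
        if e["ok"]:
            if key in findings:  # a success after a flagged burst is the worst case
                findings[key]["success_after"] = True
            continue
        q = recent[key]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if key in findings:
            findings[key]["failures"] += 1
            findings[key]["users"].add(e["user"])
            findings[key]["last_seen"] = e["ts"]
        elif len(q) >= threshold:
            findings[key] = {"failures": len(q), "users": {u for _, u in q},
                             "first_seen": q[0][0], "last_seen": e["ts"], "success_after": False}
    for f in findings.values():
        f["distinct_users"] = len(f["users"])
        f["pattern"] = "password spraying" if f["distinct_users"] >= 3 else "single-account guessing"
    return findings


def run_detection(threshold=5, window=timedelta(minutes=5)):
    """Parse both constructed log sets and return the findings keyed by (protocol, ip)."""
    events = [ev for ev in map(parse_windows, WINDOWS_LINES) if ev]
    events += [ev for ev in map(parse_ssh, SSH_LINES) if ev]
    return detect_bruteforce(events, threshold, window)


if __name__ == "__main__":
    for (proto, ip), f in run_detection().items():
        print(f"{proto} {ip}: {f['failures']} failures, {f['distinct_users']} users, "
              f"{f['pattern']}, success after burst: {f['success_after']}")
```

With the sample data, the RDP source 203.0.113.7 is flagged as password spraying with a success following the burst, the SSH source 192.0.2.9 as single-account guessing, while the slow source and the mistyping user stay below the threshold. The window and threshold are deliberately parameters: a botnet that paces its guesses, as the slow sample does, needs a longer window or a per-username view rather than a per-source one.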
This, in all probability, means that the cybercrime actors behind the malware intend to exploit it again, updating it and adding further features. As a result, the cyber security community is on alert and has already begun to study the evolution of the malicious code, as well as the impact it could have.