GoldBrute

What is GoldBrute?

GoldBrute is a botnet infection that turns multiple computer systems into tame zombies. The infection itself has no purpose other than to spread, but there are many things the developers might make an obedient zombie do. Therefore, it is vital to run regular system scans with a security tool of your choice if you want to remove GoldBrute immediately, before this infection causes any great damage.

While you are at it, you should also look for other potentially dangerous programs that might be running on your system. Malware usually travels in packs, and so GoldBrute could be just one of the many intruders on-board.

Where does GoldBrute come from?

Research suggests that there is only one command and control server (C2) controlling this botnet. Every infected system, or bot, is connected to this server, and they exchange information via encrypted WebSocket connections. These connections are encrypted with the AES encryption algorithm, so the communication cannot be read in the clear.

It might be hard to pinpoint exactly who first spread the infection, but we know how GoldBrute spreads around. It uses the Remote Desktop Protocol (RDP) to reach target systems. RDP tends to have certain vulnerabilities that are often patched quite quickly. However, if RDP servers are exposed to the internet, these vulnerable servers can be found by the likes of GoldBrute.

Just as its name suggests, this botnet uses brute force to guess passwords and enter vulnerable servers. So if a server is protected by a weak or reused password, there is a chance that it could be broken into by GoldBrute. Some reports say that this botnet has been scanning around 1.5 million exposed RDP servers on the Internet, while other accounts raise the number to 2.4 million. Whichever it might be, it is clear that the infection rate is only growing.

What does GoldBrute do?

When a system gets infected with this botnet, it first downloads the bot code. This infection is written in Java, and so the code that the infected system downloads contains the Java Runtime, and the overall file size is considerable (80MB). When the bot settles, it starts looking for other IP addresses so that it can locate more exposed RDP servers and spread further.

In practice, each new bot is assigned a list of usernames and passwords to try, and so the bigger the entire botnet becomes, the more servers it can break into. Also, this infection is not limited to one particular country or region; it has been detected all over the world.
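Because the guessing described above is spread across many bots, each source address may only produce a handful of failed RDP logons against a given server, so a per-source threshold alone can miss it. The following is an added example, not code from the original article: it parses constructed log lines modelled loosely on Windows Security event 4625 (failed logon, LogonType 10 for RDP) and raises an alert both for a single source exceeding a failure threshold and for an account targeted from several distinct sources within a time window. The log format, field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry), loosely modelled on Windows Security event 4625 fields; LogonType 10 = RDP.
SAMPLE_LOG = """\
2019-06-10T14:00:01 4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2019-06-10T14:00:03 4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2019-06-10T14:00:05 4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2019-06-10T14:00:09 4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2019-06-10T14:01:00 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.10
2019-06-10T14:01:20 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.11
2019-06-10T14:01:40 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.12
2019-06-10T14:30:00 4625 LogonType=2 TargetUserName=alice IpAddress=192.0.2.5
"""

def parse_failed_rdp_logons(text):
    """Return time-sorted (timestamp, user, source_ip) tuples for failed RDP logons."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[2:]) if len(parts) > 4 else {}
        if parts[1:2] == ["4625"] and fields.get("LogonType") == "10":  # RDP only
            events.append((datetime.fromisoformat(parts[0]), fields["TargetUserName"], fields["IpAddress"]))
    return sorted(events)

def _peak_in_window(entries, window, measure):
    # Largest measure(slice) over any sliding time window of the time-sorted entries.
    peak = start = 0
    for end in range(len(entries)):
        while entries[end][0] - entries[start][0] > window:
            start += 1
        peak = max(peak, measure(entries[start:end + 1]))
    return peak

def find_rdp_brute_force(events, window=timedelta(minutes=5), per_source=4, per_account_sources=3):
    """Alert on a source IP with >= per_source failures in a window (classic brute force) and on
    an account hit from >= per_account_sources distinct IPs in a window (the distributed pattern)."""
    alerts, by_source, by_account = [], defaultdict(list), defaultdict(list)
    for ts, user, ip in events:
        by_source[ip].append((ts,))
        by_account[user].append((ts, ip))
    for ip, entries in by_source.items():
        n = _peak_in_window(entries, window, len)
        if n >= per_source:
            alerts.append(("source", ip, n))
    for user, entries in by_account.items():
        n = _peak_in_window(entries, window, lambda s: len({src for _, src in s}))
        if n >= per_account_sources:
            alerts.append(("account", user, n))
    return alerts
```

On the sample above, the first rule fires for 198.51.100.7 (four failures in eight seconds) and the second for the backup account (three distinct sources in under a minute), while the non-RDP logon failure for alice is ignored.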

So far, most of the analyses of this infection have focused on its distribution tactics. It is still hard to say what exactly the GoldBrute botnet could be used for, but we can always remember that botnets are vital in DDoS (distributed denial of service) attacks, and they can also send spam and allow the C2 to access the infected device. To put it simply, not only does GoldBrute turn your system into a zombie, but it can also cause substantial damage in the long run.

How do I remove GoldBrute?

When this infection is run on the target system, it downloads the bitcoin.dll file onto the compromised PC. Although there is no exact location for this file, it is very likely to be located in the %TEMP% folder. If you cannot find the malicious file there, do a thorough system search until you find it, so that you can delete it.

On the other hand, if you do not want to deal with GoldBrute removal manually, you can always remove this infection with a licensed security tool. In fact, we would always recommend automated malware removal because it is faster and more efficient. What's more, with a full system scan, you can locate all the potential threats immediately. As mentioned, GoldBrute is probably just one of the many threats currently installed on your system, so you will do yourself a favor if you remove them all at once.

To avoid this botnet, you should disable RDP if you are not using it. If you are in doubt, consult a professional who can tell you more about the issue. And don't forget to invest in cybersecurity, because you can never know when another threat might enter your system.

Manual GoldBrute Removal

  1. Press Win+R and type %TEMP%. Click OK.
  2. If present, remove the bitcoin.dll file.
  3. Search for the file in the rest of your system.
  4. If present, remove the file.
  5. Scan your system with SpyHunter.