Security researchers report that a botnet of thousands of infected computers is being used by cybercriminals to locate point-of-sale (POS) terminals that are reachable over the Remote Desktop Protocol (RDP) and protected by credentials weak enough to be cracked by brute force.

Earlier today, security company IntelCrawler published a report showing that the crooks use compromised computers to scan specific IP ranges for POS software that can be reached through RDP.

FireEye also published an analysis with more detail on the botnet, which it named BrutPOS: it comprises 5,622 infected machines in 119 countries, and the report describes how the threat actors operate it.

How the malware is distributed is not yet fully known, but the company identified the website destre45[.]com as one of the infection vectors. Researchers assume that other distribution methods rely on services offered by other cybercriminals.

After infecting a computer, the malware connects to a command and control (C2) server and receives a dictionary of usernames and passwords to use in the brute-force attack, together with a list of IP addresses to scan.

It then checks whether the RDP port (TCP 3389) is open on each system in the assigned range. Where it finds one, the brute-force attack begins, and on success the working credentials are sent immediately to the C2 server.
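From the defender's side, the behaviour described above leaves a recognisable trace in the target's logon logs: a burst of failed RDP logons from a single source, cycling through a small dictionary of usernames, sometimes followed by a success from the same source. The following script is an added example, not code from the article or from FireEye or IntelCrawler. It runs a simple sliding-window detector over constructed log lines modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon); the log format, IP addresses and usernames are assumptions made for the example, and the dictionary of usernames is taken from the counts reported later in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one logon event per line, in the
# order they occurred. Fields are modelled on Windows Security events 4625
# (failed logon) and 4624 (successful logon). Logon type 10 is
# RemoteInteractive (RDP); with Network Level Authentication enabled,
# failed RDP logons are frequently recorded as type 3 (network) instead,
# so both types are treated as RDP-relevant here.
SAMPLE_LOG = """\
2014-07-09T10:00:01 4625 type=3 user=administrator src=198.51.100.7
2014-07-09T10:00:02 4625 type=3 user=administrator src=198.51.100.7
2014-07-09T10:00:03 4625 type=3 user=pos src=198.51.100.7
2014-07-09T10:00:04 4625 type=3 user=pos src=198.51.100.7
2014-07-09T10:00:05 4625 type=3 user=administrator src=198.51.100.7
2014-07-09T10:00:06 4625 type=3 user=administrator src=198.51.100.7
2014-07-09T10:00:09 4624 type=10 user=pos src=198.51.100.7
2014-07-09T10:05:00 4625 type=10 user=jsmith src=192.0.2.44
2014-07-09T10:05:30 4624 type=10 user=jsmith src=192.0.2.44
2014-07-09T10:07:00 4625 type=3 user=administrator src=203.0.113.9
2014-07-09T10:07:01 4625 type=3 user=administrator src=203.0.113.9
2014-07-09T10:07:02 4625 type=3 user=pos src=203.0.113.9
2014-07-09T10:07:03 4625 type=3 user=pos src=203.0.113.9
2014-07-09T10:07:04 4625 type=3 user=pos src=203.0.113.9
"""

# Usernames the article reports as the most common in the attackers' dictionary.
DICTIONARY_USERS = {"administrator", "pos"}

RDP_LOGON_TYPES = {"3", "10"}


def parse_line(line):
    """Parse one constructed log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "time": datetime.fromisoformat(ts),
        "event": event_id,
        "type": fields.get("type"),
        "user": fields.get("user", "").lower(),
        "src": fields.get("src"),
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """
    Return {src: finding} for every source that produced at least `threshold`
    failed RDP logons inside a sliding `window`. A finding records the
    usernames tried, whether any of them are in the known dictionary, and the
    account name if the same source later logged on successfully (which means
    the brute force most likely worked).
    """
    failures = defaultdict(list)   # src -> timestamps of recent failures
    users = defaultdict(set)       # src -> usernames attempted
    findings = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["src"]
        if ev["event"] == "4625":
            users[src].add(ev["user"])
            failures[src].append(ev["time"])
            # Drop failures that have fallen out of the sliding window.
            cutoff = ev["time"] - window
            failures[src] = [t for t in failures[src] if t >= cutoff]
            if len(failures[src]) >= threshold:
                finding = findings.setdefault(src, {"success_after_burst": None})
                finding["failures"] = len(failures[src])
                finding["users"] = sorted(users[src])
                finding["dictionary_hit"] = bool(users[src] & DICTIONARY_USERS)
        elif ev["event"] == "4624" and src in findings:
            # A success from a source already flagged: credentials were guessed.
            findings[src]["success_after_burst"] = ev["user"]
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LOG).items():
        verdict = ("COMPROMISED as %r" % finding["success_after_burst"]
                   if finding["success_after_burst"] else "brute force only")
        print(src, finding["failures"], "failures", finding["users"], verdict)
```

The single failed attempt from 192.0.2.44 followed by a success is the normal mistyped-password case and is not flagged; the two scanning sources are, and only the one that then logged on as "pos" is marked as compromised. In production the same logic would be fed from the Security event log or a SIEM, and the threshold and window tuned to the environment's normal failure rate.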

FireEye said it identified five C2 servers, only two of which are currently active; both appear to have been set up recently, one towards the end of May and the other in early June.

Both are located in Russia, on the THEFIRST-NET network. The other control servers were located in Iran and Germany.

According to the company's analysis, the attackers specified a set of 57 IP address ranges, 32 of them in the United States. The remaining ranges include the United Kingdom, the Netherlands, Spain, Tunisia, South Africa, Saudi Arabia, Uganda, and Ukraine.

By gaining access to the C2 servers, FireEye researchers also recovered the list of RDP servers that the cybercriminals had recorded as compromised assets.

That list held 60 machines, 51 of them in the U.S. The most frequently used credentials were “administrator” (36 cases), and “pos” and “password” (12 cases each).

This is not the first time researchers have encountered this botnet: it was reported back in March, and the brute-forcing component was discovered in February, but too little information was available at the time.

Based on its findings, FireEye notes that the attackers are most likely from Russia or Ukraine.