NLBrute RDP Brute-forcing Tool and Controlled Botnet for Sale

Category Adversary Intelligence
Affected Industries Multiple
Affected Region Global

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising an NLBrute RDP brute-forcing tool, built on NLBrute 1.2, together with a controlled botnet.
  • The NLBrute tool, as noted above, is designed to distribute the brute-forcing of RDP credentials across a controlled botnet of targeted IP addresses with open RDP ports, spread across different countries.
  • CloudSEK’s Threat Intelligence Research team is in the process of validating the post.

Threat actor’s post on the cybercrime forum

Analysis

The NLBrute RDP brute-forcing tool is used to distribute the workload of finding valid RDP credentials. Threat actors use it to run faster, more efficient searches across multiple devices using bots, instead of running the NLBrute tool on a single device. The alleged capabilities of this tool are based on NLBrute v1.2. The tool brute-forces RDP credentials and requires three input files to run:

  • A list of IP addresses with the RDP port (3389) open
  • A wordlist of passwords
  • A list of usernames
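A defender-side example, added here and not part of the CloudSEK report: detection logic over constructed Windows Security log events that flags the two shapes an RDP brute-force produces, many failures from one source IP and, for the bot-distributed case described above, one account hit from many distinct source IPs. Event IDs 4625/4624 and LogonType 10 are the real Windows values; the sample events, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, not taken from the report.
# Tuple: (timestamp, event_id, logon_type, target_user, source_ip).
# Event 4625 with LogonType 10 (RemoteInteractive) is a failed RDP logon.
SAMPLE_EVENTS = [
    ("2023-01-10T09:00:01", 4625, 10, "administrator", "203.0.113.5"),
    ("2023-01-10T09:00:02", 4625, 10, "administrator", "203.0.113.5"),
    ("2023-01-10T09:00:03", 4625, 10, "administrator", "203.0.113.5"),
    ("2023-01-10T09:00:04", 4625, 10, "administrator", "203.0.113.5"),
    ("2023-01-10T09:00:05", 4625, 10, "administrator", "203.0.113.5"),
    ("2023-01-10T09:01:00", 4625, 10, "backup", "198.51.100.1"),
    ("2023-01-10T09:01:10", 4625, 10, "backup", "198.51.100.2"),
    ("2023-01-10T09:01:20", 4625, 10, "backup", "198.51.100.3"),
    ("2023-01-10T09:02:00", 4625, 3, "svc", "192.0.2.9"),      # not RDP
    ("2023-01-10T09:02:30", 4624, 10, "jsmith", "192.0.2.10"),  # success
]

def detect_rdp_bruteforce(events, window=timedelta(minutes=5),
                          per_source_threshold=5, distributed_threshold=3):
    """Flag failed RDP logons in two shapes within a sliding window:
    many failures from one source IP (a single brute-forcing host), and
    one account attacked from many distinct source IPs (the bot-distributed
    pattern). Returns a list of (kind, key, count) tuples."""
    by_source = defaultdict(list)   # source_ip -> failure timestamps
    by_target = defaultdict(dict)   # target_user -> {source_ip: last_seen}
    alerts, seen = [], set()
    for ts, event_id, logon_type, user, src in events:
        if event_id != 4625 or logon_type != 10:
            continue                # only failed RemoteInteractive logons
        t = datetime.fromisoformat(ts)
        # Per-source volume: drop failures that fell out of the window.
        hits = [h for h in by_source[src] if t - h <= window] + [t]
        by_source[src] = hits
        if len(hits) >= per_source_threshold and ("source", src) not in seen:
            seen.add(("source", src))
            alerts.append(("single_source", src, len(hits)))
        # Per-account source diversity: distinct IPs hitting this user.
        srcs = {ip: last for ip, last in by_target[user].items()
                if t - last <= window}
        srcs[src] = t
        by_target[user] = srcs
        if len(srcs) >= distributed_threshold and ("target", user) not in seen:
            seen.add(("target", user))
            alerts.append(("distributed", user, len(srcs)))
    return alerts

print(detect_rdp_bruteforce(SAMPLE_EVENTS))
```

The distributed check is the one that matters against a botnet: per-IP rate limits and lockouts see only a handful of attempts per bot, while the per-account source count still rises.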

NLBrute 1.2

The threat actor has also shared more screenshots that illustrate how the tool operates. The screenshots have been added to the report in the Appendix section.

Impact & Mitigation


Appendix

List of controlled bots

Running the NLBrute tool on the selected bots

Controlling the file structure for NLBrute for each client task

Selecting and running the brute-force task

Showing the result of the credential brute-force