NLBrute RDP Brute-forcing Tool and Controlled Botnet for Sale

Summary

A post on a cybercrime forum is advertising an NLBrute RDP brute-forcing tool, built on NLBrute 1.2, together with a controlled botnet.
Category: Adversary Intelligence
Affected Industries: Multiple
Affected Region: Global

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising an NLBrute RDP brute-forcing tool, built on NLBrute 1.2, together with a controlled botnet.
  • The tool distributes the work of brute-forcing RDP credentials across a controlled botnet, targeting IP addresses in various countries that expose RDP.
  • CloudSEK's Threat Intelligence Research team is in the process of validating the post.
Threat actor’s post on the cybercrime forum

Analysis

The NLBrute RDP brute-forcing tool is used to distribute the workload of finding valid RDP credentials. Rather than running NLBrute on a single machine, threat actors use this tool to spread the search across multiple bot devices, making it faster and more efficient. The tool's alleged capabilities are based on NLBrute v1.2. It brute-forces RDP credentials and requires three input files to run:
  • A list of IP addresses with RDP port 3389 open
  • A wordlist of passwords
  • A list of usernames
NLBrute 1.2
The threat actor has also shared more screenshots that illustrate how the tool operates. The screenshots have been added to the report in the Appendix section.

Impact & Mitigation

Impact
This tool enables threat actors to find potential open RDP ports and compromise more devices by brute-forcing RDP credentials. Valid RDP credentials can allow actors to:
  • Gain RDP access to the compromised device.
  • Escalate privileges.
  • Move laterally within the network environment.
  • Deploy different types of malware, including but not limited to ransomware.
  • Use the compromised device as a bot to infect other machines.

Mitigation
  • Use strong passwords.
  • Enable multi-factor authentication for all online accounts.
  • Don’t share OTPs with third parties.
  • Review online accounts and financial statements periodically.
  • Regularly update all software and apps to the latest patches.
  • Close unused RDP ports.
  • Use up-to-date endpoint prevention and detection tools.
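The mitigation list above ends with detection tooling, and the activity this tool generates has a simple signature on the target side: a burst of failed RDP logons from one source, often cycling through a username list, sometimes followed by a success. The script below is an added, defender-side example written for this report; it is not CloudSEK's code or the advertised tool. It runs over constructed, simplified log lines (timestamp, Windows event ID, logon type, source IP, target user; not real EVTX output) and flags any source that exceeds a failure threshold inside a sliding window, plus any later successful logon from an already-flagged source. The threshold, window and the treatment of logon types 10 and 3 as RDP-related are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real event data). Fields: timestamp, EventID,
# LogonType, source IP, target username. 4625 = failed logon, 4624 = success.
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network (assumed here to
# cover NLA-backed RDP attempts). Source IPs are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z,4625,10,192.0.2.10,administrator
2024-03-01T10:00:01Z,4625,10,192.0.2.10,admin
2024-03-01T10:00:02Z,4625,10,192.0.2.10,user
2024-03-01T10:00:03Z,4625,10,192.0.2.10,backup
2024-03-01T10:00:04Z,4625,10,192.0.2.10,administrator
2024-03-01T10:00:05Z,4625,10,192.0.2.10,scanner
2024-03-01T10:00:30Z,4625,10,198.51.100.7,jsmith
2024-03-01T10:00:31Z,4624,10,198.51.100.7,jsmith
2024-03-01T10:05:00Z,4625,3,203.0.113.5,svc_sql
2024-03-01T10:05:02Z,4625,3,203.0.113.5,svc_sql
2024-03-01T10:05:04Z,4625,3,203.0.113.5,svc_sql
2024-03-01T10:05:06Z,4625,3,203.0.113.5,svc_sql
2024-03-01T10:05:08Z,4625,3,203.0.113.5,svc_sql
2024-03-01T10:05:10Z,4624,3,203.0.113.5,svc_sql
"""

RDP_LOGON_TYPES = {"10", "3"}  # assumption: which logon types count as RDP-related


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, event_id, logon_type, src_ip, user = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": event_id,
        "logon_type": logon_type,
        "src_ip": src_ip,
        "user": user,
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources with >= threshold failed RDP logons inside a
    sliding window, and for any success (4624) from a source already flagged.
    The distinct-user count distinguishes a username-list run from a single
    account being hammered; both are worth an alert."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    users = defaultdict(set)       # src_ip -> distinct usernames attempted
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        if ev["event_id"] == "4625":
            q = failures[ev["src_ip"]]
            q.append(ev["ts"])
            users[ev["src_ip"]].add(ev["user"])
            # Drop failures that fell out of the window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src_ip"] not in flagged:
                flagged.add(ev["src_ip"])
                alerts.append({
                    "type": "rdp_bruteforce",
                    "src_ip": ev["src_ip"],
                    "failures": len(q),
                    "distinct_users": len(users[ev["src_ip"]]),
                    "first_seen": q[0],
                })
        elif ev["event_id"] == "4624" and ev["src_ip"] in flagged:
            # A success after a flagged burst is the outcome the tool is sold to
            # produce, so it gets its own higher-priority alert.
            alerts.append({
                "type": "success_after_bruteforce",
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data this yields three alerts: a username-list burst from 192.0.2.10 (four distinct accounts in five seconds), a single-account burst from 203.0.113.5, and the subsequent success from 203.0.113.5, which is the one to escalate first. The single failure followed by success from 198.51.100.7 is left alone, as a normal mistyped password should be.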

Appendix

List of controlled bots
Running NLBrute tool on the selected bots
Controlling the file structure for NLBrute for each client task
Selecting and running the brute-force task
Showing the result of brute-force credentials