DUBrute

Malware

⚠️ Overview

DUBrute is a brute‑force credential‑stealing botnet first documented in May 2020 by Radware’s Emergent Threat Response team. The malware is operated by a financially motivated threat actor, tracked as the DirtyMoe group (also linked to PurpleFox and TeleBot), and belongs to the category of credential‑stuffer and DDoS botnet malware.

🔧 Technical Capabilities

DUBrute propagates by brute‑forcing RDP and SSH credentials, leveraging a built‑in dictionary of common passwords and username lists. Once inside, it drops a PowerShell‑based loader that downloads additional payloads (including the XMRig coin miner and the Mirai‑based DDoS client) from a hard‑coded C2 server over HTTP. The botnet uses domain‑generation algorithms (DGAs) and encrypted communication (AES‑256) to evade detection. Persistence is achieved via scheduled tasks and Windows service registration; the malware also disables both Windows Defender and UAC. Evasion techniques include process hollowing of svchost.exe and the use of stolen digital certificates to bypass gateways.

📜 History & Notable Incidents

DUBrute first appeared in May 2020, with a major campaign in August 2020 that targeted healthcare, education, and government sectors in the US and Europe. In October 2020, Radware reported a 400% increase in DUBrute scans against RDP ports (3389). No specific CVEs are exploited; the malware relies entirely on weak credentials. No law enforcement takedown has been publicly documented as of 2023.

🔍 Detection Indicators

Known file hashes include SHA256: 9b8f6c1a2e3d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (variant reported by Radware). Network IOCs include outbound HTTP POST requests to domains like dubrute[.]xyz and vps[.]dubrute[.]net on port 8080. Behavioral signatures include repeated RDP login attempts (Event ID 4625) followed by file downloads named system.exe or lsass.exe in %TEMP%. The mutex name DUBruteMutex and the User‑Agent string Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0 are also associated with the malware.

☠️ Risk & Impact

DUBrute causes data exfiltration of stored credentials and system information, financial losses from cryptomining (Monero) and DDoS attacks, and operational disruption. Affected sectors include healthcare, education, and government, often leading to HIPAA and FERPA compliance violations.

🛡️ Mitigation

Mitigation includes enforcing strong password policies for RDP and SSH, enabling multi‑factor authentication, and implementing network‑level detection rules (e.g., Suricata signatures for DUBrute C2 traffic). Radware recommends blocking outbound connections to known DGA domains and disabling RDP where not required.
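As an added defender‑side example (not code from Boteraser, Radware, or the malware's authors), the following Python correlates the behavioral and network indicators listed under Detection Indicators and stands in for the host‑ and network‑level detection rules the Mitigation section recommends. The Windows event records and proxy log lines are constructed for the example; the burst threshold, the five‑minute and thirty‑minute windows, the use of Sysmon Event ID 11 (FileCreate) as the file‑drop telemetry, and the proxy‑log line format are assumptions, not details the profile specifies.

```python
"""Correlate DUBrute indicators over constructed sample logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators as listed in the profile above
C2_DOMAINS = {"dubrute.xyz", "vps.dubrute.net"}
C2_PORT = 8080
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
DROPPED_NAMES = {"system.exe", "lsass.exe"}

# Tunables (assumptions for this example, not values from the profile)
BURST_THRESHOLD = 5                      # failed logons from one source ...
BURST_WINDOW = timedelta(minutes=5)      # ... inside this window = brute force
FOLLOWUP_WINDOW = timedelta(minutes=30)  # a Temp drop this soon after is related

# Constructed sample events: 4625 = failed logon, 4624 = successful logon,
# 11 = Sysmon FileCreate (assumed here as the source of file-drop telemetry)
SAMPLE_EVENTS = [
    {"ts": "2020-08-10T03:00:01", "id": 4625, "host": "WS01", "src_ip": "203.0.113.5", "user": "administrator"},
    {"ts": "2020-08-10T03:00:20", "id": 4625, "host": "WS01", "src_ip": "203.0.113.5", "user": "administrator"},
    {"ts": "2020-08-10T03:00:41", "id": 4625, "host": "WS01", "src_ip": "203.0.113.5", "user": "admin"},
    {"ts": "2020-08-10T03:01:02", "id": 4625, "host": "WS01", "src_ip": "203.0.113.5", "user": "admin"},
    {"ts": "2020-08-10T03:01:25", "id": 4625, "host": "WS01", "src_ip": "203.0.113.5", "user": "user"},
    {"ts": "2020-08-10T03:01:30", "id": 4625, "host": "WS01", "src_ip": "198.51.100.7", "user": "jdoe"},  # lone typo
    {"ts": "2020-08-10T03:01:50", "id": 4625, "host": "WS01", "src_ip": "203.0.113.5", "user": "user1"},
    {"ts": "2020-08-10T03:02:15", "id": 4624, "host": "WS01", "src_ip": "203.0.113.5", "user": "administrator"},
    {"ts": "2020-08-10T03:05:40", "id": 11, "host": "WS01", "path": "C:\\Windows\\Temp\\system.exe"},
    {"ts": "2020-08-10T03:06:00", "id": 11, "host": "WS02", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.pdf"},
]

# Constructed proxy log lines in an assumed format: <ts> <host> <method> <url> ua="<user-agent>"
SAMPLE_HTTP = [
    '2020-08-10T03:06:10 WS01 POST http://dubrute.xyz:8080/ ua="' + C2_USER_AGENT + '"',
    '2020-08-10T03:06:12 WS02 GET https://www.example.com/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/78.0"',
    '2020-08-10T03:07:00 WS01 POST http://vps.dubrute.net:8080/ ua="curl/7.64.1"',
    '2020-08-10T03:08:00 WS03 GET http://intranet.example:8080/ ua="' + C2_USER_AGENT + '"',  # old browser, internal site
]
HTTP_LINE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) ua="(?P<ua>[^"]*)"$')


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_bruteforce_bursts(events):
    """Map (host, src_ip) -> time of the last failed logon in a burst of at least
    BURST_THRESHOLD Event ID 4625 records inside BURST_WINDOW (sliding window)."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_source[(e["host"], e["src_ip"])].append(_ts(e["ts"]))
    bursts = {}
    for key, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                bursts[key] = t
    return bursts


def find_temp_drops(events, bursts):
    """Flag system.exe / lsass.exe created under a Temp directory on a host
    that saw a brute-force burst up to FOLLOWUP_WINDOW earlier."""
    alerts = []
    for e in events:
        if e["id"] != 11:
            continue
        path = e["path"]
        if path.rsplit("\\", 1)[-1].lower() not in DROPPED_NAMES or "\\temp\\" not in path.lower():
            continue
        for (host, src_ip), burst_end in bursts.items():
            if host == e["host"] and burst_end <= _ts(e["ts"]) <= burst_end + FOLLOWUP_WINDOW:
                alerts.append(("dropper_after_bruteforce", host, src_ip, path))
    return alerts


def find_c2_requests(http_lines):
    """Return (host, domain, reasons) for lines matching the network indicators.
    The User-Agent is a genuine Firefox 45 string, so alone it only counts
    together with another signal; a known C2 domain is enough by itself."""
    alerts = []
    for line in http_lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue
        u = urlsplit(m.group("url"))
        domain = (u.hostname or "").lower()
        reasons = []
        if domain in C2_DOMAINS:
            reasons.append("known_c2_domain")
        if m.group("method") == "POST" and u.port == C2_PORT:
            reasons.append("post_to_8080")
        if m.group("ua") == C2_USER_AGENT:
            reasons.append("dubrute_user_agent")
        if "known_c2_domain" in reasons or len(reasons) >= 2:
            alerts.append((m.group("host"), domain, tuple(reasons)))
    return alerts


def run_detections(events=SAMPLE_EVENTS, http_lines=SAMPLE_HTTP):
    """Run all three checks and return their findings together."""
    bursts = find_bruteforce_bursts(events)
    return {"bursts": bursts, "drops": find_temp_drops(events, bursts), "c2": find_c2_requests(http_lines)}
```

Running `run_detections()` on the constructed data reports one brute‑force burst from 203.0.113.5 against WS01, one system.exe drop into a Temp directory on that host shortly afterwards, and the two POST requests to the listed C2 domains on port 8080; the single mistyped password from 198.51.100.7, the benign Temp file on WS02, and the old internal browser that merely carries the Firefox 45 User‑Agent are left alone. A Suricata signature for the same traffic would key on the same three fields (destination domain, port 8080 with method POST, and the User‑Agent), and the thresholds here would be tuned against the environment's own baseline of failed logons.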

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.