A cyber threat group of suspected Romanian origin, identified as RUBYCARP, has been linked to a long-lasting botnet engaged in various malicious activities, including cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and phishing schemes. This group appears to have been operational for at least a decade, primarily motivated by financial gain, as detailed in a report by cloud security firm Sysdig shared with The Hacker News.

Sysdig indicates that RUBYCARP’s primary operational strategy relies on deploying a botnet through a combination of public exploits and brute-force attacks. Communication among group members occurs via public and private IRC networks, which allow for organized coordination of their activities.

Initial evidence suggests that RUBYCARP may have connections to another threat cluster tracked by Albanian cybersecurity firm Alphatechs, known as Outlaw. This group has a documented history of crypto mining and brute-force attacks, showing an evolution into phishing and spear-phishing campaigns aimed at a broader range of targets. Brenton Isufi, a security researcher, noted that these phishing attempts often trick victims into exposing sensitive information, including login credentials and financial details.

Among RUBYCARP’s tactics is the use of a malware variant known as ShellBot, also referred to as PerlBot, which is employed to infiltrate target environments. The group is documented to exploit vulnerabilities within the Laravel Framework, applying techniques identical to those used by other threat actors such as AndroxGh0st.

In a troubling development, Sysdig has documented instances of compromised WordPress sites where attackers leveraged commonly used usernames and passwords to gain access. Following a successful breach, a backdoor based on Perl ShellBot is installed, allowing the compromised server to connect to an Internet Relay Chat (IRC) server, which serves both as command-and-control infrastructure and as the means to join the larger botnet.
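One way a defender can spot the credential-guessing stage described above in web-server logs, as an added example that is not from the Sysdig report or the original article; it assumes Apache combined-format access logs and the constructed sample lines embedded below, and relies on WordPress answering a failed login with a 200 and a successful one with a 302 redirect:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache access-log lines (not real traffic): one host hammers
# wp-login.php and finally receives the 302 that WordPress sends on success.
SAMPLE_LOG = """\
198.51.100.9 - - [01/May/2023:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [01/May/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2321
203.0.113.7 - - [01/May/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2321
203.0.113.7 - - [01/May/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2321
203.0.113.7 - - [01/May/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2321
203.0.113.7 - - [01/May/2023:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2321
203.0.113.7 - - [01/May/2023:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [01/May/2023:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into (ip, datetime, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def find_login_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: {"attempts": n, "success": bool}} for source IPs that POST to
    /wp-login.php at least `threshold` times inside any `window_s`-second window.
    A 302 from a flagged IP is WordPress's redirect after a successful login, so
    the burst is marked as a likely account compromise rather than just noise."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    totals = defaultdict(int)     # ip -> all login POSTs seen so far
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, {"attempts": 0, "success": False})
        if ip in flagged:
            flagged[ip]["attempts"] = totals[ip]
            if status == 302:
                flagged[ip]["success"] = True
    return flagged
```

Each flagged entry reports how many guesses the source made and whether one of them was finally accepted, which is the case that warrants an incident-response check of the site for a dropped backdoor.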

This botnet is estimated to encompass over 600 hosts, with the IRC server established on May 1, 2023, highlighting the group’s reliance on this communication channel for operational coordination and managing crypto mining campaigns. Members of RUBYCARP, who utilize handles like juice_, Eugen, Catalin, MUIE, and Smecher, have been found communicating through the Undernet IRC channel #cristi, and they employ mass scanning tools to identify potential new targets.

The rise of RUBYCARP in the cyber threat landscape underscores their adeptness at leveraging a botnet to fuel a diverse range of illicit activities, including cryptocurrency mining and phishing attacks aimed at data theft. Michael Clark, director of threat research at Sysdig, noted that mining appears to have been the group’s initial motive, but they have since diversified their activities to include DDoS attacks and phishing campaigns.

There is concern that stolen credit card information may not only be used to finance attack infrastructure but could also be sold in underground cybercrime markets. Furthermore, Sysdig reports that RUBYCARP is involved in developing and marketing cyber weapons, a practice that is not commonplace among cyber threat groups. Their extensive arsenal of tools offers substantial flexibility in executing their illicit operations.
