A threat group known as RUBYCARP, believed to be based in Romania, has been observed operating a botnet used for crypto mining, distributed denial-of-service (DDoS) attacks, and phishing.
The group, believed to have been active for at least a decade, uses the botnet primarily for financial gain, according to a report Sysdig shared with The Hacker News.
“Their modus operandi predominantly revolves around the deployment of a botnet through an array of public exploits and brute-force assaults,” the cloud security company said. “Communication within this group is facilitated through both public and private IRC networks.”
There is evidence that RUBYCARP overlaps with a threat actor tracked by Albanian cybersecurity firm Alphatechs under the name Outlaw, which has a history of crypto mining and brute-force attacks and has recently shifted toward phishing and spear-phishing to widen its reach.
In a report published in late December 2023, security researcher Brenton Isufi noted that these phishing campaigns typically aim to trick victims into revealing sensitive information such as login credentials or financial details.
A notable aspect of RUBYCARP’s tradecraft is its use of a malware family called ShellBot (also known as PerlBot) to compromise target systems. The group has also been observed exploiting vulnerabilities in the Laravel Framework (e.g., CVE-2021-3129), a technique shared with other threat actors such as AndroxGh0st.
There are signs that its initial access methods are broadening: Sysdig also found evidence of WordPress sites compromised through commonly used username and password combinations.
“Upon gaining access, a backdoor based on the prevalent Perl ShellBot is installed,” the company said. “Subsequently, the victim’s server connects to an Internet Relay Chat (IRC) server functioning as a command-and-control center, thus integrating into the broader botnet.”
The botnet is estimated to comprise more than 600 hosts, and its IRC server (“chat.juicessh[.]pro”) was set up on May 1, 2023. IRC is the group’s central communication channel, used for general discussion, botnet management, and coordination of crypto mining operations.
Members of the group, including juice_, Eugen, Catalin, MUIE, and Smecher, communicate through an Undernet IRC channel named #cristi. The group also uses a mass scanner tool to find potential new hosts.
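To show how a defender might spot the IRC-based command-and-control stage described above, here is an added detection example (not code from Sysdig or the article) that scans a constructed, Zeek-style connection log for the named C2 domain and for IRC-port traffic leaving hosts that should only serve web content; the log layout and the web-server host list are assumptions:

```python
# Added example (not from the Sysdig report or the article): flag outbound
# connections from web servers that look like ShellBot-style IRC C2 traffic.
# Constructed, simplified Zeek-like conn log; layout and host list are assumed.
from dataclasses import dataclass

# Ports commonly used by IRC (plaintext range plus the usual TLS port).
IRC_PORTS = set(range(6665, 6670)) | {6697}
# The C2 domain named in the report, written without the defanging brackets.
KNOWN_C2 = {"chat.juicessh.pro"}
# Hosts that should only ever serve HTTP/HTTPS (assumed for this example).
WEB_SERVERS = {"10.0.1.10", "10.0.1.11"}

# Constructed sample log: ts, src_ip, dst_ip, dst_port, proto, dns_name
SAMPLE_LOG = """\
1714500001\t10.0.1.10\t203.0.113.5\t6667\ttcp\tchat.juicessh.pro
1714500002\t10.0.1.10\t203.0.113.9\t443\ttcp\tcdn.example.net
1714500003\t10.0.2.20\t203.0.113.7\t6667\ttcp\tirc.example.org
1714500004\t10.0.1.11\t203.0.113.8\t6697\ttcp\t-
1714500005\t10.0.1.11\t203.0.113.8\t80\ttcp\tcdn.example.net
"""

@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    reason: str

def parse_line(line):
    ts, src, dst, port, proto, name = line.rstrip("\n").split("\t")
    return ts, src, dst, int(port), proto, name

def detect_irc_c2(log_text):
    """Return alerts for connections to the known C2 domain, or for IRC-port
    traffic originating from hosts that should never speak IRC."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, name = parse_line(line)
        if name in KNOWN_C2:
            alerts.append(Alert(ts, src, dst, port, "known RUBYCARP C2 domain"))
        elif src in WEB_SERVERS and port in IRC_PORTS:
            alerts.append(Alert(ts, src, dst, port, "IRC port from web server"))
    return alerts

if __name__ == "__main__":
    for a in detect_irc_c2(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port}  {a.reason}")
```

The third sample line (IRC from a non-web host) is deliberately left unflagged to show that the port heuristic only fires for hosts with no legitimate reason to speak IRC; the domain match fires regardless of source.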
RUBYCARP’s appearance on the threat landscape is not surprising, given how effectively it uses the botnet to support several illicit revenue streams, including crypto mining and phishing campaigns aimed at stealing credit card data.
While the stolen credit card data appears to be used to purchase attack infrastructure, it could also be monetized in other ways, such as by selling it in cybercrime underground markets.
“These threat actors also dabble in the development and trade of cyber weaponry, a rarity in the realm,” noted Sysdig. “They boast an extensive arsenal of tools amassed over the years, affording them considerable operational flexibility.”