RUBYCARP Botnet Attributed to Romanian Threat Actor
A threat group suspected to be of Romanian origin, tracked as RUBYCARP, has been observed operating a persistent botnet used for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and phishing.
The group, believed to have been active for at least a decade, operates the botnet primarily for financial gain, according to a Sysdig report shared with The Hacker News. It builds the botnet by exploiting publicly known vulnerabilities and brute-forcing credentials, and controls it over both public and private IRC networks.
Evidence suggests that RUBYCARP overlaps with a threat cluster that Albanian cybersecurity firm Alphatechs tracks as Outlaw. Outlaw has a history of crypto mining and brute-force attacks but has more recently shifted its focus to phishing and spear-phishing campaigns.
RUBYCARP's Phishing Campaigns and Initial Access Methods
These phishing campaigns aim to trick victims into disclosing sensitive information such as login credentials or financial data, according to security researcher Brenton Isufi.
One notable aspect of RUBYCARP's tradecraft is its use of the ShellBot (also known as PerlBot) malware to gain a foothold in target environments. The group also exploits vulnerabilities in the Laravel Framework, a tactic also associated with AndroxGh0st.
To expand the botnet's reach, RUBYCARP has been observed compromising WordPress sites by trying common username and password combinations. Once access is gained, the group installs a backdoor based on the Perl ShellBot, which connects the compromised server to an Internet Relay Chat (IRC) server acting as command-and-control (C2).
The botnet, estimated to include over 600 hosts, heavily relies on IRC for communication and coordination of crypto mining campaigns. Additionally, members of the group communicate through an Undernet IRC channel named #cristi and utilize a mass scanner tool to identify potential new hosts.
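The two techniques described above, WordPress credential brute-forcing followed by a Perl IRC bot calling home, both leave traces a defender can hunt for. The following detection logic is an added example written for this page; it is not Sysdig's, Alphatechs' or RUBYCARP's code. It assumes an Apache/nginx combined-format access log, a sliding-window threshold of ten login POSTs per minute (an arbitrary tuning choice), and that outbound C2 can be recognised by IRC protocol commands in the payload rather than by port, since the report does not state which ports the group uses. The sample log lines and IRC payload are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log format (assumed; adapt the regex to your logger).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one IP hammers wp-login.php 12 times in 33 seconds,
# a second IP performs a single normal login.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Apr/2024:13:05:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"'
    for s in range(0, 36, 3)
] + [
    '198.51.100.5 - - [10/Apr/2024:13:05:10 +0000] "GET /index.php HTTP/1.1" 200 9140 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Apr/2024:13:05:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def detect_wp_bruteforce(lines, threshold=10, window_s=60):
    """Return {ip: peak_attempts} for source IPs that POST to /wp-login.php
    at least `threshold` times inside any `window_s`-second sliding window.
    Lines are assumed to be in chronological order, as in a live log."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


# IRC client commands a ShellBot-style bot must send to register and join its
# C2 channel. Matching on protocol content rather than on the default IRC port
# (6667) also catches bots pointed at non-standard ports (assumption: the
# report does not say which ports RUBYCARP uses).
IRC_COMMANDS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ", b"PONG ")

# Constructed outbound payload as a Perl IRC bot would send it after connecting.
SAMPLE_IRC = (b"NICK [x]a9f21\r\n"
              b"USER bot 8 * :bot\r\n"
              b"JOIN #cristi\r\n"
              b"PRIVMSG #cristi :online\r\n")


def looks_like_irc(payload):
    """Heuristic: treat a TCP payload as an IRC session if at least two lines
    begin with an IRC client command."""
    hits = sum(1 for l in payload.split(b"\r\n") if l.startswith(IRC_COMMANDS))
    return hits >= 2


def irc_channels(payload):
    """Extract the channels a suspected bot joins, for pivoting in other logs."""
    return [c.decode() for c in re.findall(rb"^JOIN\s+(#\S+)", payload, re.M)]


if __name__ == "__main__":
    print("wp-login brute force:", detect_wp_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 12}
    if looks_like_irc(SAMPLE_IRC):
        print("IRC C2 traffic, channels:", irc_channels(SAMPLE_IRC))   # ['#cristi']
```

In practice the brute-force detector would be fed from the live access log and the IRC heuristic from a network sensor's payload captures; a web server process such as `perl` that opens an outbound session matching `looks_like_irc` is worth treating as a compromised host regardless of destination port.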
RUBYCARP's emergence in the threat landscape shows how a long-running botnet can be turned to a range of illegal activities, from crypto mining to phishing operations that steal sensitive information such as credit card numbers.