Decade-Old ‘RUBYCARP’ Romanian Hacker Group Surfaces with Botnet

Apr 09, 2024 | Newsroom | Botnet / Crypto Mining

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.


“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.


In a sign that the attackers are expanding their arsenal of initial access methods to increase the size of the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

“Once access is obtained, a backdoor is installed based on the popular Perl ShellBot,” the company said. “The victim’s server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet.”
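The WordPress credential-guessing described above leaves a recognisable trace in web server access logs: a burst of POST requests to wp-login.php from one source, ending in the 302 redirect WordPress issues after a successful login. The following detection script is an added example for defenders, not code from Sysdig's report or from the article; the log lines, IP addresses and threshold values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_wp_login_bruteforce(lines, window_s=300, threshold=10):
    """Return {ip: {"attempts": n, "success": bool}} for every source IP that sent
    more than `threshold` POSTs to wp-login.php inside any `window_s`-second window.
    A 302 reply to such a POST is WordPress's post-login redirect, so it is reported
    as a probable successful compromise rather than just an attempt."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                findings[ip] = {"attempts": len(recs),
                                "success": any(r["status"] == 302 for r in recs)}
                break
    return findings


# Constructed sample: 12 rapid login POSTs from one address (the last one succeeds),
# plus ordinary traffic from a second address that should not be flagged.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    f'{302 if i == 11 else 200} 3985' for i in range(12)
] + [
    '198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3985',
    '198.51.100.4 - - [01/Jan/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 1200',
]
```

Running `detect_wp_login_bruteforce(SAMPLE_LOG)` flags only 203.0.113.7, with 12 attempts and a probable success; tune the window and threshold to the site's normal login volume before alerting on real logs.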

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group, named juice_, Eugen, Catalin, MUIE, and Smecher, among others, have been found to communicate via an Undernet IRC channel called #cristi. Also put to use is a mass scanner tool to find new potential hosts.


RUBYCARP’s arrival on the cyber threat scene isn’t a surprise given their ability to leverage the botnet to fuel various illicit revenue streams such as crypto mining and phishing operations to steal credit card numbers.

While it appears that the stolen credit card data is used to purchase attack infrastructure, there is also the possibility that the information could be monetized through other means by selling it in the cyber crime underground.

“These threat actors are also involved in the development and sale of cyber weapons, which isn’t very common,” Sysdig said. “They have a large arsenal of tools they have built up over time, which gives them quite a range of flexibility when conducting their operations.”
