RUBYCARP, a suspected Romanian threat group, has been active for at least 10 years and maintains a botnet used for crypto mining, DDoS, and phishing attacks.

The group deploys the botnet by leveraging public exploits and brute-force attacks, and they communicate through both public and private IRC networks to coordinate their activities.

The primary motive behind their operations is financial gain. Additionally, there is evidence suggesting that RUBYCARP may overlap with another threat cluster known as Outlaw, tracked by the Albanian cybersecurity firm Alphatechs. Outlaw has a history of conducting crypto mining and brute-force attacks and has recently shifted focus towards phishing and spear-phishing campaigns.


RUBYCARP, a suspected Romanian threat group active for over a decade, maintains a sophisticated botnet for crypto mining, DDoS, and phishing attacks. They deploy malware like ShellBot (aka PerlBot) to breach target environments, often exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129) and compromising WordPress sites using common usernames and passwords. Once access is obtained, they install a backdoor and connect the victim's server to an IRC server for command-and-control, integrating it into their botnet, which comprises over 600 hosts.

This botnet heavily relies on IRC for communication and management.

RUBYCARP’s phishing emails lure victims into revealing sensitive information, such as login credentials and financial details. The group has been found to communicate via an Undernet IRC channel named #cristi, using a mass scanner tool to find new potential hosts.
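The intrusion chain described above (password guessing against WordPress logins, then a backdoor that joins the compromised server to an IRC channel) leaves traces in two places a defender already collects: the web server's access log and the network connection log. The script below is an added example written for this page, not code from the report or from any tool it mentions. The access-log lines, connection records, host inventory and IRC stream it processes are constructed sample data; the IRC port list and the "200 on failure, 302 on success" login heuristic are general WordPress and IRC behaviour, not details taken from the page. Only the channel name `#cristi` comes from the report.

```python
import re
from collections import Counter

# Conventional IRC listener ports (general protocol knowledge, not taken from the report).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# IRC client commands that appear in clear text at the start of a line when a bot
# registers with a server and joins a channel (RFC 1459 vocabulary). On port 6697 the
# stream is normally TLS, so this payload check only helps on clear-text sessions.
IRC_CMD_RE = re.compile(r"^(?:NICK|USER|JOIN|PRIVMSG)\b", re.MULTILINE)
IRC_JOIN_RE = re.compile(r"^JOIN\s+(#\S+)", re.MULTILINE)

# Constructed combined-format access log lines (sample data, not real traffic).
ACCESS_LOG = """\
198.51.100.7 - - [10/Apr/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3251
198.51.100.7 - - [10/Apr/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3251
198.51.100.7 - - [10/Apr/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3251
198.51.100.7 - - [10/Apr/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3251
198.51.100.7 - - [10/Apr/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.9 - - [10/Apr/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 8812
203.0.113.9 - - [10/Apr/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed connection records: ts src src_port dst dst_port proto (sample data).
CONN_LOG = """\
1712750401.1 10.0.0.5 48212 192.0.2.10 443 tcp
1712750402.3 10.0.0.5 48220 192.0.2.44 6667 tcp
1712750403.9 10.0.0.5 48221 192.0.2.44 6697 tcp
1712750405.0 10.0.0.8 51002 192.0.2.10 80 tcp
"""
# Assumed inventory: web servers that have no business opening outbound IRC sessions.
WEB_SERVERS = {"10.0.0.5"}

# Constructed clear-text client stream shaped like an IRC registration (not a capture).
SAMPLE_STREAM = "NICK bot-1337\r\nUSER x 0 * :x\r\nJOIN #cristi\r\nPRIVMSG #cristi :up\r\n"


def wp_login_password_guessing(log_text, threshold=4):
    """Per client IP, count failed POSTs to wp-login.php and note whether one later succeeded.

    WordPress re-renders the login form with HTTP 200 on a failed login and answers a
    successful one with a 302 redirect, so a burst of 200s followed by a 302 from the
    same IP is the shape a successful guess leaves in the access log.
    """
    failed, succeeded = Counter(), set()
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] == "200":
            failed[m["ip"]] += 1
        elif m["status"] == "302":
            succeeded.add(m["ip"])
    return {ip: {"failed": n, "succeeded": ip in succeeded}
            for ip, n in failed.items() if n >= threshold}


def outbound_irc_from_servers(conn_text, servers=WEB_SERVERS):
    """Return (src, dst, port) for TCP connections from inventoried servers to IRC ports."""
    hits = []
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        _ts, src, _sport, dst, dport, proto = parts[:6]
        if src in servers and proto == "tcp" and int(dport) in IRC_PORTS:
            hits.append((src, dst, int(dport)))
    return hits


def irc_channels_in_stream(payload):
    """Return channel names from JOIN lines if the stream carries IRC commands, else []."""
    if not IRC_CMD_RE.search(payload):
        return []
    return IRC_JOIN_RE.findall(payload)


if __name__ == "__main__":
    print(wp_login_password_guessing(ACCESS_LOG))
    print(outbound_irc_from_servers(CONN_LOG))
    print(irc_channels_in_stream(SAMPLE_STREAM))
```

The three checks are deliberately independent: the access-log heuristic fires before any backdoor exists, the connection check needs only flow data and an inventory of hosts that should never speak IRC, and the payload check adds the channel name as a pivot for hunting across other hosts once a session is caught in the clear.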

They are known for evolving their methods, initially focusing on crypto mining but expanding into phishing, DDoS, and the sale of stolen credit card data. This stolen data is used to purchase attack infrastructure or sold in cybercrime markets.
