TLDR:
- RUBYCARP, a Romanian hacker group, has been operating a botnet for 10 years for crypto mining, DDoS, and phishing attacks.
- They use a malware called ShellBot and exploit security flaws in the Laravel Framework to breach target environments.
A threat group known as RUBYCARP, believed to be of Romanian origin, has been identified as operating a long-running botnet primarily for crypto mining, DDoS, and phishing attacks. The group, active for at least a decade, uses public exploits and brute-force attacks to deploy their botnet and communicates via public and private IRC networks. They are suspected to have connections with another threat cluster known as Outlaw, which has transitioned from crypto mining to phishing campaigns involving spear-phishing emails to gather sensitive information.
What distinguishes RUBYCARP’s tradecraft is its use of the ShellBot malware and its exploitation of security vulnerabilities in the Laravel Framework, such as CVE-2021-3129. The group has also been observed compromising WordPress sites that use common usernames and passwords in order to expand its botnet. It relies heavily on IRC for communication and for coordinating crypto mining campaigns, and the botnet is estimated to consist of over 600 hosts.
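The WordPress credential attacks described above leave a recognisable trace in ordinary web server access logs: bursts of `POST` requests to `/wp-login.php` (or `/xmlrpc.php`) from one source address, each answered with HTTP 200 because WordPress re-renders the login form on failure rather than redirecting. The following script is an added defensive example, not code from the report or from any tool it mentions; it assumes Apache/Nginx combined log format, and the sample log lines, the five-attempts-per-minute threshold and the IP addresses are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines (combined log format), not taken from the report.
# 203.0.113.7 hammers the login form; 192.0.2.9 fails twice (below threshold);
# 198.51.100.4 logs in legitimately (302 redirect) and browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:12:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2024:12:00:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept WordPress credentials (xmlrpc.php is a common alternative to the form).
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop query string before comparing
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: max_failed_logins_in_window} for sources exceeding the threshold.

    A failed WordPress login is a POST to a login endpoint answered with 200
    (form re-rendered); a successful one is answered with a 302 redirect and is
    ignored here. Threshold and window are assumed tuning values.
    """
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        if ev["status"] != 200:
            continue
        failures[ev["ip"]].append(ev["ts"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: count the densest run of failures within window_s seconds.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {ip} made {count} failed WordPress login attempts within 60s")
```

Running the block on the constructed log flags only `203.0.113.7`; the two failures from `192.0.2.9` stay under the threshold and the legitimate 302 login is not counted. In production the same logic would feed a rate limiter or a fail2ban-style block list, and the threshold would be tuned to the site's normal login volume.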
Members of RUBYCARP, identified as juice_, Eugen, Catalin, MUIE, and Smecher, among others, communicate through an Undernet IRC channel. The group also utilizes a mass scanner tool to identify new potential hosts. Their activities indicate a focus on generating illicit income through crypto mining and phishing operations, potentially involving the sale of stolen credit card data in the cybercrime underground.
RUBYCARP’s involvement in the development and sale of cyber weapons adds to their notoriety in the threat landscape. They possess a diverse range of tools acquired over the years, giving them flexibility in their operations. Their use of a botnet for various illicit activities showcases their adaptability and sophistication in conducting cyber attacks.