A Romanian botnet group named ‘RUBYCARP’ is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain.
According to a new report by Sysdig, RUBYCARP currently operates a botnet managed via private IRC channels comprising over 600 compromised servers.
Sysdig has found 39 variants of the RUBYCARP botnet’s Perl-based payload (shellbot), with only eight appearing on VirusTotal, illustrating low detection rates for the activity.
“The Sysdig Threat Research Team (Sysdig TRT) recently discovered a long-running botnet operated by a Romanian threat actor group, which we are calling RUBYCARP,” explains the researchers.
“Evidence suggests that this threat actor has been active for at least 10 years.”
The researchers have noted some associations with the Outlaw APT threat group, though the link is loose and based on common tactics used across botnets.
RUBYCARP attacks
Sysdig reports that it has been detecting RUBYCARP’s probes to its honeypots for several months, targeting Laravel applications via CVE-2021-3129, a remote code execution vulnerability.
More recently, the analysts observed RUBYCARP performing brute-forcing SSH servers and targeting WordPress sites using credential dumps.
Once the shellbot payload is installed on a compromised server, it connects to the IRC-based command and control (C2) server and becomes part of the botnet.
The researchers have discovered three distinct botnet clusters, namely ‘Juice,’ ‘Cartier,’ and ‘Aridan,’ which are likely used for different purposes.
If the client fails to configure its connection properly, it gets kicked out, and its IP is blocked in an effort to safeguard the infrastructure from security analysts attempting unauthorized probes.
Sysdig also notes that the attackers rotate their infrastructure frequently to evade detection and blocks, with a list of the mapped infrastructure found on this GitHub page
Hacked servers abused in attacks
Newly infected devices can be used to launch distributed denial of service (DDoS) attacks, phishing and financial fraud, and to mine cryptocurrency.
RUBYCARP uses the NanoMiner, XMrig, and a custom miner named C2Bash to mine cryptocurrencies like Monero, Ethereum, and Ravencoin, using the victim’s computational resources.
The threat group also uses phishing to steal financial information such as credit card numbers.
They achieve this by deploying phishing templates on compromised servers or sending phishing emails from them, targeting individuals or organizations with deceptive messages.
The phishing templates used in the latest campaign indicate a European targeting scope, including the Swiss Bank, Nets Bank, and Bring Logistics.
Though RUBYCARP is not among the largest botnet operators out there, the fact that they have managed to operate largely undetected for over a decade shows a degree of stealth and operational security.
In addition to operating a botnet, SYSDIG says that they are also involved in developing and selling “cyber weapons,” indicating a large arsenal of tools at their disposal.