
RUBYCARP Botnet

A threat group known as RUBYCARP has been detected operating a persistent botnet for conducting crypto mining, distributed denial-of-service (DDoS) and phishing assaults. Researchers believe that RUBYCARP has Romanian origin.

Active for a minimum of a decade, RUBYCARP utilizes its botnet primarily for financial gains. Their modus operandi involves deploying a botnet through various public exploits and brute-force techniques. The group communicates through both public and private IRC networks.

Initial findings suggest a potential overlap between RUBYCARP and another threat entity named Outlaw. Outlaw has a track record of engaging in crypto mining and brute-force attacks but has recently shifted focus towards phishing and spear-phishing campaigns to broaden their scope of targets.

RUBYCARP may be Expanding Its Attack Methods

These phishing emails frequently entice recipients into divulging private information, such as login credentials or financial details. Another noteworthy facet of RUBYCARP's tactics involves employing a malware known as ShellBot (also recognized as PerlBot) to infiltrate target environments. Additionally, they've been observed exploiting security vulnerabilities within the Laravel Framework (e.g., CVE-2021-3129), a method also utilized by other threat actors like AndroxGh0st.

In an indication of the attackers broadening their array of initial access techniques to expand the botnet's scale, researchers have disclosed instances of WordPress sites being compromised through commonly used usernames and passwords.

Upon gaining entry, a backdoor based on the Perl ShellBot is implanted. Subsequently, the victim's server is connected to an IRC (Internet Relay Chat) server functioning as Command-and-Control (C2), integrating it into the larger botnet.

The botnet's size is estimated to surpass 600 hosts, with the IRC server ('chat.juicessh.pro') established on May 1, 2023. It heavily relies on IRC for general communication, as well as for orchestrating botnets and coordinating cryptomining operations.

Moreover, members of the group have been identified communicating via an Undernet IRC channel named #cristi. Additionally, they utilize a mass scanner tool to identify potential new hosts.
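The infection chain described above leaves two observable traces on a compromised web server: a burst of POST requests to wp-login.php from one address during the credential-guessing phase, and, once the ShellBot backdoor is running, an outbound connection from the server to an IRC C2 such as the 'chat.juicessh.pro' host named in the report. The following Python script is an added detection example, not code from the researchers' report or from the threat actor's toolkit. It runs over constructed sample log lines embedded in the script; the access-log format (Apache/nginx combined format), the four-column connection-log layout, the five-attempts-per-minute threshold and the use of the standard IRC ports 6667 and 6697 are all assumptions that a defender would tune to their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Five rapid POSTs to wp-login.php from
# one address mimic the credential guessing described above; the other lines are
# ordinary traffic from legitimate visitors.
ACCESS_LOG = """\
203.0.113.7 - - [02/May/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "python-requests/2.28"
203.0.113.7 - - [02/May/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "python-requests/2.28"
203.0.113.7 - - [02/May/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "python-requests/2.28"
203.0.113.7 - - [02/May/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "python-requests/2.28"
203.0.113.7 - - [02/May/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.5 - - [02/May/2023:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [02/May/2023:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.9 - - [02/May/2023:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Constructed outbound-connection records for the web server (as a firewall or
# flow log might emit them): timestamp, source, destination host, destination port.
CONN_LOG = """\
2023-05-02T10:10:00Z 10.0.0.12 api.wordpress.org 443
2023-05-02T10:10:30Z 10.0.0.12 chat.juicessh.pro 6667
2023-05-02T10:11:00Z 10.0.0.12 cdn.example.net 443
"""

# Combined log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

IRC_PORTS = {6667, 6697}            # standard plaintext and TLS IRC ports (assumption: tune to policy)
KNOWN_C2_HOSTS = {"chat.juicessh.pro"}  # C2 hostname named in the report


def parse_access_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_wp_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: count} for source IPs that POSTed to wp-login.php at least
    `threshold` times inside any `window`; that burst is the credential-guessing signature."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps of this client's attempts.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def find_irc_c2_connections(conn_text):
    """Return (src, host, port) tuples for outbound connections to IRC ports or to a
    known C2 hostname; a web server normally has no reason to speak IRC at all."""
    hits = []
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, host, port = parts
        port = int(port)
        if port in IRC_PORTS or host in KNOWN_C2_HOSTS:
            hits.append((src, host, port))
    return hits


if __name__ == "__main__":
    print("wp-login bursts:", find_wp_login_bursts(ACCESS_LOG))
    print("IRC/C2 connections:", find_irc_c2_connections(CONN_LOG))
```

On the sample data the first check flags only 203.0.113.7 (five attempts in three seconds), not the legitimate administrator who logged in once, and the second check surfaces the single connection to the IRC C2. The port-based rule catches a ShellBot variant pointed at an IRC server not yet on any indicator list, which is why it sits alongside the hostname match rather than replacing it.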

RUBYCARP Cybercriminals Exploit Numerous Fraudulent Income Streams

RUBYCARP's emergence in the cyber threat landscape comes as little surprise, given their ability to leverage their botnet to access various illicit income streams, including cryptomining and phishing operations aimed at harvesting credit card numbers.

As researchers have uncovered, cryptomining has been the cybercrime group's primary motivation since its early days. While the group has evolved its tactics, branching into activities such as phishing and DDoS attacks, cryptomining has remained a consistent pursuit throughout its history.

Although it seems that harvested credit card data is primarily used to acquire attack infrastructure, alternative means of monetization, such as selling the information within the cybercrime underground, are also possible.

Furthermore, the threat actors are engaged in developing and selling cyberweapons, a relatively uncommon practice. With a vast arsenal of tools accumulated over the years, they possess significant flexibility in executing their operations.
