10-year-old Romanian hacker group “RUBYCARP” emerges with a botnet

09 April 2024 | Pressroom | Botnet / cryptocurrency mining


A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet used for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and phishing.

The group, believed to have been active for at least 10 years, uses the botnet for profit, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation exploits a distributed botnet using a variety of public exploits and brute force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may overlap with another threat group tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of cryptocurrency mining and brute-force attacks and has since shifted to phishing and spear-phishing campaigns that cast a wide net.


“These phishing emails often trick victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s operations is the use of malware called ShellBot (also known as PerlBot) to breach targeted environments. The group has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors such as AndroxGh0st.


In a sign that the attackers are expanding their set of initial access methods to widen the botnet’s reach, Sysdig said it discovered evidence of WordPress sites being compromised through commonly used usernames and passwords.

“Once access is gained, a backdoor based on the popular Perl ShellBot is installed,” the company said. “The victim’s server is then connected to a [Internet Relay Chat] server that acts as command and control and joins the larger botnet.”

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It relies heavily on IRC for general communications, as well as for managing its botnets and coordinating cryptocurrency mining campaigns.

Furthermore, members of the group – named juice_, Eugen, Catalin, MUIE and Smecher, among others – were discovered to communicate via an Undernet IRC channel called #cristi. A mass scanning tool is also used to find new potential hosts.
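As an added illustration (not from the Sysdig report or this article), the following Python snippet shows a simple triage check a defender could run over host connection records: it flags connections to the C2 hostname named above and long-lived outbound IRC sessions from a Perl process, which is how a ShellBot infection would present. The log lines are constructed samples; the standard IRC ports and the one-hour session threshold are assumptions.

```python
from dataclasses import dataclass

# Constructed sample records: "host pid process dst_host dst_port duration_seconds"
SAMPLE_CONN_LOG = """\
web01 4112 perl chat.juicessh.pro 6667 86400
web01 2201 nginx cdn.example.net 443 12
web02 3390 sshd 198.51.100.7 22 300
web02 5150 perl 203.0.113.5 6697 43200
db01 900 postgres 10.0.0.12 5432 99999
"""

# Assumptions (not stated in the article): standard IRC ports, and a session
# length typical of a bot idling in a channel waiting for commands.
IRC_PORTS = {6667, 6697}
IRC_LONG_LIVED_SECS = 3600
# C2 host from the report, defanged there as chat.juicessh[.]pro
KNOWN_C2_HOSTS = {"chat.juicessh[.]pro".replace("[.]", ".")}


@dataclass
class Finding:
    host: str
    pid: int
    proc: str
    reason: str


def parse_conn_log(text):
    """Parse the whitespace-separated sample format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, pid, proc, dst, port, dur = line.split()
        records.append((host, int(pid), proc, dst, int(port), int(dur)))
    return records


def find_irc_c2_candidates(text):
    """Return one Finding per record matching a known C2 host or a
    long-lived Perl process talking to an IRC port."""
    findings = []
    for host, pid, proc, dst, port, dur in parse_conn_log(text):
        if dst in KNOWN_C2_HOSTS:
            findings.append(Finding(host, pid, proc, f"known C2 host {dst}"))
        elif proc == "perl" and port in IRC_PORTS and dur >= IRC_LONG_LIVED_SECS:
            findings.append(Finding(host, pid, proc, f"long-lived perl IRC session to {dst}:{port}"))
    return findings
```

The known-host match catches the named infrastructure; the behavioural rule is there for the same bot pointed at an IRC server not yet on a blocklist.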


RUBYCARP’s arrival on the cyber threat scene is not surprising, given its ability to leverage the botnet to fuel various illicit revenue streams, such as crypto mining and phishing operations aimed at stealing credit card numbers.

While it appears that stolen credit card data is being used to purchase attack infrastructure, there is also the possibility that the information could be monetized through other means by selling it into the cybercrime underground.

“These threat actors are also involved in developing and selling cyber weapons, which is not very common,” Sysdig said. “They have a large arsenal of tools accumulated over the years, which gives them some flexibility in carrying out their operations.”
