
A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet used to conduct cryptocurrency mining, distributed denial-of-service (DDoS), and phishing attacks.
In a report shared with The Hacker News, Sysdig said the group is believed to have been active for at least 10 years, using botnets for financial gain.
“The primary method of operation is to exploit botnets deployed using various public vulnerabilities and brute force attacks,” the cloud security company said. “The group communicates via public and private IRC networks.”
Evidence collected so far suggests that RUBYCARP may overlap with another threat cluster called Outlaw, tracked by Albanian cybersecurity firm Alphatechs, which has a history of conducting cryptocurrency mining and brute-force attacks before turning to phishing and spear-phishing campaigns that cast a wide net.

“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.
One notable aspect of RUBYCARP's tradecraft is the use of malware called ShellBot (also known as PerlBot) to breach the target environment. The group has also been observed exploiting security vulnerabilities in the Laravel framework (e.g., CVE-2021-3129), a technique also used by other threat actors such as AndroxGh0st.

Sysdig said it found signs of WordPress sites being compromised using common usernames and passwords, suggesting attackers are expanding their arsenal of initial access methods to increase the size of the botnet.
“Once access is gained, a backdoor based on the popular Perl ShellBot is installed,” the company said. “The victim’s server then connects to an [Internet Relay Chat] server that acts as command-and-control and joins the larger botnet.”
The botnet is estimated to comprise more than 600 hosts, with an IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. The group relies heavily on IRC for general communications as well as for managing its botnet and coordinating cryptocurrency mining activities.
In addition, members of the group (who go by names such as Juice_, Eugen, Catalin, MUIE, and Smecher) have been spotted communicating through an Undernet IRC channel called #cristi. Mass scanner tools are also used to find new potential hosts.
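The intrusion chain described above (credential guessing against WordPress logins, followed by a Perl backdoor that connects out to an IRC server) leaves two observable traces a defender can look for. The following is an added example written for this article, not Sysdig's or RUBYCARP's code: it flags sources that repeatedly fail to log in to wp-login.php within a short window (assuming combined-format web server logs, where WordPress returns HTTP 200 for a failed login and a 302 redirect for a successful one), and flags established connections to common IRC ports from `ss -tnp` output. All log lines, IP addresses, ports and process IDs are constructed for illustration.

```python
"""Detection helpers for the RUBYCARP-style chain described above.
Added example; sample data below is constructed, not from the report."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the web server writes Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: `ss -tnp` output; the users:(...) column is present when run as root.
SS_RE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed sample: one source fails five times in ten seconds, then succeeds;
# a second source logs in once without prior failures (normal behaviour).
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [01/May/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2845',
    '198.51.100.7 - - [01/May/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2845',
    '192.0.2.20 - - [01/May/2023:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/May/2023:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2845',
    '192.0.2.20 - - [01/May/2023:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/May/2023:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2845',
    '198.51.100.7 - - [01/May/2023:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2845',
    '198.51.100.7 - - [01/May/2023:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

# Constructed sample: a perl process holding a connection to port 6667,
# beside an ordinary HTTPS connection from curl.
SAMPLE_SS = [
    'ESTAB 0 0 10.0.0.5:41234 203.0.113.10:6667 users:(("perl",pid=4321,fd=3))',
    'ESTAB 0 0 10.0.0.5:55120 203.0.113.44:443 users:(("curl",pid=4400,fd=5))',
]


def detect_wp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: {"failures": n, "success_after": bool}} for sources with at
    least `threshold` failed wp-login.php POSTs inside a sliding `window`.
    A 302 from an already-flagged source means a credential was likely guessed."""
    failures = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip, status = m["ip"], m["status"]
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = failures[ip]
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if status == "200":  # failed login: form re-rendered
            q.append(ts)
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif status == "302" and ip in flagged:  # success after brute force
            flagged[ip]["success_after"] = True
    return flagged


def detect_irc_connections(ss_lines, ports=IRC_PORTS):
    """Return established connections whose peer port is a common IRC port,
    with the owning process name and PID when `ss` reported them."""
    found = []
    for line in ss_lines:
        m = SS_RE.match(line)
        if not m:
            continue
        _, _, port = m["peer"].rpartition(":")
        if port.isdigit() and int(port) in ports:
            found.append({
                "peer": m["peer"],
                "proc": m["proc"] or "?",
                "pid": int(m["pid"]) if m["pid"] else None,
            })
    return found


if __name__ == "__main__":
    print("brute force:", detect_wp_bruteforce(SAMPLE_ACCESS_LOG))
    print("irc:", detect_irc_connections(SAMPLE_SS))
```

Both checks are heuristics: a legitimate user who mistypes a password a few times stays under the threshold, and a host that genuinely uses IRC will match the port check, so the process name (a Perl interpreter on a web server that has no reason to run one) is the signal worth escalating on, not the port alone.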

RUBYCARP’s emergence in the cyber threat landscape is not surprising given their ability to leverage botnets to drive a variety of illicit revenue streams, such as cryptocurrency mining and phishing operations to steal credit card numbers.
While stolen credit card information appears to have been used to purchase attack infrastructure, it is also possible that the information is monetized in other ways by being sold in the cybercriminal underground.
“It’s not uncommon for these threat actors to also be involved in the development and sale of cyber weapons,” Sysdig said. “They have a vast array of tools that they have accumulated over the years, which gives them considerable flexibility in how they conduct their operations.”