10 April 2024

Romanian threat actors run decade-long botnet operation


Romanian threat actors run decade-long botnet operation

Security researchers have published details about a sophisticated and long-running botnet operation orchestrated by a Romanian threat group.

Dubbed ‘RUBYCARP’, the group is believed to have been active for over a decade. It employs a diverse array of tactics focused on financial gain through cryptomining and phishing.

The modus operandi of RUBYCARP includes the deployment of botnets, facilitated by the exploitation of various public exploits and brute force attacks. The group is known to communicate through both public and private IRC networks, where it not only coordinates its operations but also develops hacking tools and targeting data, according to the Sysdig Threat Research Team (Sysdig TRT).

The group is financially motivated and engages in various illicit activities like cryptomining, distributed denial-of-service (DDoS) attacks, and phishing. The threat actor has been observed targeting credit cards through its phishing operations.

Some evidence points to a potential link between RUBYCARP and another hacking group named ‘Outlaw,’ however, the precise attribution is difficult as many botnet operators share tactics, techniques, and procedures (TTPs). Moreover, the frequent use of Shellbot by RUBYCARP adds another layer of complexity to attribution efforts.

The group has been observed exploiting vulnerabilities in Laravel applications, particularly CVE-2021-3129, and SSH brute forcing and targeting of WordPress sites using compromised credentials.

Once access is gained, RUBYCARP installs a backdoor based on the popular Perl Shellbot, establishing a connection to an IRC server acting as a command-and-control (C2) center. The analysis found 39 variants of the Perl file, but only eight were detected in VirusTotal, the researchers noted.

Sysdig said they discovered over 600 compromised hosts.

“The infrastructure we discovered for RUBYCARP is comprised of a significant number of malicious IPs and domains, rotated regularly and often replaced and emptied of its malicious content as soon as any potential research activity was detected RUBYCARP uses multiple IRC networks for general communications, but also to manage its botnets and coordinate cryptomining campaigns,” the researchers said.

Back to the list

Latest Posts

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

The flaw involves Foxit PDF Reader's handling of pop-up messages.
20 May 2024
China-linked APT group uses malware to spy on commercial shipping

China-linked APT group uses malware to spy on commercial shipping

Mustang Panda infiltrated the computer systems of cargo shipping companies in Norway, Greece, and the Netherlands.
20 May 2024
The Grandoreiro malware is back up and running after January disruption

The Grandoreiro malware is back up and running after January disruption

Grandoreiro now targets over 1,500 banks worldwide, spanning more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific region.
20 May 2024