A Romanian botnet group named 'RUBYCARP' is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain.
According to a new report by Sysdig, RUBYCARP currently operates a botnet of over 600 compromised servers, managed via private IRC channels.
Sysdig has found 39 variants of the RUBYCARP botnet's Perl-based payload, with only eight appearing on VirusTotal, illustrating low detection rates for the activity.
The researchers have noted some associations with the Outlaw APT threat group, though the link is loose and based on common tactics used across botnets.
Sysdig reports that it has been detecting RUBYCARP's probes to its honeypots for several months, targeting Laravel applications via CVE-2021-3129, a remote code execution vulnerability.
More recently, the analysts observed RUBYCARP brute-forcing SSH servers and targeting WordPress sites using credential dumps.
Once the shellbot payload is installed on a compromised server, it connects to the IRC-based command and control server and becomes part of the botnet.
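The three footholds described above each leave a distinct trace on the victim: probes for CVE-2021-3129 hit the Ignition endpoint `/_ignition/execute-solution` in the web server's access log, SSH brute forcing produces bursts of `Failed password` lines in `auth.log`, and the Perl shellbot holds an outbound IRC session once installed. The following triage script is an added example, not code from the article or from Sysdig's report; the log lines and connection table are constructed samples, and the one-minute window, five-failure threshold and IRC port list are assumptions a defender would tune for their own environment.

```python
"""Triage helpers for the RUBYCARP intrusion indicators (added example; constructed samples)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format web access log (constructed samples; 203.0.113.7 is the probe source).
ACCESS_LOG = """\
203.0.113.7 - - [08/Apr/2024:10:12:01 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.3 - - [08/Apr/2024:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2024:10:12:09 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 87 "-" "python-requests/2.31"
"""

# sshd lines as written to /var/log/auth.log (constructed samples).
AUTH_LOG = """\
Apr  8 10:20:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr  8 10:20:02 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 40123 ssh2
Apr  8 10:20:03 web1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40124 ssh2
Apr  8 10:20:04 web1 sshd[1204]: Failed password for invalid user ubuntu from 203.0.113.7 port 40125 ssh2
Apr  8 10:20:05 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 40126 ssh2
Apr  8 10:25:00 web1 sshd[1210]: Failed password for alice from 198.51.100.3 port 51000 ssh2
Apr  8 10:25:30 web1 sshd[1211]: Accepted password for alice from 198.51.100.3 port 51001 ssh2
"""

# Established TCP sessions in `ss -tnp` style: (local, remote, owning process). Constructed.
CONNECTIONS = [
    ("10.0.0.5:44110", "192.0.2.9:6667", "perl"),
    ("10.0.0.5:44111", "192.0.2.10:443", "nginx"),
]

# Ports conventionally used by IRC servers (assumption: a bot may use any port).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SSH_FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port'
)


def find_ignition_probes(log_text):
    """Return (ip, method, status) for every request to the Ignition 'execute-solution'
    endpoint that CVE-2021-3129 abuses. No legitimate client posts there from the
    internet, so any hit is worth a look regardless of the status code returned."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path == "/_ignition/execute-solution":
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits


def find_ssh_bruteforce(log_text, threshold=5, window=timedelta(minutes=1), year=2024):
    """Return {ip: sorted usernames tried} for sources with at least `threshold`
    failed logins inside any `window`-long span. syslog lines carry no year, so
    the caller supplies one (assumption: all lines fall in that year)."""
    stamps_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m.group("ts").split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        stamps_by_ip[m.group("ip")].append(ts)
        users_by_ip[m.group("ip")].add(m.group("user"))

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        # Slide a window of `threshold` failures; flag if any fits inside `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[ip] = sorted(users_by_ip[ip])
                break
    return flagged


def find_irc_beacons(conns):
    """Return (remote, process) for established sessions to IRC ports. A web server
    has no reason to hold an outbound IRC session, and the shellbot is a Perl script,
    so a session owned by `perl` is the C2 channel the report describes."""
    return [
        (remote, proc)
        for _local, remote, proc in conns
        if int(remote.rsplit(":", 1)[1]) in IRC_PORTS
    ]


if __name__ == "__main__":
    print("Ignition probes:", find_ignition_probes(ACCESS_LOG))
    print("SSH brute force:", find_ssh_bruteforce(AUTH_LOG))
    print("IRC sessions:", find_irc_beacons(CONNECTIONS))
```

The IRC check is the weakest of the three: nothing stops an operator from running IRC on 443, so on a real host pair it with a check for the IRC handshake verbs (`NICK`, `USER`, `JOIN`) in captured traffic, or simply with an allow-list of processes permitted to open outbound connections from a web server at all.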
The researchers have discovered three distinct botnet clusters, namely 'Juice,' 'Cartier,' and 'Aridan,' which are likely used for different purposes.
Sysdig also notes that the attackers rotate their infrastructure frequently to evade detection and blocks, with a list of the mapped infrastructure found on this GitHub page.
Newly infected devices can be used to launch distributed denial of service attacks, phishing and financial fraud, and to mine cryptocurrency.
RUBYCARP uses NanoMiner, XMRig, and a custom miner named C2Bash to mine cryptocurrencies such as Monero, Ethereum, and Ravencoin using the victim's computational resources.
The threat group also uses phishing to steal financial information such as credit card numbers.
They achieve this by deploying phishing templates on compromised servers or sending phishing emails from them, targeting individuals or organizations with deceptive messages.
The phishing templates used in the latest campaign indicate a European targeting scope, including the Swiss Bank, Nets Bank, and Bring Logistics.
Though RUBYCARP is not among the largest botnet operators out there, the fact that they have managed to operate largely undetected for over a decade shows a degree of stealth and operational security.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 09 Apr 2024 15:30:09 +0000