RUBYCARP hackers linked to 10-year-old cryptomining botnet

A Romanian botnet group named 'RUBYCARP' is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain.
According to a new report by Sysdig, RUBYCARP currently operates a botnet managed via private IRC channels comprising over 600 compromised servers.
Sysdig has found 39 variants of the RUBYCARP botnet's Perl-based payload, with only eight appearing on VirusTotal, illustrating low detection rates for the activity.
The researchers have noted some associations with the Outlaw APT threat group, though the link is loose and based on common tactics used across botnets.
Sysdig reports that it has been detecting RUBYCARP's probes to its honeypots for several months, targeting Laravel applications via CVE-2021-3129, a remote code execution vulnerability.
More recently, the analysts observed RUBYCARP performing brute-forcing SSH servers and targeting WordPress sites using credential dumps.
Once the shellbot payload is installed on a compromised server, it connects to the IRC-based command and control server and becomes part of the botnet.
The researchers have discovered three distinct botnet clusters, namely 'Juice,' 'Cartier,' and 'Aridan,' which are likely used for different purposes.
Sysdig also notes that the attackers rotate their infrastructure frequently to evade detection and blocks, with a list of the mapped infrastructure found on this GitHub page.
Newly infected devices can be used to launch distributed denial of service attacks, phishing and financial fraud, and to mine cryptocurrency.
RUBYCARP uses the NanoMiner, XMrig, and a custom miner named C2Bash to mine cryptocurrencies like Monero, Ethereum, and Ravencoin, using the victim's computational resources.
The threat group also uses phishing to steal financial information such as credit card numbers.
They achieve this by deploying phishing templates on compromised servers or sending phishing emails from them, targeting individuals or organizations with deceptive messages.
The phishing templates used in the latest campaign indicate a European targeting scope, including the Swiss Bank, Nets Bank, and Bring Logistics.
Though RUBYCARP is not among the largest botnet operators out there, the fact that they have managed to operate largely undetected for over a decade shows a degree of stealth and operational security.
Cisco warns of password-spraying attacks targeting VPN services.
Hackers exploit Ray framework flaw to breach servers, hijack resources.
TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service.
New Latrodectus malware replaces IcedID in network breaches.
Visa warns of new JSOutProx malware variant targeting financial orgs.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 09 Apr 2024 15:30:09 +0000


Cyber News related to RUBYCARP hackers linked to 10-year-old cryptomining botnet

RUBYCARP hackers linked to 10-year-old cryptomining botnet - A Romanian botnet group named 'RUBYCARP' is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain. According to a new report by Sysdig, RUBYCARP currently operates a ...
8 months ago Bleepingcomputer.com
Research Unearths RUBYCARP's Multi-Miner Assault on Crypto - A recent research study has shed light on the decade-long activities of a Romanian cyber threat group known as RUBYCARP, which uses techniques such as cryptocurrency mining and phishing. One of the key findings from the technical write-up, published ...
8 months ago Infosecurity-magazine.com
Feds Disrupt Botnet Used by Russian APT28 Hackers - Federal law enforcement kicked Russian state hackers off a botnet comprising at least hundreds of home office and small office routers that had been pulled together by a cybercriminal group and co-opted by the state-sponsored spies. APT28, an ...
10 months ago Securityboulevard.com
RedTail Malware Abuses Palo Alto Flaw in Latest Cryptomining Campaign - Hackers with possible ties to the notorious North Korea-linked Lazarus Group are exploiting a recent critical vulnerability in Palo Alto Network's PAN-OS software to run a sophisticated cryptomining operation that likely has nation-state backing. In ...
6 months ago Securityboulevard.com
Stealthy KV-botnet hijacks SOHO routers and VPN devices - The Chinese state-sponsored APT hacking group known as Volt Typhoon has been linked to a sophisticated botnet named 'KV-botnet' since at least 2022 to attack SOHO routers in high-value targets. Volt Typhoon commonly targets routers, firewalls, and ...
1 year ago Bleepingcomputer.com
FBI disrupts Moobot botnet used by Russian military hackers - The FBI took down a botnet of small office/home office routers used by Russia's Main Intelligence Directorate of the General Staff in spearphishing and credential theft attacks targeting the United States and its allies. This network of hundreds of ...
10 months ago Bleepingcomputer.com
"Largest Botnet Ever" Disrupted. 911 S5's Alleged Mastermind Arrested - A vast network of millions of compromised computers, being used to facilitate a wide range of cybercrime, has been disrupted by a multinational law enforcement operation. 35-year-old YunHe Wang, a dual citizen of China and St. Kitts and Nevis, is ...
6 months ago Tripwire.com
Massive 911 S5 Botnet Dismantled, Chinese Mastermind Arrested - The US Justice Department announced on Wednesday that the massive 911 S5 proxy botnet has been dismantled and its alleged administrator, a Chinese national, has been arrested. The Treasury Department earlier this week announced sanctions against ...
6 months ago Packetstormsecurity.com
Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov't Entities - Researchers have discovered an Internet of Things botnet linked with attacks against multiple US government and communications organizations. It comes built with a series of stealth mechanisms and the ability to spread further into local area ...
1 year ago Darkreading.com
New botnet malware exploits two zero-days to infect NVRs and routers - A new Mirai-based malware botnet named 'InfectedSlurs' has been exploiting two zero-day remote code execution vulnerabilities to infect routers and video recorder devices. The malware hijacks the devices to make them part of its DDoS swarm, ...
1 year ago Bleepingcomputer.com
Russian admits building now-dismantled IPStorm proxy botnet The Register - The FBI says it has dismantled another botnet after collaring its operator, who admitted hijacking tens of thousands of machines around the world to create his network of obedient nodes. Sergei Makinin, a Russian and Moldovan national, was cuffed in ...
1 year ago Theregister.com
US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon - The US government on Wednesday announced a major takedown of a botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Chinese state-backed hackers as a covert communications channel. The disruption comes ...
10 months ago Securityweek.com
Feds go Fancy Bear hunting, take down Russia's GRU botnet The Register - The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets. Moobot ...
10 months ago Go.theregister.com
Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet - Malware hunters in the United States have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting ...
1 year ago Securityweek.com
Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet - Malware hunters in the United States have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting ...
1 year ago Packetstormsecurity.com
US dismantles 911 S5 botnet used for cyberattacks, arrests admin - The U.S. Justice Department and international partners dismantled the 911 S5 proxy botnet and arrested 35-year-old Chinese national YunHe Wang, its administrator. As early as 2011, Wang and his conspirators pushed malware onto victims' devices using ...
6 months ago Bleepingcomputer.com
Chinese hackers hid in US infrastructure network for 5 years - The Chinese Volt Typhoon cyber-espionage group infiltrated a critical infrastructure network in the United States and remained undetected for at least five years before being discovered, according to a joint advisory from CISA, the NSA, the FBI, and ...
10 months ago Bleepingcomputer.com
Bigpanzi botnet infects 170,000 Android TV boxes with malware - A previously unknown cybercrime syndicate named 'Bigpanzi' has been making significant money by infecting Android TV and eCos set-top boxes worldwide since at least 2015. Beijing-based Qianxin Xlabs reports that the threat group controls a ...
11 months ago Bleepingcomputer.com
Ukrainian arrested for infecting US cloud provider with cryptomining malware - A 29-year-old hacker from the southern city of Mykolaiv is believed to have illicitly mined over $2 million in cryptocurrency over the past two years. The police said they searched the suspect's three properties, seizing his computer equipment, bank ...
11 months ago Therecord.media
Hackers Compromised Over 1,200 Redis Database Servers - A new type of malware, designed to target vulnerable Redis servers on the internet, has been spreading rapidly since September 2021. This is a quick-spreading malware, designed to operate stealthily, that has already infiltrated over thousand ...
1 year ago Cybersecuritynews.com
The Most Dangerous People on the Internet in 2023 - It was a banner year for chaos, present and impending, and all reflected in the digital mirror. Each year, WIRED assembles a list of the most dangerous people, groups, and organizations on the internet-both those who intentionally endanger innocent ...
11 months ago Wired.com
P2PInfect Botnet Is Now Targeting MIPS-Based IoT Devices - The operator behind the growing P2PInfect botnet is turning their focus to Internet of Things and routers running the MIPS chip architecture, expanding their list of targets and offering more evidence that the malware is an experienced threat actor. ...
1 year ago Securityboulevard.com
Botnet Struck U.S. Routers; Here's How to Keep Employees Safe - State-sponsored hackers affiliated with China have targeted small office/home office routers in the U.S. in a wide-ranging botnet attack, Federal Bureau of Investigation Director Christopher Wray announced on Wednesday, Jan. 31. Most of the affected ...
10 months ago Techrepublic.com
US govt sanctions cybercrime gang behind massive 911 S5 botnet - Researchers at the Canadian University of Sherbrooke revealed almost two years ago, in June 2022, that this illegitimate residential proxy service lured potential victims by offering free VPN services to install malware designed to add their IP ...
6 months ago Bleepingcomputer.com
US govt sanctions cybercrime gang behind massive 911 S5 botnet - Researchers at the Canadian University of Sherbrooke revealed almost two years ago, in June 2022, that this illegitimate residential proxy service lured potential victims by offering free VPN services to install malware designed to add their IP ...
6 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)