Invisible Romanian hackers have been terrorizing European companies for 10 years

RUBYCARP's cyber arsenal includes over 600 infected servers and an extensive set of malicious tools.

A group of cybercriminals from Romania, tracked as "RUBYCARP", exploits known vulnerabilities and brute-forces credentials to break into corporate networks and servers for financial gain, according to a recent report by Sysdig. RUBYCARP currently operates a botnet of more than 600 infected servers, controlled through private IRC channels.

The researchers found 39 variants of the Perl-based RUBYCARP bot payload, but only 8 of them were detected on VirusTotal at the time the report was released. The researchers also note that the group has been active for more than a decade.

The report also mentions possible links between RUBYCARP and the Outlaw group, although these links are weak and rest mainly on the similar tactics used by the two botnets.

The latest RUBYCARP campaign included targeted attacks against Laravel applications through the remote code execution vulnerability CVE-2021-3129 (in the Ignition debug component), brute-forcing of SSH servers, and credential attacks on WordPress sites using harvested account databases.
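The three initial-access vectors named above all leave traces in ordinary server logs. The script below is an added example (not code from the article or from Sysdig's report) that runs simple detection logic over constructed nginx access-log and OpenSSH auth.log lines: it flags any request to the Laravel `/_ignition/` debug endpoints (the public CVE-2021-3129 exploit chain POSTs to `/_ignition/execute-solution`, which should be unreachable when `APP_DEBUG=false`), repeated SSH password failures from one source, and bursts of POSTs to `wp-login.php`/`xmlrpc.php`. The thresholds, sample IPs and log lines are assumptions for illustration.

```python
"""Detect RUBYCARP-style initial-access attempts in web and SSH logs.

Added example; thresholds and sample log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# nginx/apache combined log format: client IP, request line, status code
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# OpenSSH failed-password lines (with or without "invalid user")
SSHD_FAIL_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)

SSH_THRESHOLD = 5  # failures from one IP before we call it brute force (assumed)
WP_THRESHOLD = 5   # login POSTs from one IP before we call it credential stuffing (assumed)


def scan_access_log(lines):
    """Return (ignition_hits, wp_bruteforce_ips).

    ignition_hits: every request touching /_ignition/ (CVE-2021-3129 exploit surface).
    wp_bruteforce_ips: sources with >= WP_THRESHOLD POSTs to WordPress login endpoints.
    """
    ignition = []
    wp_posts = Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group("ip", "method", "path", "status")
        if path.startswith("/_ignition/"):
            ignition.append((ip, method, path, status))
        bare_path = path.split("?", 1)[0]
        if method == "POST" and bare_path.endswith(("/wp-login.php", "/xmlrpc.php")):
            wp_posts[ip] += 1
    wp_ips = sorted(ip for ip, n in wp_posts.items() if n >= WP_THRESHOLD)
    return ignition, wp_ips


def scan_auth_log(lines):
    """Return {ip: (failure_count, sorted usernames tried)} for sources over SSH_THRESHOLD."""
    failures = Counter()
    users = defaultdict(set)
    for line in lines:
        m = SSHD_FAIL_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: (n, sorted(users[ip])) for ip, n in failures.items() if n >= SSH_THRESHOLD}


# Constructed sample data (not real victim logs): one Ignition exploit attempt,
# one benign request, and six WordPress login POSTs from a single source.
SAMPLE_ACCESS = """\
203.0.113.7 - - [10/Apr/2024:09:14:02 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 1203 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2024:09:14:03 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.2 - - [10/Apr/2024:09:15:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""" + "".join(
    f'198.51.100.9 - - [10/Apr/2024:09:2{i}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"\n'
    for i in range(6)
)

# Constructed auth.log: five failures from one source, one benign key login, one stray failure.
SAMPLE_AUTH = """\
Apr 10 09:30:01 srv sshd[1201]: Failed password for root from 192.0.2.50 port 51001 ssh2
Apr 10 09:30:02 srv sshd[1202]: Failed password for root from 192.0.2.50 port 51002 ssh2
Apr 10 09:30:03 srv sshd[1203]: Failed password for invalid user admin from 192.0.2.50 port 51003 ssh2
Apr 10 09:30:04 srv sshd[1204]: Failed password for invalid user ubuntu from 192.0.2.50 port 51004 ssh2
Apr 10 09:30:05 srv sshd[1205]: Failed password for invalid user test from 192.0.2.50 port 51005 ssh2
Apr 10 09:30:06 srv sshd[1206]: Accepted publickey for deploy from 198.51.100.2 port 40000 ssh2
Apr 10 09:31:00 srv sshd[1207]: Failed password for deploy from 198.51.100.2 port 40001 ssh2
"""

if __name__ == "__main__":
    ignition, wp_ips = scan_access_log(SAMPLE_ACCESS.splitlines())
    print("Ignition (CVE-2021-3129) requests:", ignition)
    print("WordPress credential attacks from:", wp_ips)
    print("SSH brute force:", scan_auth_log(SAMPLE_AUTH.splitlines()))
```

Any hit on `/_ignition/` in a production log is worth treating as an incident regardless of status code: a 500 usually means the exploit chain failed on that attempt, while a 200 on `execute-solution` means the debug handler was reachable and the follow-up request should be assumed to have run code.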

Once the malware is installed on a compromised server, it connects to an IRC-based command-and-control (C2) server and joins the botnet. The researchers identified three separate botnet clusters, "Juice", "Cartier" and "Aridan", each probably used for a different purpose.
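Because the bots speak plain IRC to their C2, a network sensor can recognise the protocol itself instead of relying on the well-known ports 6667/6697, which an operator can trivially change. The following is an added example (not from the article or Sysdig's report): a small RFC 1459 line parser plus a heuristic that classifies one direction of a reassembled TCP payload as IRC when it contains enough well-formed IRC commands or numeric replies, and extracts the nick and channel names as indicators for further hunting. The sample payloads, nick and channel names are constructed; they are not indicators from the real campaign.

```python
"""Port-independent IRC C2 detector for reassembled TCP payloads.

Added example; sample payloads and names below are constructed, not real IOCs.
"""

IRC_CMDS = {
    "PASS", "NICK", "USER", "JOIN", "PART", "MODE", "TOPIC", "PRIVMSG",
    "NOTICE", "PING", "PONG", "QUIT", "WHO",
}


def parse_irc_line(line: str):
    """Parse one IRC message: [':' prefix ' '] command {' ' param} [' :' trailing].

    Returns (prefix, COMMAND, params) or None if the line is not well-formed IRC.
    Commands must be alphabetic words or 3-digit numeric server replies.
    """
    line = line.rstrip("\r\n")
    if not line:
        return None
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    command, params = parts[0], parts[1:]
    if sep:
        params.append(trailing)  # trailing param may contain spaces
    if not (command.isalpha() or (len(command) == 3 and command.isdigit())):
        return None  # e.g. "HTTP/1.1" or "Host:" are not IRC commands
    return prefix, command.upper(), params


def classify_payload(payload: bytes, min_hits: int = 2):
    """Return (is_irc, indicators) for one direction of a TCP stream.

    A line counts as a hit when it parses and its command is a known client
    command or a numeric server reply; min_hits lines => classified as IRC.
    """
    hits = 0
    indicators = {"nicks": set(), "channels": set()}
    for raw in payload.split(b"\n"):
        parsed = parse_irc_line(raw.decode("latin-1"))  # latin-1 never raises
        if parsed is None:
            continue
        _, cmd, params = parsed
        if cmd in IRC_CMDS or cmd.isdigit():
            hits += 1
        if cmd == "NICK" and params:
            indicators["nicks"].add(params[0])
        if cmd == "JOIN" and params:
            indicators["channels"].update(
                c for c in params[0].split(",") if c.startswith(("#", "&"))
            )
    return hits >= min_hits, indicators


# Constructed bot handshake as it might appear on an arbitrary port.
SAMPLE_BOT = (
    b"NICK bot-x86_64\r\n"
    b"USER perl localhost localhost :perl bot\r\n"
    b"JOIN #ops,#bots\r\n"
    b"PRIVMSG #ops :uptime 4d load 0.91\r\n"
)

# Constructed benign HTTP request for comparison: must not be classified as IRC.
SAMPLE_HTTP = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for name, payload in (("bot", SAMPLE_BOT), ("http", SAMPLE_HTTP)):
        is_irc, ind = classify_payload(payload)
        print(name, "IRC" if is_irc else "not IRC", ind)
```

On a real sensor, feed `classify_payload` the first kilobyte of each new TCP stream in both directions; the server side of an IRC session is recognised by its numeric replies (`001`-`005` on connect), so a bot that sends only `PING`/`PONG` keepalives is still caught from the other direction. Tune `min_hits` upward if you see false positives from chat-like plaintext protocols.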

Infected machines can be used for distributed denial-of-service (DDoS) attacks, phishing, financial fraud, and cryptocurrency mining. RUBYCARP uses NanoMiner, XMRig, and its own tool, C2Bash, to mine cryptocurrencies such as Monero, Ethereum, and Ravencoin with the victims' computing power.

The group also uses phishing to steal financial information, deploying ready-made phishing templates on infected servers. In the latest campaign, the templates targeted European companies, including Swiss Bank, Nets Bank and Bring Logistics.

Although RUBYCARP is not among the largest botnet operators, the group's ability to operate almost unnoticed for more than a decade points to a high level of stealth and operational security.

Beyond running the botnet, Sysdig reports that the group also develops and sells hacking tools, which points to an extensive arsenal of malware at its disposal.