Tuesday, October 15, 2024
HomeBotnetRUBYCARP the SSH Brute Botnet Resurfaces With New Tools

RUBYCARP the SSH Brute Botnet Resurfaces With New Tools

Published on

Malware protection

The cybersecurity community is again on high alert as the notorious botnet group RUBYCARP, known for its SSH brute force attacks, has resurfaced with new tools and tactics.

The Sysdig Threat Research Team (Sysdig TRT) has been closely monitoring the activities of this Romanian threat actor group, which has been active for over a decade and has recently uncovered significant developments in its operations.

CVE-2021-3129: A Gateway for RUBYCARP

At the heart of RUBYCARP’s resurgence is exploiting a critical vulnerability in Laravel applications, CVE-2021-3129.

- Advertisement - SIEM as a Service

This vulnerability has been a focal point for the group’s targeting and exploitation efforts, allowing them to gain unauthorized access to systems and expand their botnet.

In addition to exploiting CVE-2021-3129, RUBYCARP has been using SSH brute force attacks to enter target networks.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The group’s persistence and evolution of tactics underscore the importance of patching known vulnerabilities and strengthening SSH security measures to thwart such attacks.

The latest findings from Sysdig TRT indicate that RUBYCARP has not only continued its traditional brute force and exploitation activities but also added new techniques to its repertoire.

The group now utilizes a backdoor based on the popular Perl Shellbot, connecting victim servers to an IRC server that acts as command and control, thereby joining the more giant botnet.

RUBYCARP continues to add new exploitation techniques to its arsenal to build its botnets
RUBYCARP continues to add new exploitation techniques to its arsenal to build its botnets

RUBYCARP’s toolset has expanded, with the discovery of 39 Perl file (shellbot) variants, although only eight were previously detected by VirusTotal.

The group’s communication strategies have also evolved. They use public and private IRC networks to manage their botnets and coordinate crypto-mining campaigns.

The group has been actively involved in crypto mining operations, using its pools hosted on the exact domains as their IRC servers.

This strategy allows them to evade detection from IP-based blocklists and utilize standard and random ports for further stealth.

Diversified Cryptocurrency Mining

The group has not limited itself to a single cryptocurrency; instead, it engages in mining operations for Monero, Ethereum, and Ravencoin.

The Ravencoin wallet associated with RUBYCARP has been particularly active, with over $22,800 received in transactions.

user “porno” claimed to have gained 0.00514903 BTC, around USD 360, within 24 hours
user “porno” claimed to have gained 0.00514903 BTC, around USD 360, within 24 hours

Beyond crypto mining, RUBYCARP has been executing sophisticated phishing operations to steal financially valuable assets, such as credit card numbers.

Evidence suggests that the group uses these stolen assets to fund its infrastructure and possibly for resale.

Phishing templates impersonating legitimate European companies, such as the Danish logistics company “Bring,” have been identified in RUBYCARP’s attacks.

Identified a phishing template (letter.html) targeting Danish users and impersonating the Danish logistics company “Bring.”
Identified a phishing template (letter.html) targeting Danish users and impersonating the Danish logistics company “Bring.”

The group targets European entities, including banks and logistics companies, to collect payment information.

The resurgence of RUBYCARP with new tools and techniques is a stark reminder of the persistent threat posed by sophisticated cybercriminal groups.

Defending against such actors requires a proactive approach to vulnerability management, robust security postures, and advanced runtime threat detection capabilities.

As the cybersecurity community continues to grapple with the challenges posed by groups like RUBYCARP, organizations must remain vigilant and prepared to respond to the evolving threat landscape.

For more information on RUBYCARP and to stay updated on the latest cybersecurity threats, follow our dedicated news coverage and expert analysis. Stay safe and informed in the digital age.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...