RUBYCARP the SSH Brute Botnet Resurfaces With New Tools

The cybersecurity community is again on high alert as the notorious botnet group RUBYCARP, known for its SSH brute force attacks, has resurfaced with new tools and tactics.

The Sysdig Threat Research Team (Sysdig TRT) has been closely monitoring the activities of this Romanian threat actor group, which has been active for over a decade and has recently uncovered significant developments in its operations.

CVE-2021-3129: A Gateway for RUBYCARP

At the heart of RUBYCARP’s resurgence is exploiting a critical vulnerability in Laravel applications, CVE-2021-3129.

This vulnerability has been a focal point for the group’s targeting and exploitation efforts, allowing them to gain unauthorized access to systems and expand their botnet.

In addition to exploiting CVE-2021-3129, RUBYCARP has been using SSH brute force attacks to enter target networks.

Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

Try Free Demo

The group’s persistence and evolution of tactics underscore the importance of patching known vulnerabilities and strengthening SSH security measures to thwart such attacks.

The latest findings from Sysdig TRT indicate that RUBYCARP has not only continued its traditional brute force and exploitation activities but also added new techniques to its repertoire.

The group now utilizes a backdoor based on the popular Perl Shellbot, connecting victim servers to an IRC server that acts as command and control, thereby joining the more giant botnet.

RUBYCARP’s toolset has expanded, with the discovery of 39 Perl file (shellbot) variants, although only eight were previously detected by VirusTotal.

The group’s communication strategies have also evolved. They use public and private IRC networks to manage their botnets and coordinate crypto-mining campaigns.

The group has been actively involved in crypto mining operations, using its pools hosted on the exact domains as their IRC servers.

This strategy allows them to evade detection from IP-based blocklists and utilize standard and random ports for further stealth.

Diversified Cryptocurrency Mining

The group has not limited itself to a single cryptocurrency; instead, it engages in mining operations for Monero, Ethereum, and Ravencoin.

The Ravencoin wallet associated with RUBYCARP has been particularly active, with over $22,800 received in transactions.

Beyond crypto mining, RUBYCARP has been executing sophisticated phishing operations to steal financially valuable assets, such as credit card numbers.

Evidence suggests that the group uses these stolen assets to fund its infrastructure and possibly for resale.

Phishing templates impersonating legitimate European companies, such as the Danish logistics company “Bring,” have been identified in RUBYCARP’s attacks.

The group targets European entities, including banks and logistics companies, to collect payment information.

The resurgence of RUBYCARP with new tools and techniques is a stark reminder of the persistent threat posed by sophisticated cybercriminal groups.

Defending against such actors requires a proactive approach to vulnerability management, robust security postures, and advanced runtime threat detection capabilities.

As the cybersecurity community continues to grapple with the challenges posed by groups like RUBYCARP, organizations must remain vigilant and prepared to respond to the evolving threat landscape.

For more information on RUBYCARP and to stay updated on the latest cybersecurity threats, follow our dedicated news coverage and expert analysis. Stay safe and informed in the digital age.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.