RUBYCARP the SSH Brute Botnet Resurfaces With New Tools

The cybersecurity community is again on high alert as the notorious botnet group RUBYCARP, known for its SSH brute force attacks, has resurfaced with new tools and tactics.

The Sysdig Threat Research Team (Sysdig TRT) has been closely monitoring the activities of this Romanian threat actor group, which has been active for over a decade and has recently uncovered significant developments in its operations.

CVE-2021-3129: A Gateway for RUBYCARP

At the heart of RUBYCARP’s resurgence is exploiting a critical vulnerability in Laravel applications, CVE-2021-3129.

This vulnerability has been a focal point for the group’s targeting and exploitation efforts, allowing them to gain unauthorized access to systems and expand their botnet.

In addition to exploiting CVE-2021-3129, RUBYCARP has been using SSH brute force attacks to enter target networks.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The group’s persistence and evolution of tactics underscore the importance of patching known vulnerabilities and strengthening SSH security measures to thwart such attacks.

The latest findings from Sysdig TRT indicate that RUBYCARP has not only continued its traditional brute force and exploitation activities but also added new techniques to its repertoire.

The group now utilizes a backdoor based on the popular Perl Shellbot, connecting victim servers to an IRC server that acts as command and control, thereby joining the more giant botnet.

RUBYCARP continues to add new exploitation techniques to its arsenal to build its botnets

RUBYCARP’s toolset has expanded, with the discovery of 39 Perl file (shellbot) variants, although only eight were previously detected by VirusTotal.

The group’s communication strategies have also evolved. They use public and private IRC networks to manage their botnets and coordinate crypto-mining campaigns.

The group has been actively involved in crypto mining operations, using its pools hosted on the exact domains as their IRC servers.

This strategy allows them to evade detection from IP-based blocklists and utilize standard and random ports for further stealth.

Diversified Cryptocurrency Mining

The group has not limited itself to a single cryptocurrency; instead, it engages in mining operations for Monero, Ethereum, and Ravencoin.

The Ravencoin wallet associated with RUBYCARP has been particularly active, with over $22,800 received in transactions.

user “porno” claimed to have gained 0.00514903 BTC, around USD 360, within 24 hours

Beyond crypto mining, RUBYCARP has been executing sophisticated phishing operations to steal financially valuable assets, such as credit card numbers.

Evidence suggests that the group uses these stolen assets to fund its infrastructure and possibly for resale.

Phishing templates impersonating legitimate European companies, such as the Danish logistics company “Bring,” have been identified in RUBYCARP’s attacks.

Identified a phishing template (letter.html) targeting Danish users and impersonating the Danish logistics company “Bring.”

The group targets European entities, including banks and logistics companies, to collect payment information.

The resurgence of RUBYCARP with new tools and techniques is a stark reminder of the persistent threat posed by sophisticated cybercriminal groups.

Defending against such actors requires a proactive approach to vulnerability management, robust security postures, and advanced runtime threat detection capabilities.

As the cybersecurity community continues to grapple with the challenges posed by groups like RUBYCARP, organizations must remain vigilant and prepared to respond to the evolving threat landscape.

For more information on RUBYCARP and to stay updated on the latest cybersecurity threats, follow our dedicated news coverage and expert analysis. Stay safe and informed in the digital age.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range of…

4 hours ago

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting U.S.…

13 hours ago

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the notorious…

14 hours ago

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool in…

17 hours ago

Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA

Cybercriminals are intensifying their efforts to undermine multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) attacks, leveraging…

18 hours ago

Threat Actors Target Critical National Infrastructure with New Malware and Tools

A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term…

19 hours ago