Sysdig digs up a ransomware gang in stealth for over a decade

The threat research team (TRT) of cloud security software provider Sysdig has discovered a Romania-based ransomware group, which it now tracks as Rubycarp, that has been active for a decade.

The threat actor, as discovered by Sysdig, operates primarily by deploying a botnet using a variety of public exploits and brute force attacks.

“This group communicates via public and private internet relay chat (IRC) networks, develops cyber weapons and targeting data, and uses its botnet for financial gain via multiple methods,” Sysdig said in a report on the findings.

Attribution of Rubycarp has been difficult for years because of the tools and targeting the group uses, Sysdig pointed out. “Rubycarp leverages Shellbot often during its operations, which can also cause attribution confusion since this tool is a common choice among threat actors,” the company added.

Laravel exploit for initial access

Rubycarp was discovered when the threat actor attacked Sysdig’s honeypots, deployed within its customer networks, while attempting to exploit a vulnerability in Laravel applications (CVE-2021-3129).

“In the recent advisory from CISA, the Androxgh0st threat actor’s choice to exploit Laravel is discussed,” Sysdig said. “This is another example of cybercriminal overlap, with Rubycarp notably targeting the same framework vulnerabilities. Many of these threat actors are fighting it out over the same target space, making it difficult to attribute attacks.”

Laravel is a free and open-source PHP-based web framework for building high-end web applications. The vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems.

The threat actor’s exploitation of Laravel applications also led Sysdig to evidence that the group uses secure shell (SSH) brute forcing as another way of gaining access to its targets.

“Recently, we also discovered evidence of the threat actor targeting WordPress sites using dumps of usernames and passwords. RUBYCARP continues to add new exploitation techniques to its arsenal in order to build its botnets,” Sysdig added.

The gang has gone under the radar for a long time, and Sysdig’s TRT is seemingly the first to uncover it. “TRT found their public IRC chats when they got access, so there’s insight into how the team brought on new potential hackers and trained them around the tooling and approach that the gang used too,” Sysdig said.

Financially motivated threat actor

Once access is obtained, a backdoor is installed based on the popular Perl Shellbot, Sysdig explained. The victim’s server is then connected to an IRC server acting as command and control (C2) and joins the larger botnet.

“During RUBYCARP’s reconnaissance phase, we found 39 variants of the Perl file (shellbot), but only eight were in VirusTotal. This means that only a few campaigns were previously detected,” the company added.

Rubycarp, according to the findings, is interested in payloads that enable financial gain, including cryptomining, DDoS, phishing, and ransomware campaigns.

“RUBYCARP uses its own pools for mining that are hosted on the same domains where it has created the IRC server to control the bots,” Sysdig said. “These custom mining pools allow it to avoid detection from IP-based blocklists, and the usage of common and random ports provides another layer of stealth from simple detection systems.”
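As an added illustration of the detection approach the report argues for (this is example code, not Sysdig’s), the Python below classifies outbound connections by protocol behaviour rather than by port or IP, flags a scripting interpreter performing an IRC handshake (the Shellbot-to-IRC-C2 pattern), and correlates mining (stratum) traffic with a host that also serves IRC, the pool-on-C2-domain pattern described above. The event records, hostnames and payloads are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the Sysdig report): one record per outbound
# connection, with the process that opened it and the first bytes it sent.
EVENTS = [
    {"proc": "perl", "host": "irc.example-c2.test", "port": 6667,
     "payload": "NICK bot1234\r\nUSER perl 8 * :perl\r\n"},
    {"proc": "perl", "host": "irc.example-c2.test", "port": 3333,
     "payload": '{"id":1,"method":"mining.subscribe","params":["xmrig/6.0"]}'},
    {"proc": "curl", "host": "updates.example-vendor.test", "port": 443,
     "payload": "GET /pkg HTTP/1.1"},
    {"proc": "sshd", "host": "10.0.0.5", "port": 22, "payload": "SSH-2.0-OpenSSH_9.6"},
]

# IRC registration commands at the start of a line; stratum mining JSON-RPC methods.
IRC_HANDSHAKE = re.compile(r"^(NICK|USER|JOIN|PASS) ", re.MULTILINE)
STRATUM = re.compile(r'"method"\s*:\s*"mining\.')
INTERPRETERS = {"perl", "python", "python3", "sh", "bash"}

def classify(event):
    """Label a connection by what it sends, ignoring the port number, since the
    report notes the actors use common and random ports to evade simple checks."""
    if IRC_HANDSHAKE.search(event["payload"]):
        return "irc"
    if STRATUM.search(event["payload"]):
        return "stratum"
    return None

def detect(events):
    """Return alerts: an interpreter speaking IRC, and mining traffic to any host
    that also serves IRC C2 (IP/port blocklists would miss the second case)."""
    alerts = []
    by_host = defaultdict(set)
    for ev in events:
        kind = classify(ev)
        if kind:
            by_host[ev["host"]].add(kind)
        if kind == "irc" and ev["proc"] in INTERPRETERS:
            alerts.append(("interpreter_irc_c2", ev["proc"], ev["host"], ev["port"]))
    for host, kinds in by_host.items():
        if {"irc", "stratum"} <= kinds:
            alerts.append(("mining_pool_on_c2_host", host))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```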

The gang also runs phishing campaigns that target credit card data. According to the logs analyzed by Sysdig, the threat actor uses the proceeds to fund its infrastructure, but Rubycarp may also use the stolen data for other purposes or even sell it.

“While RUBYCARP targets known vulnerabilities and conducts brute force attacks, what makes it more dangerous is its post-exploitation tools and the breadth of its capabilities (i.e., Phishing),” the company said. “Defending against this group requires diligent vulnerability management, a robust security posture, and runtime threat detection.”

Ransomware