A Deep Dive into RUBYCARP: The Romanian Cyber Threat Group
Recent research has brought to light the extensive activities of a Romanian cyber threat group known as RUBYCARP, which combines cryptocurrency mining with phishing campaigns to achieve its financial objectives.
The Tactics Used by RUBYCARP
One notable finding in the technical analysis released by Sysdig is the group's use of a script that deploys several cryptocurrency miners at once. According to the analysis, running the miners concurrently shortens the attack and lowers the chance of detection. The script predominantly deploys XMRig, a Monero miner, and was previously hosted on the now-defunct domain "download[.]c3bash[.]org." Because that domain is no longer live, it serves as a historical indicator for DNS and proxy logs rather than a blocking target; the miners themselves (pool connections, XMRig command-line flags and sustained high CPU usage) remain the more durable detection hooks.
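As an added example (not code from this article or from Sysdig's report), the following Python script shows how a defender could triage a host for the activity described above: it scans a process listing for XMRig/Monero miner indicators, flags any user running more than one miner at the same time, and checks DNS log lines for the download[.]c3bash[.]org domain. The process listing, DNS lines, pool hostnames and wallet-like string are constructed sample data, and the indicator patterns are the editor's own heuristics rather than indicators published in the report.

```python
"""Triage a host for RUBYCARP-style miner activity (added example, not the report's code)."""
import re
from collections import Counter

# Domain named in the report, stored defanged and refanged at load time.
# It is defunct, so this is a historical indicator for DNS/proxy logs.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("download[.]c3bash[.]org",)}

# Heuristics keyed on XMRig arguments rather than the binary name, because the
# binary is often renamed to look like a kernel thread (e.g. "kswapd0").
# These patterns are the editor's assumptions, not indicators from the report.
MINER_INDICATORS = {
    "xmrig_binary": re.compile(r"(?:^|/)xmrig\b"),
    "stratum_url": re.compile(r"stratum\+(?:tcp|ssl)://"),
    "donate_level": re.compile(r"--donate-level\b"),
    "randomx_algo": re.compile(r"(?:--algo|-a)[ =]rx/0\b"),
    "monero_coin": re.compile(r"--coin[ =]monero\b"),
    "pool_flag": re.compile(r"(?:^|\s)-o\s+\S+:\d+"),
}

# Constructed sample input: a `ps -eo pid,user,args` style listing.
SAMPLE_PS = """\
PID   USER     COMMAND
1123  root     /usr/sbin/sshd -D
2044  www-data /tmp/.x/xmrig -o pool.example.invalid:4444 -u 4WALLET --donate-level 1 -k
2045  www-data /tmp/.x/kswapd0 -o stratum+tcp://xmr.pool.invalid:3333 --algo rx/0
2046  www-data perl /tmp/.x/miner.pl --coin monero
3001  postgres postgres: checkpointer
"""

# Constructed sample input: "<timestamp> <source-ip> query <type> <domain>" lines.
SAMPLE_DNS = """\
2024-04-10T12:01:02Z 10.0.0.5 query A download.c3bash.org
2024-04-10T12:01:05Z 10.0.0.5 query A xmr.pool.invalid
2024-04-10T12:02:00Z 10.0.0.7 query A deb.debian.org
"""


def parse_ps(text):
    """Parse a ps listing into dicts; the first line is treated as a header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append({"pid": parts[0], "user": parts[1], "cmd": parts[2]})
    return rows


def classify_miner(cmd):
    """Return the names of every miner indicator matching a command line."""
    return [name for name, rx in MINER_INDICATORS.items() if rx.search(cmd)]


def find_miners(ps_text):
    """Return every process whose command line carries at least one miner indicator."""
    hits = []
    for row in parse_ps(ps_text):
        indicators = classify_miner(row["cmd"])
        if indicators:
            hits.append({**row, "indicators": indicators})
    return hits


def concurrent_miner_users(hits):
    """Users running more than one miner at once, the pattern the multi-miner script produces."""
    counts = Counter(h["user"] for h in hits)
    return {user: n for user, n in counts.items() if n > 1}


def match_domain_iocs(dns_text, iocs=IOC_DOMAINS):
    """Return (source, domain) pairs for DNS queries to known IOC domains."""
    matches = []
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        domain = parts[-1].lower().rstrip(".")
        if domain in iocs:
            matches.append((parts[1], domain))
    return matches


def triage(ps_text, dns_text):
    """Combine the three checks into one report dict."""
    hits = find_miners(ps_text)
    return {
        "miners": hits,
        "multi_miner_users": concurrent_miner_users(hits),
        "ioc_dns_hits": match_domain_iocs(dns_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PS, SAMPLE_DNS)
    for h in report["miners"]:
        print(f"miner pid={h['pid']} user={h['user']} indicators={h['indicators']}")
    print("users with concurrent miners:", report["multi_miner_users"])
    print("IOC DNS hits:", report["ioc_dns_hits"])
```

The process whose binary was renamed to "kswapd0" is caught by its stratum URL and RandomX algorithm flag, not by its name, which is why the heuristics key on arguments; on a real host, feed the script the output of `ps -eo pid,user,args` and your resolver or proxy logs in the same whitespace-separated shape.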
Aside from cryptocurrency mining, RUBYCARP also runs phishing operations aimed at stealing financial data, including credit card numbers. The researchers found a phishing template targeting Danish users that impersonated the logistics company Bring. A PHP script named "ini.inc" was identified as the mailer used to send these phishing emails, and the sending accounts were compromised email accounts linked to the attacks.
The Tools and Techniques of RUBYCARP
Further investigation into the group's activities revealed a range of tools and techniques, including specific commands within its shell bot code for sending phishing emails. The researchers also uncovered what appears to be a phishing landing page targeting European financial entities such as Swish and Nets.
The study also sheds light on RUBYCARP's development and sale of its own attack tooling, a practice that is not commonly observed among threat actor groups. The advisory suggests the group likely has ties to the 'Outlaw APT' group and to other actors that use the Perl Shellbot.
Community Dynamics and Threat Actor Communication
Communication among RUBYCARP members has remained consistent over the years, with IRC channels as the main mode of interaction. Notably, the group exhibits a mentoring dynamic: newcomers are guided and eventually enticed into purchasing the toolset that RUBYCARP develops.
According to the researchers, defending against RUBYCARP requires diligent vulnerability management, a hardened baseline security posture, and runtime threat detection that can catch miner and bot activity as it starts. The group's post-exploitation tooling and wide-ranging capabilities make it a potent threat.