cyware: Research Unearths RUBYCARP’s Multi-Miner Assault on Crypto

Summary: A recent research study has revealed the activities of a Romanian cyber threat group known as RUBYCARP, which engages in cryptocurrency mining, phishing, and the development and sale of cyber weapons.

Threat Actor: RUBYCARP | RUBYCARP
Victim: Various victims, including Danish users | RUBYCARP victims

Key Points:

  • RUBYCARP deploys multiple cryptocurrency miners simultaneously to reduce attack time and detection likelihood.
  • The group conducts phishing operations, targeting victims with templates impersonating logistics companies.
  • RUBYCARP is involved in the development and sale of cyber weapons.
  • The group communicates through IRC and mentors newcomers to the cyber threat scene.
  • Defending against RUBYCARP requires diligent vulnerability management, a robust security posture, and runtime threat detection.

A recent research study has shed light on the decade-long activities of a Romanian cyber threat group known as RUBYCARP, which uses techniques such as cryptocurrency mining and phishing.

One of the key findings from the technical write-up, published by Sysdig today, is the group’s use of a script capable of simultaneously deploying multiple cryptocurrency miners. 

By executing these miners concurrently, RUBYCARP reduces both the time required for the attack and the likelihood of detection. The script primarily targets XMRig/Monero miners and was previously hosted on a now-defunct domain, “download[.]c3bash[.]org.”

Further evidence suggests that RUBYCARP also conducts phishing operations to steal valuable financial assets, including credit card numbers. 

The researchers uncovered a phishing template targeting Danish users, impersonating the logistics company Bring. Moreover, a PHP script named “ini.inc” was identified as the tool used to send these phishing emails, with compromised email accounts linked to the attacks.

Further analysis of the group’s activities uncovered a variety of tools and techniques, including the use of specific commands within shell bot code to send phishing emails. The researchers also found evidence of a potential phishing landing page targeting European entities, including Swish Bank and Nets Bank, among others.

The study also highlights RUBYCARP’s involvement in the development and sale of cyber weapons.

Read more on such weapons: Russian Hacking Group Sandworm Linked to Unprecedented Attack on Danish Critical Infrastructure

“Attribution is always difficult, but they are most likely Romanian and may have some crossover with the ‘Outlaw APT’ group and others who leverage the Perl Shellbot. These threat actors are also involved in the development and sale of cyber weapons, which isn’t very common,” reads the advisory.

According to the security experts, communication among threat actors has remained broadly consistent over the years, with IRC remaining highly popular. Additionally, the community dynamic within RUBYCARP is noteworthy, as it involves mentoring newcomers to the scene. This aspect also offers financial advantages to the group, as it can later sell the toolset it has developed to them.

“While RUBYCARP targets known vulnerabilities and conducts brute force attacks, what makes it more dangerous is its post-exploitation tools and the breadth of its capabilities,” Sysdig warned. “Defending against this group requires diligent vulnerability management, a robust security posture and runtime threat detection.”

Source: https://www.infosecurity-magazine.com/news/rubycarps-multi-miner-assault/


“An interesting youtube video that may be related to the article above”