Key points
- Initial access: RUBYCARP exploits Laravel vulnerability CVE-2021-3129, performs SSH brute-force, and leverages leaked username/password dumps to compromise hosts.
- Backdoor & C2: After compromise, they install variants of a Perl Shellbot backdoor that connects infected hosts to public and private IRC servers (e.g., chat.juicessh.pro, sshd.run) acting as botnet C2.
- Pre‑exploit reconnaissance: The group uses mass scanning tools (masscan, banner) and brute-force utilities to find vulnerable targets and open services.
- Post‑exploitation tooling: Actors deploy miners (NanoMiner, XMRig, custom “miner”/C3Bash), custom ELF binaries (e.g., plm), and other bespoke tools distributed via scripts and domains.
- Monetization: They run private mining pools on rotated domains/ports, exchange wallet data, and conduct phishing campaigns (email templates, send scripts) to harvest payment credentials.
- Operational hygiene: Infrastructure is frequently rotated and stripped after researcher activity; campaigns use channel/user naming schemes and access controls within IRC to limit detection.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploited Laravel CVE-2021-3129 to gain access (‘targeting and exploitation of Laravel applications vulnerable to CVE-2021-3129’).
- [T1110] Brute Force – Performed SSH brute forcing to obtain credentials and access hosts (‘evidence of SSH Brute forcing as another way the group gained access’).
- [T1046] Network Service Scanning – Used mass scanning tools to discover targets (‘Mass Scanner (masscan), a tool omnipresent within its pre-exploitation activities’).
- [T1105] Ingress Tool Transfer – Delivered and installed backdoors and miners via downloaded scripts and domains (‘Once access is obtained, a backdoor is installed based on the popular Perl Shellbot’ and hosted setup scripts/domains).
- [T1071] Application Layer Protocol – Used IRC channels and servers for command-and-control communications and bot management (‘connected to an IRC server acting as command and control’ and private/public IRC networks like chat.juicessh.pro).
- [T1566] Phishing – Created and sent phishing templates and mail-sending scripts to harvest financial data (‘phishing template (letter.html)’ and a PHP script ‘ini.inc’ used to send those phishing emails).
- [T1496] Resource Hijacking – Abused compromised hosts to run cryptocurrency miners and custom mining pools (‘uses its botnet for financial gain via cryptomining’ and runs private mining pools like juicessh[.]space:443).
Indicators of Compromise
- [Domain] C2/mining/infrastructure – chat.juicessh.pro, juicessh[.]space, sshd[.]baselinux[.]net, and other rotated domains.
- [IP Address] Infrastructure and mining endpoints – 91[.]208.206.118:443, 194[.]163.141.243:4430, and other malicious IPs used for pools/C2.
- [File name] Phishing and setup artifacts – letter.html (phishing template), ini.inc (PHP mailer), remote_code.zip (phishing assets), and plm (malicious ELF referenced in campaigns).
- [Tool/Binary] Scanning/mining tools observed – masscan (scanning), NanoMiner and XMRig (miners), and custom C3Bash ‘miner’ script used to install/run miners.
- [Email addresses/domains] Phishing sender accounts – test@lufaros[.]com, maria@cenacop[.]com (domains used as sender addresses; lufaros[.]com marked malicious on VirusTotal).
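The indicators above are published in defanged form (`[.]`), so a defender's first step is to refang them and then sweep network, DNS and mail telemetry for contact with the listed hosts. The script below is an added example, not code from the Sysdig report: it parses the report's indicators, treats a domain indicator as covering its subdomains, and distinguishes an exact host:port match from a host-only match (traffic to a listed pool IP on a different port is still worth a look). The `key=value` log format and the log lines themselves are constructed for the example; the indicator values are copied from the list above, and 203.0.113.10 is a documentation address standing in for benign traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators copied verbatim from the report's IoC list, still defanged.
DEFANGED_IOCS = [
    "chat.juicessh.pro",
    "juicessh[.]space",
    "sshd[.]baselinux[.]net",
    "91[.]208.206.118:443",
    "194[.]163.141.243:4430",
    "lufaros[.]com",
    "cenacop[.]com",
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
KV = re.compile(r"(\w+)=(\S+)")   # constructed key=value log format


@dataclass(frozen=True)
class Indicator:
    raw: str                 # as published (defanged)
    host: str                # refanged domain or IP, lower-case
    port: Optional[int]      # port when the report gives one, else None
    is_ip: bool


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '[dot]', 'hxxp') back into its real form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", s)


def parse_indicator(raw: str) -> Indicator:
    s = refang(raw)
    host, _, port = s.partition(":")
    return Indicator(raw=raw, host=host, port=int(port) if port else None,
                     is_ip=bool(IPV4.match(host)))


INDICATORS = [parse_indicator(i) for i in DEFANGED_IOCS]


def match(ind: Indicator, host: str, port: Optional[int]) -> Optional[str]:
    """Return 'exact', 'host-only' or None for an observed host/port pair."""
    host = host.lower()
    if ind.is_ip:
        host_ok = host == ind.host
    else:
        # A domain indicator also covers its subdomains (pool hosts rotate under one apex).
        host_ok = host == ind.host or host.endswith("." + ind.host)
    if not host_ok:
        return None
    if ind.port is None or ind.port == port:
        return "exact"
    return "host-only"


def scan_log(lines, indicators=INDICATORS):
    """Sweep constructed key=value log lines; return (line, indicator.raw, confidence) hits."""
    hits = []
    for line in lines:
        f = dict(KV.findall(line))
        observed = []
        if "dst" in f:                                   # firewall / flow record
            observed.append((f["dst"], int(f["dport"]) if "dport" in f else None))
        if "query" in f:                                 # DNS query record
            observed.append((f["query"], None))
        if "from" in f:                                  # mail sender, compare the domain part
            observed.append((f["from"].rpartition("@")[2], None))
        for host, port in observed:
            for ind in indicators:
                conf = match(ind, host, port)
                if conf:
                    hits.append((line, ind.raw, conf))
    return hits


# Constructed sample telemetry: four lines should fire, the 203.0.113.10 flow should not.
SAMPLE_LOG = [
    "2024-04-10T12:00:01Z src=10.0.0.5 dst=91.208.206.118 dport=443 proto=tcp",
    "2024-04-10T12:00:02Z src=10.0.0.5 query=pool.juicessh.space",
    "2024-04-10T12:00:03Z src=10.0.0.7 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-04-10T12:00:04Z src=10.0.0.9 dst=194.163.141.243 dport=80 proto=tcp",
    "2024-04-10T12:00:05Z src=10.0.0.9 from=maria@cenacop.com subject=invoice",
]

if __name__ == "__main__":
    for line, ioc, conf in scan_log(SAMPLE_LOG):
        print(f"[{conf:9}] {ioc:28} <- {line}")
```

Running the module prints one line per hit; in a real deployment the same `match` function would sit behind a SIEM lookup table, with the refanged list refreshed as the group rotates domains and ports.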
RUBYCARP technical procedure (concise)
RUBYCARP gains initial access by scanning wide address ranges with masscan and banner grabs to find exposed services, then exploits Laravel CVE-2021-3129, conducts SSH brute-force, or imports leaked credential dumps (WordPress/SSH) to authenticate. After access, operators transfer and execute tooling via hosted scripts and domains, installing a Perl-based Shellbot backdoor that automatically connects compromised hosts to IRC channels (public and private) for command-and-control; each campaign uses dedicated channels and naming schemes to group bots and limit unwanted access.
Post-exploitation, the group deploys a suite of tools (custom ELF binaries like ‘plm’, miners such as NanoMiner and XMRig, and the C3Bash orchestration script) by downloading them from attacker-controlled domains. C3Bash automates miner installation, background execution, CPU throttling advice, and persistence checks, enabling concurrent miners and stealthy operations; operators also run private mining pools on rotated domains/ports to collect payouts. Additionally, RUBYCARP uses IRC-integrated commands and PHP/mail scripts (e.g., ini.inc) and phishing templates (letter.html, remote_code.zip assets) to harvest payment credentials and distribute malicious landing pages, then rapidly rotate domains/IPs and purge infrastructure when researcher activity is detected.
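SSH brute-forcing (T1110) is the one initial-access path above that leaves a clean trail on the victim itself. The detector below is an added example and not part of the Sysdig report: it reads standard `sshd` syslog lines, keeps a sliding window of failed logins per source address, raises a `bruteforce` alert once a source crosses the threshold, and raises the higher-severity `success_after_bruteforce` alert when the same source then authenticates successfully, which is the moment a credential dump or password guess actually paid off. The window of 5 minutes and threshold of 5 failures are assumptions to tune for your environment; the log lines are constructed, with 198.51.100.23 and 192.0.2.8 being documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning knobs (assumed values, not from the report).
WINDOW = timedelta(minutes=5)
THRESHOLD = 5

SYSLOG = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")


def parse_line(line):
    """Return (timestamp, 'fail'|'ok', user, src_ip) for auth events, None otherwise."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; deltas between them are all the detector needs.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    msg = m.group(2)
    f = FAILED.search(msg)
    if f:
        return ts, "fail", f.group(1), f.group(2)
    a = ACCEPTED.search(msg)
    if a:
        return ts, "ok", a.group(1), a.group(2)
    return None


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window brute-force detection over sshd log lines.

    Returns a list of (alert_type, src_ip, user, failures_in_window) tuples.
    """
    recent = defaultdict(deque)   # src ip -> timestamps of failures inside the window
    alerted = set()               # sources already reported, to avoid one alert per attempt
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if kind == "fail":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("bruteforce", ip, user, len(q)))
        elif len(q) >= threshold:
            # A success right after a burst of failures: the guess (or dump) worked.
            alerts.append(("success_after_bruteforce", ip, user, len(q)))
    return alerts


# Constructed sample log: a brute-force run that succeeds, then a normal user login.
SAMPLE_AUTH_LOG = [
    "Apr 10 12:00:01 web01 sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "Apr 10 12:00:03 web01 sshd[2302]: Failed password for root from 198.51.100.23 port 51240 ssh2",
    "Apr 10 12:00:05 web01 sshd[2303]: Failed password for invalid user test from 198.51.100.23 port 51244 ssh2",
    "Apr 10 12:00:07 web01 sshd[2304]: Failed password for invalid user oracle from 198.51.100.23 port 51250 ssh2",
    "Apr 10 12:00:09 web01 sshd[2305]: Failed password for root from 198.51.100.23 port 51255 ssh2",
    "Apr 10 12:00:11 web01 sshd[2306]: Failed password for deploy from 198.51.100.23 port 51260 ssh2",
    "Apr 10 12:00:14 web01 sshd[2307]: Accepted password for deploy from 198.51.100.23 port 51266 ssh2",
    "Apr 10 12:01:30 web01 sshd[2310]: Failed password for alice from 192.0.2.8 port 40112 ssh2",
    "Apr 10 12:01:35 web01 sshd[2311]: Accepted publickey for alice from 192.0.2.8 port 40113 ssh2",
    "Apr 10 12:01:40 web01 sshd[2312]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

The `success_after_bruteforce` alert is the one to page on: the account it names is the one to suspend, and the host is the one to check for the Perl Shellbot backdoor and an outbound IRC connection before the operators rotate their infrastructure.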
Read more: https://sysdig.com/blog/rubycarp-romanian-botnet-group