A recent research study has shed light on the decade-long activities of a Romanian cyber threat group known as RUBYCARP, which uses techniques such as cryptocurrency mining and phishing.
One of the key findings from the technical write-up, published by Sysdig today, is the group’s use of a script capable of simultaneously deploying multiple cryptocurrency miners.
By executing these miners concurrently, RUBYCARP reduces both the time required for the attack and the likelihood of detection. The script primarily targets XMRig/Monero miners and was previously hosted on a now-defunct domain, “download[.]c3bash[.]org.”
Further evidence suggests that RUBYCARP also conducts phishing operations to steal valuable financial assets, including credit card numbers.
The researchers uncovered a phishing template targeting Danish users, impersonating the logistics company Bring. Moreover, a PHP script named “ini.inc” was identified as the tool used to send these phishing emails, with compromised email accounts linked to the attacks.
Further analysis of the group’s activities uncovered a variety of tools and techniques, including the use of specific commands within shell bot code to send phishing emails. The researchers also found evidence of a potential phishing landing page targeting European entities, including Swish Bank and Nets Bank, among others.
The study also highlights RUBYCARP’s involvement in the development and sale of cyber weapons.
“Attribution is always difficult, but they are most likely Romanian and may have some crossover with the ‘Outlaw APT’ group and others who leverage the Perl Shellbot. These threat actors are also involved in the development and sale of cyber weapons, which isn't very common,” reads the advisory.
According to the security experts, communication among threat actors has remained broadly consistent over the years, with IRC remaining highly popular. Additionally, the community dynamic within RUBYCARP is noteworthy, as it involves mentoring newcomers to the scene. This aspect also offers financial advantages to the group, as it can later sell the toolset it has developed to them.
“While RUBYCARP targets known vulnerabilities and conducts brute force attacks, what makes it more dangerous is its post-exploitation tools and the breadth of its capabilities,” Sysdig warned. “Defending against this group requires diligent vulnerability management, a robust security posture and runtime threat detection."