A recent research study has uncovered the activities of a Romanian cyber threat group called RUBYCARP, which engages in both cryptocurrency mining and phishing. The findings, detailed in a technical write-up by Sysdig, reveal the group’s use of a script that deploys multiple cryptocurrency miners simultaneously. This tactic not only speeds up the attack but also minimizes the chances of detection. RUBYCARP relies primarily on XMRig/Monero miners and previously hosted the script on a now-defunct domain, “download[.]c3bash[.]org.”
In addition to cryptocurrency mining, RUBYCARP is involved in phishing operations aimed at stealing valuable financial assets like credit card numbers. The researchers identified a phishing template targeting Danish users, posing as the logistics company Bring. The group utilizes a PHP script named “ini.inc” to send these phishing emails, using compromised email accounts in the process.
Further investigation into RUBYCARP’s activities uncovered a range of tools and techniques, including specific commands within shell bot code for sending phishing emails. The researchers also discovered a potential phishing landing page targeting European entities such as Swish Bank and Nets Bank. Moreover, the study highlights RUBYCARP’s role in developing and selling cyber weapons.
Communication within the group has been consistent over the years, with IRC remaining a popular platform for interaction. The community dynamic within RUBYCARP involves mentoring newcomers, which not only strengthens the group but also provides financial benefits as they can later sell their developed toolset to others.
While RUBYCARP targets known vulnerabilities and employs brute force attacks, its post-exploitation tools and capabilities make it particularly dangerous. Sysdig advises that defending against this group requires vigilant vulnerability management, a strong security posture, and runtime threat detection measures. It is essential to stay proactive and prepared in the face of evolving cyber threats like RUBYCARP.
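As an added example (not code from the Sysdig write-up or this article), the Python below shows one way runtime detection could flag the behaviours described above: several miner processes spawned by a single parent script, and outbound connections to the indicator domain or to common IRC ports. The log format, the miner names other than XMRig, the IRC port list and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of process-exec and network events (not real telemetry).
SAMPLE_LOG = """\
2024-04-08T10:00:01Z host1 exec ppid=4011 pid=4012 cmd=/bin/bash
2024-04-08T10:00:02Z host1 exec ppid=4012 pid=4013 cmd=/tmp/.x/xmrig
2024-04-08T10:00:02Z host1 exec ppid=4012 pid=4014 cmd=/tmp/.x/minerd
2024-04-08T10:00:03Z host1 exec ppid=4012 pid=4015 cmd=/tmp/.x/nanominer
2024-04-08T10:00:05Z host1 net pid=4012 dst=download.c3bash.org:80
2024-04-08T10:00:07Z host1 net pid=4020 dst=198.51.100.7:6667
2024-04-08T10:01:00Z host1 exec ppid=1 pid=5000 cmd=/usr/bin/python3
"""

# XMRig is named in the article; the other miner names are assumed examples.
MINER_NAMES = re.compile(r"\b(xmrig|minerd|nanominer|cpuminer)\b", re.I)
# Indicator domain from the article (defanged there; reported as now defunct).
KNOWN_DOMAINS = {"download.c3bash.org"}
IRC_PORTS = {6667, 6697}  # assumed common IRC ports

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>exec|net) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Parse one log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(KV_RE.findall(rec.pop("rest"))))
    return rec

def analyze(log_text, miner_threshold=2):
    """Return (rule, subject, detail) findings for the three behaviours."""
    findings = []
    miners_by_parent = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        if rec["kind"] == "exec" and MINER_NAMES.search(rec.get("cmd", "")):
            miners_by_parent[rec["ppid"]].append(rec["pid"])
        elif rec["kind"] == "net":
            host, _, port = rec.get("dst", "").rpartition(":")
            if host in KNOWN_DOMAINS:
                findings.append(("known_domain", rec["pid"], host))
            elif port.isdigit() and int(port) in IRC_PORTS:
                findings.append(("irc_port", rec["pid"], rec["dst"]))
    # One parent launching several miners matches the multi-miner script.
    for ppid, pids in miners_by_parent.items():
        if len(pids) >= miner_threshold:
            findings.append(("multi_miner", ppid, len(pids)))
    return findings
```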