RUBYCARP: A Detailed Analysis of a Sophisticated Decade-Old Botnet Group

The Sysdig Threat Research Team (Sysdig TRT) continues to surface long-running, persistent threats; its latest finding is a botnet operation that has stayed active for more than ten years.

From the Sysdig report

Our recent discovery sheds light on a long-running botnet operated by a Romanian threat actor group that Sysdig TRT has named RUBYCARP. Active for over a decade, RUBYCARP builds its botnet by exploiting publicly known vulnerabilities and by brute forcing credentials. This editorial walks through how RUBYCARP operates and what drives it.

Motivations and Methodologies

Like most threat actors today, RUBYCARP is financially motivated. Cryptomining, Distributed Denial of Service (DDoS) and phishing are its primary means of monetisation. Notably, RUBYCARP diversifies: it deploys an assortment of tools on compromised hosts rather than a single payload, and its phishing campaigns have targeted credit card data, one of several illicit income streams.

Attribution Challenges

Attributing activity to a specific group remains difficult and rarely yields certainty. RUBYCARP shares striking similarities with the Outlaw advanced persistent threat (APT), yet a definitive link cannot be established. Its use of Shellbot complicates attribution further, since that Perl backdoor is shared widely among threat actors. Cybercriminal tooling and targeting overlap constantly: RUBYCARP's exploitation of Laravel vulnerabilities, for instance, mirrors the tactics of the Androxgh0st threat actor.

Understanding RUBYCARP

Sysdig TRT's ongoing monitoring shows that RUBYCARP favours vulnerable Laravel applications, notably via CVE-2021-3129, a remote code execution flaw in the Ignition debug component. Evidence also points to SSH brute forcing and to logins against WordPress sites using compromised credentials. RUBYCARP keeps adding new exploitation techniques to its arsenal, growing its botnets and sustaining its operations.
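The two initial-access paths named above, SSH brute forcing and CVE-2021-3129 exploitation, both leave traces in ordinary server logs. The following detector is an added example written for this editorial, not code from Sysdig or from the report; the sshd and access log lines it scans are constructed for the example, and the only fact it relies on beyond the page is that CVE-2021-3129 is triggered through a POST to Laravel Ignition's /_ignition/execute-solution endpoint.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not taken from the Sysdig report): one source
# hammers several accounts and then succeeds; a second source has a single failure.
AUTH_LOG = """\
Apr 10 12:00:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 40112 ssh2
Apr 10 12:00:03 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40114 ssh2
Apr 10 12:00:04 web1 sshd[2105]: Failed password for invalid user oracle from 198.51.100.7 port 40116 ssh2
Apr 10 12:00:06 web1 sshd[2107]: Failed password for root from 198.51.100.7 port 40118 ssh2
Apr 10 12:00:08 web1 sshd[2109]: Failed password for invalid user test from 198.51.100.7 port 40120 ssh2
Apr 10 12:00:09 web1 sshd[2111]: Accepted password for root from 198.51.100.7 port 40122 ssh2
Apr 10 12:30:00 web1 sshd[2200]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Apr 10 12:31:00 web1 sshd[2201]: Accepted publickey for alice from 203.0.113.9 port 51001 ssh2
""".splitlines()

# Constructed sample web server access log lines in combined log format.
ACCESS_LOG = """\
203.0.113.9 - - [10/Apr/2024:12:06:00 +0000] "GET /login HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2024:12:05:00 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 1503 "-" "python-requests/2.31"
203.0.113.9 - - [10/Apr/2024:12:07:00 +0000] "GET /_ignition/health-check HTTP/1.1" 404 162 "-" "Mozilla/5.0"
""".splitlines()

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoint abused by CVE-2021-3129 (Laravel Ignition RCE). A POST here from an
# unfamiliar client deserves an alert whatever the response code.
IGNITION_PATH = "/_ignition/execute-solution"


def parse_sshd(line):
    """Return {'ts', 'result', 'user', 'ip'} for a login outcome line, else None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; adequate for ordering events within a day
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def find_ssh_bruteforce(lines, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window of
    window_s seconds, and record whether a login then succeeded from that source
    while the burst was still inside the window (a likely compromise)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    hits = {}
    for line in lines:
        ev = parse_sshd(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                h = hits.setdefault(ip, {"max_failures_in_window": 0, "success_after_burst": False})
                h["max_failures_in_window"] = max(h["max_failures_in_window"], len(q))
        elif ip in hits and q:
            hits[ip]["success_after_burst"] = True
    return hits


def find_ignition_exploit_attempts(lines):
    """Return (ip, status) for every POST to the Ignition execute-solution endpoint."""
    found = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == IGNITION_PATH:
            found.append((m["ip"], int(m["status"])))
    return found


if __name__ == "__main__":
    for ip, info in find_ssh_bruteforce(AUTH_LOG).items():
        print(f"ssh brute force from {ip}: {info}")
    for ip, status in find_ignition_exploit_attempts(ACCESS_LOG):
        print(f"CVE-2021-3129 attempt from {ip} (HTTP {status})")
```

The sliding window matters more than the raw count: a burst of failures followed by an "Accepted" from the same source within the window is the signal worth paging on, since it means a brute force attempt most likely worked. The Ignition check deliberately ignores the HTTP status, because a 500 from a failed exploit attempt is still reconnaissance against the application.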

Botnet Infrastructure and Operations

Once it has access, RUBYCARP installs a backdoor, typically the widely shared Perl Shellbot. The compromised server then connects to an IRC server that acts as the command and control hub for the wider botnet. Notably, Sysdig TRT's reconnaissance uncovered 39 variants of the Perl file, of which only a fraction were detected by conventional antivirus. RUBYCARP also guards its network carefully, banning the IP addresses of connections it does not want on its IRC servers.

Campaigns and Infrastructure

RUBYCARP's botnet encompasses over 600 compromised hosts, managed across multiple IRC networks. The group rotates and replaces its infrastructure regularly, which makes tracking it a formidable challenge for researchers. IRC servers such as chat.juicessh.pro and sshd.run serve as the central conduits for RUBYCARP's communication and coordination.
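The behaviour described in the two sections above, a scripting interpreter on a server registering with an IRC server, is detectable from host telemetry even when the server names rotate. The following triage logic is an added example for this editorial, not code from Sysdig or from the report. It assumes a sensor that reports, per outbound connection, the process name and command line plus the first bytes sent (the shape of the event records is an assumption); the two hostnames in KNOWN_C2_HOSTS are the ones named on this page, and every event below is constructed, not captured.

```python
import re

# Indicators taken from the report: IRC servers named as RUBYCARP infrastructure.
KNOWN_C2_HOSTS = {"chat.juicessh.pro", "sshd.run"}
# Conventional IRC ports. Shellbot variants can be pointed at any port, so this
# is only a supporting signal, never the primary one.
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}
# Interpreters a Shellbot-style backdoor typically runs under.
INTERPRETERS = {"perl", "python", "python3", "php", "sh", "bash"}
# IRC client registration and join commands (RFC 1459) at the start of a line;
# every IRC client, Shellbot included, must send NICK and USER before anything else.
IRC_HANDSHAKE = re.compile(rb"^(PASS|NICK|USER|JOIN) ", re.M)
TEMP_DIR = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/")

# Constructed telemetry (process plus first outbound payload), not real captures.
EVENTS = [
    {   # interpreter running a script from /tmp, registering on a known C2 server
        "pid": 4210, "comm": "perl", "cmdline": "perl /tmp/.x/bot.pl",
        "dst_host": "chat.juicessh.pro", "dst_port": 6667,
        "first_bytes": b"NICK [x86]kx8f2a\r\nUSER ubuntu 8 * :ubuntu\r\nJOIN #x\r\n",
    },
    {   # same kind of bot pointed at an unknown server on 443 to blend with HTTPS
        "pid": 4311, "comm": "perl", "cmdline": "perl /var/tmp/.sys/x.pl",
        "dst_host": "203.0.113.50", "dst_port": 443,
        "first_bytes": b"NICK [x86]kq91bb\r\nUSER ubuntu 8 * :ubuntu\r\n",
    },
    {   # ordinary HTTPS client: a TLS ClientHello, nothing IRC-like
        "pid": 800, "comm": "curl", "cmdline": "curl https://example.org/",
        "dst_host": "example.org", "dst_port": 443,
        "first_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
    },
    {   # a human IRC client: IRC traffic, but no interpreter and no known C2 host
        "pid": 901, "comm": "irssi", "cmdline": "irssi",
        "dst_host": "irc.example.net", "dst_port": 6697,
        "first_bytes": b"NICK alice\r\nUSER alice 0 * :alice\r\n",
    },
]


def reasons_for(ev):
    """List the signals an event triggers; an empty list means nothing suspicious."""
    reasons = []
    if ev["dst_host"] in KNOWN_C2_HOSTS:
        reasons.append("known_c2_host")
    if IRC_HANDSHAKE.search(ev["first_bytes"]):
        reasons.append("irc_handshake")
    if ev["dst_port"] in IRC_PORTS:
        reasons.append("irc_port")
    # an interpreter speaking IRC is the behavioural core of a Shellbot infection
    if ev["comm"] in INTERPRETERS and reasons:
        reasons.append("interpreter_irc_client")
    if ev["comm"] in INTERPRETERS and TEMP_DIR.search(ev["cmdline"]):
        reasons.append("script_in_temp_dir")
    return reasons


def severity(ev):
    """Rank an event: known C2 or an interpreter acting as an IRC client is high,
    plain IRC traffic is medium, a lone weak signal is low, nothing is none."""
    r = set(reasons_for(ev))
    if "known_c2_host" in r or "interpreter_irc_client" in r:
        return "high"
    if "irc_handshake" in r or "irc_port" in r:
        return "medium"
    return "low" if r else "none"


def triage(events):
    """Map each event's pid to its severity."""
    return {ev["pid"]: severity(ev) for ev in events}


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["pid"], ev["comm"], severity(ev), reasons_for(ev))
```

The second event is the important one: the same bot on port 443 to a server nobody has listed yet still scores high, because the detection keys on the IRC registration handshake coming from an interpreter rather than on a port or a hostname. Hostname and port indicators age quickly against a group that rotates infrastructure; the handshake does not.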

Conclusion

RUBYCARP illustrates how persistent a financially motivated botnet operation can be when it combines commodity tooling with patient, unglamorous tradecraft. Sysdig TRT's continued tracking has exposed how the group gains access, controls its hosts and monetises them. As RUBYCARP keeps adapting, sharing indicators and detection logic across the security community remains the most effective way to limit its reach.