A recent study has shed light on the decade-long activities of a Romanian cyber threat group known as Rubycarp, whose techniques include cryptocurrency mining and phishing.
One of the key findings of the technical analysis, published today by Sysdig, is the group's use of a script capable of deploying multiple cryptocurrency miners at the same time.
By running these miners in parallel, Rubycarp reduces both the time the attack requires and the likelihood of detection. The script focuses primarily on XMRig/Monero miners and was previously hosted on a domain that has since been taken down, download[.]c3bash[.]org.
Furthermore, evidence suggests that Rubycarp also conducts phishing operations to steal valuable financial data, including credit card numbers.
The researchers discovered a phishing template aimed at Danish users that impersonates a logistics company. In addition, a PHP script named "ini.inc" was identified as the tool used to send these phishing emails, with compromised email accounts linked to the attacks.
Further analysis of the group's activities revealed a variety of tools and techniques, including the use of specific commands in the shellbot code to send phishing emails. The researchers also found evidence of potential phishing landing pages targeting, among others, European entities including Swish Bank and Nets Bank.
The study also highlights Rubycarp's involvement in the development and sale of cyber weapons.
"Attribution is always difficult, but they are most likely Romanian and may have crossover with the 'Outlaw APT' group and others who use the Perl Shellbot. These threat actors are also involved in the development and sale of cyber weapons, which is not very common," reads the advisory.
According to the security experts, communication between the threat actors has remained consistent over the years, with IRC remaining very popular. Moreover, the community dynamics within Rubycarp are notable, as the group mentors newcomers. This also brings the group financial benefits, because it can later sell the tools it has developed to them.
"While Rubycarp focuses on known vulnerabilities and brute-force attacks, what makes it more dangerous is its post-exploitation tooling and the breadth of its capabilities," warned Sysdig. "Defending against this group requires diligent vulnerability management, a robust security posture and runtime threat detection."
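The runtime detection Sysdig recommends can be illustrated for the two behaviours the article describes: several XMRig/Monero miners launched on one host at once, and a Perl shellbot holding an IRC session. The following is an added example written for this page, not Sysdig's tooling or anything attributed to the group; the process and connection events are constructed, the pool hostname uses the reserved `.invalid` domain, and the indicator set (public XMRig command-line flags, the standard IRC ports 6667/6697, a short list of script interpreters) is an assumption chosen to keep the example small.

```python
"""Toy runtime detector for two RubyCarp-style behaviours:
(1) multiple Monero miners running concurrently on one host,
(2) a script interpreter (e.g. perl) opening an IRC connection.

Added example; events below are constructed, not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    comm: str      # process name as the kernel reports it
    cmdline: str   # full command line


@dataclass(frozen=True)
class NetEvent:
    host: str
    pid: int
    comm: str
    dst_port: int


# Command-line traits of XMRig-style Monero miners (all are documented
# XMRig options): a stratum pool URL, the donate-level flag, the RandomX
# algorithm switch or an explicit --coin monero.
MINER_CMDLINE = re.compile(
    r"stratum\+(?:tcp|ssl)://|--donate-level|(?:-a|--algo)[ =]rx/0|--coin[ =]monero",
    re.IGNORECASE,
)
MINER_NAMES = {"xmrig"}

# IRC ports commonly used for bot C2 (6667 plaintext, 6697 TLS).
IRC_PORTS = {6667, 6697}
# Interpreters that should not normally hold an IRC session on a server;
# the Perl shellbot the article mentions is the case of interest. Assumed list.
INTERPRETERS = {"perl", "bash", "sh", "python", "python3"}


def is_miner(ev: ProcEvent) -> bool:
    """True if the process name or command line looks like a Monero miner."""
    return ev.comm.lower() in MINER_NAMES or bool(MINER_CMDLINE.search(ev.cmdline))


def detect_miners(events):
    """Group miner processes by host; flag hosts running two or more at once.

    Returns (host -> [pids], findings). A lone miner is still reported,
    at lower severity, so a single-miner host is not silently ignored."""
    per_host = defaultdict(list)
    for ev in events:
        if is_miner(ev):
            per_host[ev.host].append(ev.pid)
    findings = []
    for host, pids in sorted(per_host.items()):
        if len(pids) >= 2:
            findings.append(f"HIGH {host}: {len(pids)} miners running concurrently, pids {pids}")
        else:
            findings.append(f"MEDIUM {host}: single miner, pid {pids[0]}")
    return dict(per_host), findings


def detect_irc_bots(events):
    """Flag script interpreters that connect to IRC ports (shellbot C2 pattern)."""
    return [
        f"HIGH {ev.host}: {ev.comm} pid {ev.pid} connected to IRC port {ev.dst_port}"
        for ev in events
        if ev.dst_port in IRC_PORTS and ev.comm.lower() in INTERPRETERS
    ]


# Constructed sample telemetry: web-01 runs two miners started together
# (one renamed binary, recognised only by its flags), db-02 is clean, and
# web-01 also has a Perl process talking IRC. irssi on app-03 is a
# legitimate IRC client and must not be flagged.
SAMPLE_PROCS = [
    ProcEvent("web-01", 4101, "xmrig", "./xmrig -o pool.invalid:3333 -u WALLET --donate-level 1"),
    ProcEvent("web-01", 4102, ".x", "/tmp/.x -a rx/0 -o stratum+tcp://pool.invalid:443 -u WALLET"),
    ProcEvent("web-01", 612, "nginx", "nginx: worker process"),
    ProcEvent("db-02", 231, "postgres", "postgres: checkpointer"),
]
SAMPLE_NET = [
    NetEvent("web-01", 4230, "perl", 6667),
    NetEvent("web-01", 612, "nginx", 443),
    NetEvent("app-03", 77, "irssi", 6697),
]

if __name__ == "__main__":
    _, miner_findings = detect_miners(SAMPLE_PROCS)
    for line in miner_findings + detect_irc_bots(SAMPLE_NET):
        print(line)
```

The second miner is deliberately renamed to a nondescript binary so that only its command line gives it away; matching on the process name alone would miss it, which is why the example keys on pool URLs and miner flags as well. In a real deployment these events would come from an eBPF or auditd-style process and socket feed rather than an inline list.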


