RUBYCARP: A Detailed Analysis of a Sophisticated Decade-Old Botnet Group
Blog post from Sysdig
RUBYCARP, a Romanian threat actor group operating for over a decade, utilizes botnets for financial gain through activities such as cryptomining, phishing, and Distributed Denial of Service (DDoS) attacks. The Sysdig Threat Research Team reports that RUBYCARP exploits public vulnerabilities and performs brute force attacks, frequently using a Perl-based Shellbot for post-exploitation activities. The group communicates and coordinates operations through IRC networks, maintaining a significant infrastructure of rotating malicious IPs and domains to evade detection. RUBYCARP's operations include targeting vulnerable Laravel and WordPress applications, with a diversified portfolio of tools and techniques that complicate attribution, often overlapping with other threat actors like the Outlaw APT. Their cybercriminal activities extend to crafting phishing campaigns aimed at European entities to steal financial information, while also developing and distributing custom cyber tools within their community. The group's resilience and adaptability highlight the necessity of robust security measures and threat detection strategies to combat their activities.
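The report's recurring technical markers are a Perl-based Shellbot and IRC-based command and control. The following added example (not code from the Sysdig post or from the threat actor) shows a small triage heuristic over constructed process/network event records; the `Event` field names, the IRC port list and the scoring thresholds are assumptions to be tuned per environment.

```python
"""Triage heuristic for Perl-based IRC bots (added example, not Sysdig's code).

Each Event is a constructed process/network record of the kind an EDR or
Falco-style sensor emits; field names and sample values are assumptions.
"""
import re
from dataclasses import dataclass

IRC_PORTS = {6667, 6697, 7000}  # common IRC ports (assumption: tune per environment)
# IRC registration/chat verbs seen at the start of an outbound payload.
IRC_VERBS = re.compile(r"\b(NICK|USER|JOIN|PRIVMSG)\s+\S+")


@dataclass
class Event:
    proc: str       # executable name
    cmdline: str    # full command line
    dst_port: int   # outbound destination port, 0 if no connection
    payload: str    # first bytes sent outbound, "" if not captured


def score_event(ev: Event) -> list[str]:
    """Return the list of reasons an event looks like Perl/IRC bot activity."""
    reasons = []
    is_perl = ev.proc == "perl" or ev.cmdline.startswith("perl ")
    if is_perl and ev.dst_port in IRC_PORTS:
        reasons.append("perl->irc-port")
    # perl -e '...' with an outbound connection: inline script, no file on disk
    if is_perl and "-e" in ev.cmdline.split() and ev.dst_port:
        reasons.append("perl-inline-script-with-network")
    if ev.payload and IRC_VERBS.search(ev.payload):
        reasons.append("irc-handshake")
    return reasons


def verdict(reasons: list[str]) -> str:
    """A perl process talking to an IRC port, or two signals, is high; one is medium."""
    if "perl->irc-port" in reasons or len(reasons) >= 2:
        return "high"
    return "medium" if reasons else "none"


def triage(events: list[Event]) -> list[tuple[str, str, list[str]]]:
    return [(e.cmdline, verdict(r), r) for e in events if (r := score_event(e))]


# Constructed sample events: one shellbot-like, one inline perl with network,
# one benign daemon, one ordinary IRC client (expected to rate medium only).
SAMPLE_EVENTS = [
    Event("perl", "perl /tmp/x.pl", 6667, "NICK ab12\r\nUSER ab12 8 * :ab12\r\n"),
    Event("perl", "perl -e 'use IO::Socket::INET; ...'", 8080, ""),
    Event("sshd", "/usr/sbin/sshd -D", 0, ""),
    Event("weechat", "weechat", 6697, "NICK alice\r\n"),
]

if __name__ == "__main__":
    for cmdline, level, why in triage(SAMPLE_EVENTS):
        print(f"{level:6} {cmdline!r} {why}")
```

A legitimate IRC client still scores medium on the handshake alone, so the port and process checks are what separate the bot pattern from ordinary use.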