Bucharest, Romania. Image: Andrei-Daniel Nicolae / Wikimedia Commons / CC BY 2.0

Romania-linked ‘Rubycarp’ hackers look for cryptomining, phishing, DDoS opportunities

A suspected Romanian cybercrime group remains active after more than a decade of operation and currently specializes in cryptomining, phishing campaigns and DDoS attacks, according to cybersecurity researchers.

The group, labeled Rubycarp, may be related to another alleged Romanian threat actor with similar activities called Outlaw, said analysts from the Sysdig Threat Research Team. Overlaps with other groups are possible, according to the report.

In addition to financial operations, the groups are also involved in the development and sale of cyberweapons, “which isn’t very common,” the researchers said.

“Many of these threat actors are fighting it out over the same target space, making it difficult to attribute attacks,” Sysdig said. 

The researchers said Rubycarp mostly targets known vulnerabilities and conducts brute force attacks, where an attacker tries to gain access to a victim’s system by trying all possible combinations of usernames or passwords until they find the correct one.

What makes the group dangerous, according to researchers, are its post-exploitation tools and “the breadth of its capabilities.”

Rubycarp’s infrastructure includes many internet domains that are regularly rotated and often replaced and emptied of malicious content as soon as any potential research activity is detected, according to the report.

The group’s latest campaigns include targeting and exploiting the Laravel framework, which developers use to build web applications, via a vulnerability tracked as CVE-2021-3129. That kind of activity was associated with a different operation, Androxgh0st, that was the subject of an alert by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) earlier this year.

The analysts also recently discovered evidence of attacks on WordPress sites, using previously available dumps of compromised usernames and passwords.

Rubycarp currently operates a botnet, which has compromised over 600 servers. Once hackers obtain access to the targeted network, they infect it with a Perl Shellbot backdoor and connect the victim’s server to a command-and-control server so it can join the larger botnet.

For illicit cryptomining — when attackers quietly use an infected system to mine for cryptocurrency — Rubycarp uses several types of miners and sends the proceeds quietly to various digital wallets. Some miners, such as NanoMiner and XMRig, are well-known, while others, such as the one researchers named C3Bash, are custom-made.

During its phishing operations, Rubycarp steals financially valuable assets such as credit card numbers. The hackers are likely using these assets to fund their infrastructure, or possibly selling them on darknet forums, researchers said.

In a December 2023 hack, the group targeted Danish users and impersonated the Danish logistics company Bring. Researchers have identified 36 text files containing hundreds of Danish email addresses that were potentially targeted with phishing.

Other Rubycarp phishing targets include European entities such as Swish Bank and Nets Bank, Sysdig said.

Another interesting aspect of the group, according to the researchers, is that Rubycarp helps mentor people who are new to the cybercrime scene. “This does provide some financial benefits to the group since it can then sell them the toolset that it has made,” researchers said.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.