BleepingComputer reports that RUBYCARP, a Romanian threat group active for at least a decade, has relied on exploitation of known vulnerabilities and brute-force attacks to build a botnet that currently spans more than 600 compromised servers.
According to a report from the Sysdig Threat Research Team, RUBYCARP spent several months exploiting the Laravel remote code execution vulnerability tracked as CVE-2021-3129 and has since shifted to brute-forcing SSH credentials; each server it breaks into receives a shellbot payload that enrolls the host in the group's IRC-controlled botnet.
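The SSH brute-force stage described above is the point where a defender has the best chance to catch the intrusion before the shellbot is dropped. As an added example that is not part of the BleepingComputer or Sysdig reporting, the script below parses sshd authentication lines, keeps a sliding window of failed logins per source address, and raises a second, higher-severity alert when a source that was already hammering the service subsequently gets an accepted login (the pattern a botnet builder produces when the password guess finally lands). The log lines are constructed for the example, the threshold of five failures in sixty seconds is an assumed tuning value, and the year pinned to the syslog timestamps is an assumption because syslog omits it.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: syslog timestamps carry no year, so one is pinned for parsing.
ASSUMED_YEAR = 2024

# Matches the two sshd outcomes of interest. "invalid user" lines are
# failures against accounts that do not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log, not taken from the report: one source hammers
# root and then gets in with a password; a second source is normal key use.
SAMPLE_AUTH_LOG = """\
Apr 10 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51120 ssh2
Apr 10 03:14:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr 10 03:14:05 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Apr 10 03:14:07 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51126 ssh2
Apr 10 03:14:09 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51128 ssh2
Apr 10 03:14:12 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Apr 10 03:20:44 web1 sshd[2150]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Apr 10 03:21:02 web1 sshd[2152]: Accepted publickey for alice from 198.51.100.9 port 40012 ssh2
"""


@dataclass
class SshEvent:
    ts: datetime
    accepted: bool
    method: str
    user: str
    ip: str


def parse_events(log_text: str) -> list[SshEvent]:
    """Turn raw sshd lines into events; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append(SshEvent(ts, m["result"] == "Accepted", m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed logins per source IP.

    Emits a 'brute_force' alert the first time a source reaches `threshold`
    failures inside `window`, and a 'brute_force_success' alert if that same
    source later gets an Accepted login, which is the event that precedes a
    payload drop when the guessing finally succeeds.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures in window
    flagged_ips = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.accepted:
            if ev.ip in flagged_ips:
                alerts.append({"kind": "brute_force_success", "ip": ev.ip,
                               "user": ev.user, "method": ev.method, "at": ev.ts})
            continue
        window_q = recent_failures[ev.ip]
        window_q.append(ev.ts)
        while window_q and ev.ts - window_q[0] > window:
            window_q.popleft()  # drop failures that aged out of the window
        if len(window_q) >= threshold and ev.ip not in flagged_ips:
            flagged_ips.add(ev.ip)
            alerts.append({"kind": "brute_force", "ip": ev.ip,
                           "failures": len(window_q), "at": ev.ts})
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_bruteforce(parse_events(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the detector produces exactly two alerts, both for 203.0.113.7: the burst of five failures, then the password login for root that follows it. The lone failure from 198.51.100.9 followed by a public-key login never crosses the threshold. Tools such as fail2ban implement the same first half (count failures, then block); the success-after-burst correlation is what turns a noise alert into one worth paging on, and on hosts where password authentication is disabled in sshd_config the "Accepted password" branch should never fire at all.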
Beyond the botnet itself, the researchers observed the group deploying the XMRig, NanoMiner, and C2Bash miners on compromised hosts to mine cryptocurrency for its own benefit. RUBYCARP also runs phishing campaigns whose emails spoof European financial and logistics companies in order to harvest financial data, and has moved into developing and selling offensive tooling.