The Sysdig Threat Research Team has uncovered a Romanian cybercriminal group it believes has been operational for at least ten years. The researchers have named the group RubyCarp.
This raises two immediate questions: why do they believe the group is Romanian, and how can a criminal group be undiscovered for ten years? SecurityWeek spoke to Michael Clark, director of threat research, and Crystal Morin, cybersecurity strategist at Sysdig, for further information. Sysdig has also published a report on the subject.
It isn’t that RubyCarp’s activities have necessarily never been seen, but that the visible aspects of their methodology are similar to many other criminal groups. Attribution difficulties may have cloaked their separate existence. Clark noted, for example, certain similarities with the Androxgh0st group since both chose to exploit Laravel. However, the level of detail now discovered by Sysdig makes the researchers confident that RubyCarp is a distinct cybercriminal group.
The reasons for RubyCarp’s long invisibility are multiple. Firstly, the group’s members are just quietly going about their business. “They’re not trying to hurt anyone,” said Clark. “They’re just trying to make a few extra bucks. They’re not some big flashy ransomware gang that will attract the attention of the FBI with demands for millions of dollars – they’re just trying to pad their pockets with a few extra dollars every month.” Over ten years (or more) this will add up.
The second reason is that while the group hasn’t been hiding its work, it has been hiding its proprietary tools — but not necessarily from Sysdig’s honeypot. RubyCarp has developed its own suite of tools; and the discovery of these proprietary tools is a primary factor for calling it out as a specific criminal group. The result is a curious mix of nonchalance and sophistication.
The group, which is perhaps better described as a community, revolves around a small core (probably including the primary tool developer). The wider community communicates with each other over both public and private IRC channels. Each channel has its own admin, such as ‘juice’, ‘MUIE’, and ‘Smelter’. These are probably members of the core RubyCarp team. The multiple members are probably better described as criminal users of RubyCarp. The core both sells its tools and provides instructions on their use to this community.
RubyCarp has its own botnet, its own tools, and its own community of users that concentrate on cryptomining and credential phishing. “What’s important and significant is the level of access we have,” said Morin. “Being able to understand and find this many individuals and their communications, and an entire tool suite, isn’t common.”
In one of the IRC channels, the researchers found a link to the University of Chemical Technology and Metallurgy in Bulgaria. “The subdomain physics.uctm[.]edu appears to be compromised by RUBYCARP and contains detailed instructions and information on the tools used and the cryptominer configuration,” say the researchers. From these details, Sysdig has concluded that the RubyCarp primary developer is the user character who signs as ‘dog’.
The IRC channels also provide the main indication that RubyCarp is Romanian. It’s not definitive proof on its own, but Romanian and English are the only two languages used by the community.
At the time of writing, Sysdig still has access to RubyCarp. Whether this will continue after the researchers’ current revelations remains to be seen. However, it is surprising that Sysdig’s presence was either unknown or simply tolerated for so long. Clark suspects the former.
“Operational security is not usually a strong point for non-nation state hacker groups,” said Clark. “They’re probably not looking for intruders, and I don’t think they are particularly concerned about the prospect.”
But he added, “They made things difficult at times. They know their community, so they know who should be there and who shouldn’t be there at specific times; but there are limitations to what they can accomplish with IRC-based command and control and some of the other infrastructure they’re using to distribute files and things like that.”
If they’re not worried about being arrested (Sysdig’s report does not dox the core group), they may choose not to change anything, and simply learn to tolerate and cope with intruder researchers. “If you’re a criminal actor, and especially like this group where they are willing to help, share and teach newcomers, you’re not necessarily going to kick out anybody you don’t know. You’re hoping to grow and share what they’ve done with other criminal actors.”
Whether the group will remain nonchalant when Sysdig starts to publish an analysis of its tools – already in preparation – remains to be seen. But also unknown is the number of similar criminal gangs around the world who remain undetected – not through their own high security, but simply through being unnoticeable by maintaining a low profile.
Related: Ongoing Azure Cloud Account Takeover Campaign Targeting Senior Personnel
Related: Google Cloud Now Offering $1 Million Cryptomining Protection
Related: Sysdig Raises $350 Million at $2.5 Billion Valuation
Related: Sysdig Launches Realtime Attack Graph for Cloud Environments
