Laravel is a free and open-source PHP-based web framework for building high-end web applications. This vulnerability allows unauthenticated attackers to execute arbitrary code on the affected systems.
The threat actor’s exploitation of the Laravel applications also led Sysdig to evidence that the group uses secure shell (SSH) brute forcing as another way of gaining access to its targets.
“Recently, we also discovered evidence of the threat actor targeting WordPress sites using dumps of usernames and passwords. RUBYCARP continues to add new exploitation techniques to its arsenal in order to build its botnets,” Sysdig added.
The gang has gone under the radar for a long time, and Sysdig’s TRT is seemingly the first to uncover them. “TRT found their public ICS chats when they got access, so there’s insight into how the team brought on new potential hackers and trained them around the tooling and approach that the gang used too,” Sysdig said.
Financially motivated threat actor
Once access is obtained, a backdoor based on the popular Perl Shellbot is installed, Sysdig explained. The victim’s server is then connected to an IRC server acting as command and control (C2) and joins the larger botnet.
“During RUBYCARP’s reconnaissance phase, we found 39 variants of the Perl file (shellbot), but only eight were in VirusTotal. This means that only a few campaigns were previously detected,” the company added.
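The behaviour described above, a Perl-based bot holding an outbound connection to an IRC server, is something a defender can look for directly on a host. The following is an added example, not code from Sysdig or from the article: it parses connection records in the layout printed by `ss -tnp`, constructed here as sample input, and flags sockets owned by a Perl interpreter whose peer port is one of the ports conventionally used by IRC. The port list and the interpreter name are assumptions for the example; a real deployment would feed it live `ss` output and tune both.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of `ss -tnp` output (not real telemetry).
# One established socket per line: state, local addr, peer addr, owning process.
SAMPLE_CONNECTIONS = """\
ESTAB 10.0.0.5:44122 203.0.113.9:6667 users:(("perl",pid=4711,fd=3))
ESTAB 10.0.0.5:44123 198.51.100.20:443 users:(("curl",pid=4800,fd=5))
ESTAB 10.0.0.5:44124 203.0.113.10:6697 users:(("perl",pid=4712,fd=3))
ESTAB 10.0.0.5:44125 192.0.2.7:22 users:(("ssh",pid=4900,fd=3))
ESTAB 10.0.0.5:44126 203.0.113.11:6667 users:(("weechat",pid=5000,fd=4))
"""

# Assumption: ports conventionally used by IRC (plain and TLS). Tune per environment.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Assumption: interpreters that should not normally hold a long-lived IRC socket.
SUSPECT_INTERPRETERS = {"perl"}

Conn = namedtuple("Conn", "state local peer_host peer_port proc pid")

LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


def parse_connections(text):
    """Parse ss-style lines into Conn records; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, _, port = m.group("peer").rpartition(":")
        conns.append(Conn(m.group("state"), m.group("local"), host,
                          int(port), m.group("proc"), int(m.group("pid"))))
    return conns


def find_irc_bot_candidates(text):
    """Return PIDs of interpreter processes with an established socket to an IRC port."""
    return sorted(
        c.pid for c in parse_connections(text)
        if c.state == "ESTAB"
        and c.proc in SUSPECT_INTERPRETERS
        and c.peer_port in IRC_PORTS
    )


if __name__ == "__main__":
    for pid in find_irc_bot_candidates(SAMPLE_CONNECTIONS):
        print(f"suspect IRC bot candidate: pid={pid}")
```

In the sample the two `perl` processes on ports 6667 and 6697 are reported, while `curl`, `ssh` and the `weechat` IRC client are not: the signal is the combination of a scripting interpreter and an IRC peer port, not IRC traffic by itself. A hit is a starting point for looking at the process command line and its parent, not a verdict on its own.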