Sysdig digs up a ransomware gang in stealth for over a decade
- by nlqip
Laravel is a free and open-source PHP-based web framework for building high-end web applications. This vulnerability allows unauthenticated attackers to execute arbitrary code on the affected systems.
The threat actor’s exploitation of the Laravel applications also led Sysdig to evidence that the group was using secure shell (SSH) brute forcing as another means of gaining access to its targets.
“Recently, we also discovered evidence of the threat actor targeting WordPress sites using dumps of usernames and passwords. RUBYCARP continues to add new exploitation techniques to its arsenal in order to build its botnets,” Sysdig added.
The gang has flown under the radar for a long time, and Sysdig’s TRT appears to be the first to uncover it. “TRT found their public ICS chats when they got access, so there’s insight into how the team brought on new potential hackers and trained them around the tooling and approach that the gang used too,” Sysdig said.
Financially motivated threat actor
Once access is obtained, a backdoor is installed based on the popular Perl Shellbot, Sysdig explained. The victim’s server is then connected to an IRC server acting as command and control (C2) and joins the larger botnet.
“During RUBYCARP’s reconnaissance phase, we found 39 variants of the Perl file (shellbot), but only eight were in VirusTotal. This means that only a few campaigns were previously detected,” the company added.
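Two of the behaviours described above, SSH brute forcing for initial access and a Perl Shellbot backdoor that calls out to an IRC C2 server, are both visible from host telemetry. The following is an added example of simple triage checks for them; it is not Sysdig's code, and the log lines, socket table, failure threshold and IRC port list are all constructed assumptions for this illustration.

```python
"""
Triage helpers for two RUBYCARP behaviours: SSH brute forcing for initial
access, and a Perl Shellbot backdoor with an outbound IRC C2 connection.
All sample inputs below are constructed for this example.
"""
from collections import Counter
import re

# Constructed sshd lines in auth.log format (not taken from the article).
AUTH_LOG = """\
Apr  9 10:01:02 web1 sshd[2311]: Failed password for root from 198.51.100.7 port 51022 ssh2
Apr  9 10:01:03 web1 sshd[2311]: Failed password for root from 198.51.100.7 port 51023 ssh2
Apr  9 10:01:05 web1 sshd[2312]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Apr  9 10:01:06 web1 sshd[2313]: Failed password for root from 198.51.100.7 port 51025 ssh2
Apr  9 10:01:09 web1 sshd[2314]: Accepted password for deploy from 203.0.113.5 port 40011 ssh2
Apr  9 10:01:10 web1 sshd[2315]: Failed password for deploy from 203.0.113.5 port 40012 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")


def ssh_bruteforce_sources(log_text: str, threshold: int = 3) -> dict:
    """Return {source_ip: failure_count} for sources at or above the threshold.

    The threshold is an assumption; tune it to the host's normal failure rate.
    """
    counts = Counter(m.group(1) for line in log_text.splitlines()
                     if (m := FAILED_RE.search(line)))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed socket table: (pid, process name, remote ip, remote port, state),
# the shape one would build from `ss -tnp` output.
SOCKETS = [
    (4120, "perl", "192.0.2.44", 6667, "ESTAB"),
    (4121, "perl", "192.0.2.44", 80, "ESTAB"),
    (900, "nginx", "203.0.113.9", 443, "ESTAB"),
    (4130, "perl", "192.0.2.45", 6697, "ESTAB"),
]
IRC_PORTS = {6667, 6697}  # assumed: common plaintext and TLS IRC ports


def perl_irc_c2_candidates(sockets) -> list:
    """Flag Perl processes holding established connections to IRC ports.

    A Perl interpreter talking IRC on a web server is the pattern the
    Shellbot-based backdoor produces; confirm by inspecting the process.
    """
    return [(pid, ip, port) for pid, name, ip, port, state in sockets
            if name == "perl" and state == "ESTAB" and port in IRC_PORTS]
```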