Sonatype experts have discovered the pretty_color and ruby-bitcoin malicious packages in the official RubyGems repository. The malware has already been removed from the platform.
The malware hidden in the mentioned packages targeted Windows machines and replaced the addresses of any cryptocurrency wallets in the clipboard with the attackers’ wallet address. In essence, the malware helped hackers intercept transactions and steal someone else’s cryptocurrency.
The researchers write that pretty_color contained legitimate files for colorize, a well-known and reliable open source component, making it difficult to detect the threat.
The package also included a file named version.rb, which supposedly contained version metadata, but in fact contained obfuscated code designed to run a malicious script on Windows computers.
In the code was also noted a sarcastic reference to ReversingLabs threat analyst Tomislav Maljic, who in the spring of 2020 identified more than 700 malicious RubyGems libraries designed to mine bitcoins on infected machines.
All the malware detected at that time were clones of various legitimate libraries. They used the typosquatting technique, that is, they had names deliberately similar to the originals, and even worked, but also contained additional malicious files.
According to Sonatype researchers, the ruby-bitcoin package contains only malicious code (the same as in the version.rb file from pretty_color).
Interestingly, the text version of the malicious script used in these attacks was discovered by experts on GitHub under an unrelated account called wannacry.vbs, although it definitely has no connection with WannaCry malware.
However, open-source software repositories are used by both public and private organizations to develop mission-critical applications. And even such seemingly insignificant attacks are of great concern given how rampant attacks on software supply chains have been in 2020. Ultimately, SolarWinds was hacked due to an open-source bug on GitHub.
