Malicious packages found in RubyGems repository again


Sonatype researchers have discovered two malicious packages, pretty_color and ruby-bitcoin, in the official RubyGems repository. Both packages have already been removed from the platform.

The malware hidden in these packages targeted Windows machines and replaced any cryptocurrency wallet address found in the clipboard with the attackers' own wallet address. In effect, it let the attackers redirect transactions and steal the victim's cryptocurrency.

The researchers write that pretty_color contained legitimate files for colorize, a well-known and reliable open source component, making it difficult to detect the threat.

"In fact, pretty_color is an identical copy of the colorize package and contains all of its code, including the complete README file," says the expert report.

The package also included a file named version.rb, which supposedly contained version metadata, but in fact contained obfuscated code designed to run a malicious script on Windows computers.

The code also contained a sarcastic reference to ReversingLabs threat analyst Tomislav Maljic, who in the spring of 2020 identified more than 700 malicious RubyGems libraries designed to mine bitcoins on infected machines.

All of the malicious packages detected at that time were clones of legitimate libraries. They relied on typosquatting: their names were deliberately similar to the originals, and they even worked as expected, but they also contained additional malicious files.

According to Sonatype researchers, the ruby-bitcoin package contains only malicious code (the same as in the version.rb file from pretty_color).
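As an added example, not code from the article or from Sonatype: a small Ruby audit that flags a gem's version.rb when it contains anything beyond version metadata, the trick used to hide the payload in pretty_color and ruby-bitcoin. The sample file contents are constructed, and the heuristics (the suspicious-pattern list and the allowed line shapes) are my own assumptions about what a benign version.rb looks like.

```ruby
# Heuristics for a version.rb that does more than declare version metadata: a
# legitimate one only wraps a VERSION constant in a module, so anything that
# evaluates, decodes or executes code deserves a human look.
SUSPICIOUS_PATTERNS = {
  /\b(eval|instance_eval|class_eval)\b/ => "dynamic code evaluation",
  /\b(system|exec|spawn|popen)\b|`/     => "process execution",
  /\b(Base64|decode64|unpack)\b/        => "decoding of an embedded payload",
  /win_platform|mswin|mingw/i           => "Windows-specific branch",
  /(["'])[A-Za-z0-9+\/=]{60,}\1/        => "long encoded string literal",
}.freeze

# Line shapes a plain version.rb needs: comments, module/class wrappers, the
# VERSION constant, requires and blank lines. Anything else is reported too.
BENIGN_LINE = %r{\A\s*(#.*|module\s+\S+|class\s+\S+|end|VERSION\s*=\s*['"][\w.\-]+['"](\.freeze)?|require\s+.+)?\s*\z}

# Returns [[line_number, reason], ...] for one file's source text.
def audit_version_rb(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    reasons = SUSPICIOUS_PATTERNS.select { |re, _| line.match?(re) }.values
    reasons << "statement outside version metadata" if reasons.empty? && !line.match?(BENIGN_LINE)
    reasons.each { |why| findings << [no, why] }
  end
  findings
end

# Audits lib/**/version.rb of every gem installed in this Ruby and returns
# { "gem full name: path" => findings } for the files that had any.
def scan_installed_gems
  report = {}
  Gem::Specification.each do |spec|
    Dir.glob(File.join(spec.full_gem_path, "lib", "**", "version.rb")).each do |path|
      findings = audit_version_rb(File.read(path))
      report["#{spec.full_name}: #{path}"] = findings unless findings.empty?
    end
  end
  report
end

# Constructed samples (not the real package contents): a normal version.rb and
# one hiding an encoded payload (here just the harmless "puts 1") behind that name.
BENIGN_VERSION_RB = "module Colorize\n  VERSION = \"0.8.1\"\nend\n"
SUSPICIOUS_VERSION_RB = <<~RUBY
  module PrettyColor
    VERSION = "1.0.0"
  end
  payload = "cHV0cyAx"
  eval(Base64.decode64(payload)) if Gem.win_platform?
RUBY
```

Run `scan_installed_gems` on a build machine and review anything it reports; the heuristics will produce some false positives, which is the intended trade-off for a file that should contain almost nothing.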

Interestingly, the plaintext version of the malicious script used in these attacks was found by the researchers on GitHub, under an unrelated account, as a file named wannacry.vbs, although it has no connection with the WannaCry malware.

"Spoofing bitcoin wallet addresses on the clipboard seems more like trivial mischief from an amateur attacker than a complex extortion operation," Sonatype analysts say.

However, open-source software repositories are used by both public and private organizations to develop mission-critical applications, and even such seemingly insignificant attacks are of great concern given how rampant attacks on software supply chains have been in 2020. Ultimately, SolarWinds was hacked due to an open-source bug on GitHub.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
