Malicious RubyGems packages used in cryptocurrency supply chain attacks


New malicious RubyGems software packages have been discovered that are being used in supply chain attacks to steal cryptocurrencies from unsuspecting users.

RubyGems is the package manager for the Ruby programming language, allowing developers to download code developed by others and integrate it into their programs.

Because anyone can upload a gem to the RubyGems repository, threat actors can publish malicious packages there in the hope that other developers will integrate them into their programs.

If a widely used project integrates a malicious package, the result is a supply chain attack: the malware is distributed to every user of that project.

Malicious gems steal the user’s cryptocurrency
Today, open source security firm Sonatype reported two malicious Ruby gems that install clipboard hijackers. The packages masquerade as a bitcoin library and a library for displaying strings with different color effects.

Clipboard hijackers monitor the clipboard for cryptocurrency addresses and, when one is detected, replace it with an attacker-controlled address. Unless the user checks the address again after pasting it, the coins are sent to the attacker's wallet instead of the intended recipient.

The malicious packages are named "pretty_color-0.8.1.gem" and "ruby-bitcoin-0.0.20.gem" respectively, and each contains a malicious Ruby script that drops a VBS script acting as a clipboard hijacker.

As shown below, ruby-bitcoin-0.0.20.gem contains an extconf.rb script that holds an obfuscated base64-encoded string.

The Ruby script contains a comment giving a shout-out to Tomislav Maljic of ReversingLabs, who previously discovered 760 malicious Ruby packages that also performed clipboard hijacking.

The base64-encoded string decodes to a VBS script, which is executed to create a second malicious VBS file and configure it to start automatically whenever a user logs on to Windows. That second script is the clipboard hijacker; it is stored as C:\ProgramData\Microsoft Essentials\Essentials.vbs so that it resembles the old Microsoft Security Essentials security software.
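The dropper pattern described above (a build script carrying a base64 blob that decodes to a VBS loader with a Run-key persistence entry) is easy to triage mechanically. The following Ruby script is an added example, not code from the article, from Sonatype, or from the malicious gems themselves: it pulls long base64 runs out of an extconf.rb, decodes the ones that turn into readable text, and flags the indicators named in the article (WScript.Shell, a CurrentVersion\Run entry, ProgramData, a .vbs file, clipboard access). The sample extconf.rb and VBS text embedded below are constructed for illustration and are never executed; they do not reproduce the real gem's payload.

```ruby
# frozen_string_literal: true
require "base64"

# Added example: triage helper for a gem build script (not the gem's own code).

# A contiguous base64 run long enough to be worth decoding.
BASE64_BLOB = %r{[A-Za-z0-9+/]{80,}={0,2}}.freeze

# Strings whose presence in a decoded blob warrants a closer look.
# These are the behaviours the article describes for the dropper/hijacker.
INDICATORS = {
  wscript_shell:    /CreateObject\(\s*"WScript\.Shell"\s*\)/i,
  filesystem_write: /Scripting\.FileSystemObject|CreateTextFile|\.Write(?:Line)?\b/i,
  run_key:          /CurrentVersion\\Run\b/i,
  programdata:      /ProgramData/i,
  vbs_file:         /\.vbs\b/i,
  clipboard:        /clipboard/i
}.freeze

# Pull every long base64 run out of a Ruby source file and decode it.
# Blobs that decode to readable text are returned as UTF-8 strings; anything
# else is returned as raw bytes and marked non-printable for another tool.
def decode_base64_blobs(source)
  source.scan(BASE64_BLOB).map do |blob|
    bytes = Base64.decode64(blob)            # lenient: tolerates missing padding
    text = bytes.force_encoding(Encoding::UTF_8)
    printable = text.valid_encoding? && text.match?(/\A[[:print:][:space:]]*\z/)
    { blob: blob, decoded: printable ? text : bytes.b, printable: printable }
  end
end

# Names of the INDICATORS that match a decoded blob.
def indicators_for(text)
  INDICATORS.select { |_, re| text.match?(re) }.keys
end

# Decode every printable blob in a build script and keep the suspicious ones.
def triage_extconf(source)
  decode_base64_blobs(source).filter_map do |entry|
    next unless entry[:printable]
    hits = indicators_for(entry[:decoded])
    { indicators: hits, decoded: entry[:decoded] } unless hits.empty?
  end
end

# Constructed VBS loader text for the demo: writes a persistence entry of the
# kind the article describes. It is only ever treated as data here.
SAMPLE_VBS = <<~'VBS'
  Set sh = CreateObject("WScript.Shell")
  Set fso = CreateObject("Scripting.FileSystemObject")
  target = sh.ExpandEnvironmentStrings("%ProgramData%") & "\Microsoft Essentials\Essentials.vbs"
  sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Essentials", "wscript.exe " & target
VBS

# Constructed stand-in for a malicious extconf.rb (a string, never executed).
SAMPLE_EXTCONF = <<~RUBY
  require "mkmf"
  # build helper
  payload = "#{Base64.strict_encode64(SAMPLE_VBS)}"
  File.write("loader.vbs", Base64.decode64(payload))
  system("wscript", "loader.vbs")
  create_makefile("native_ext")
RUBY

if __FILE__ == $PROGRAM_NAME
  triage_extconf(SAMPLE_EXTCONF).each do |hit|
    puts "indicators: #{hit[:indicators].join(', ')}"
    puts hit[:decoded]
  end
end
```

To use it on a real package, run `gem unpack <file>.gem`, feed `File.read("…/ext/…/extconf.rb")` to `triage_extconf`, and treat any hit as a reason to read the decoded text by hand; a build script has no legitimate reason to write to ProgramData or a Run key.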

The clipboard hijacker polls the clipboard every second and checks whether it contains a Bitcoin, Ethereum or Monero address.

If it finds one, it replaces it with an address of the same cryptocurrency that is under the attacker's control.
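The matching step is the whole trick: the hijacker does not need to understand wallets, it only needs to recognise that the clipboard holds something shaped like an address and swap it for one of the same kind. The Ruby below is an added example, not code from the article or from the VBS script the gems drop; it models that replacement step and the "check the address again after pasting" test from the defender's side. The regexes are the standard address formats (an assumption; the real script's exact patterns are not shown on the page), and the attacker addresses are the three the article lists.

```ruby
# frozen_string_literal: true

# Added example: clipboard-hijacker address matching, modelled in Ruby
# (not the malicious gems' own code).

# The attacker-controlled addresses reported in the article.
ATTACKER_ADDRESSES = {
  bitcoin:  "bc1qgmem0e4mjejg4lpp03tzlmhfpj580wv5hhkf3p",
  ethereum: "0xcB56f3793cA713813f6f4909D7ad2a6EEe41eF5e",
  monero:   "467FN8ns2MRYfLVEuyiMUKisvjz7zYaS9PkJVXVCMSwq37NeesHJpkfG44mxEFHu8Nd9VDtcVy4kM9iVD7so87CAH2iteLg"
}.freeze

# Whole-string patterns for the standard address formats (assumed; the real
# script's regexes are not on the page). A hijacker only acts when the
# clipboard holds nothing but an address, which is the usual copy/paste case.
ADDRESS_PATTERNS = {
  # legacy P2PKH/P2SH (base58, starts with 1 or 3) or bech32 (bc1...)
  bitcoin:  /\A(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{39,59})\z/,
  # 0x followed by 20 bytes of hex
  ethereum: /\A0x[0-9a-fA-F]{40}\z/,
  # base58, 95 chars (standard/subaddress) or 106 chars (integrated)
  monero:   /\A[48][1-9A-HJ-NP-Za-km-z]{94}(?:[1-9A-HJ-NP-Za-km-z]{11})?\z/
}.freeze

# Returns :bitcoin, :ethereum, :monero, or nil for anything else.
def classify_address(text)
  s = text.strip
  ADDRESS_PATTERNS.each { |coin, re| return coin if s.match?(re) }
  nil
end

# Model of the hijacker's replacement step, run once per poll of the
# clipboard: an address of a monitored kind is swapped for the attacker's
# address of the same kind; anything else passes through untouched.
def swap_address(clipboard_text, replacements = ATTACKER_ADDRESSES)
  coin = classify_address(clipboard_text)
  coin ? replacements.fetch(coin, clipboard_text) : clipboard_text
end

# The defender's side: compare what was copied with what actually got pasted.
# :swapped_known_attacker means the pasted value is one of the reported IOCs.
def verify_paste(intended, pasted)
  return :ok if intended.strip == pasted.strip
  return :not_an_address unless classify_address(pasted)
  ATTACKER_ADDRESSES.value?(pasted.strip) ? :swapped_known_attacker : :swapped_unknown
end

if __FILE__ == $PROGRAM_NAME
  # Constructed wallet address for the demo (valid shape, not a real wallet).
  wallet = "0x" + "ab" * 20
  pasted = swap_address(wallet)
  puts "copied:  #{wallet}"
  puts "pasted:  #{pasted}"
  puts "verdict: #{verify_paste(wallet, pasted)}"
end
```

The same regexes serve as a one-line hunting rule: grep endpoint clipboard telemetry, memory dumps or scripts for the three attacker addresses, and treat any copy/paste pair where `verify_paste` returns anything but `:ok` as a hijack until proven otherwise.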

The list of addresses used by the attacker is:

Bitcoin: bc1qgmem0e4mjejg4lpp03tzlmhfpj580wv5hhkf3p
Ethereum: 0xcB56f3793cA713813f6f4909D7ad2a6EEe41eF5e
Monero: 467FN8ns2MRYfLVEuyiMUKisvjz7zYaS9PkJVXVCMSwq37NeesHJpkfG44mxEFHu8Nd9VDtcVy4kM9iVD7so87CAH2iteLg

The ruby-bitcoin-0.0.20.gem package was added to RubyGems on December 7 and was downloaded 81 times; pretty_color-0.8.1.gem was added on December 13 and downloaded 61 times. Both packages were removed by RubyGems the day after they were added to the repository.

At the time of writing, none of the attacker's addresses has received any funds.

Supply chain attacks are becoming more common because a single compromise of, or malicious inclusion in, a project affects all of its users.

In the past two months, malicious NPM packages have been discovered that install the njRAT remote access trojan or steal Discord accounts. This week, network management company SolarWinds suffered a massive supply chain attack that affected nearly 18,000 customers, including U.S. government agencies.

You can see a demo of a previous clipboard hijacker in the video below, showing how it replaces a Bitcoin address.