RubyGems package contains malware that steals Bitcoin

RubyGems, the open source package repository and manager for the Ruby programming language, took two packages offline after discovering that they contained malware.

RubyGems provides a standard format for distributing Ruby programs and libraries. These programs and libraries are packaged as "gems" that can be used to extend or modify the functionality of Ruby applications.

Sonatype researchers found that two gems available in the RubyGems repository, pretty_color and ruby-bitcoin, carried malware designed to steal bitcoin from users of the Web applications built with them.

"The malware contained in these gems can run persistently on infected Windows machines and replace any bitcoin or cryptocurrency wallet address it finds on the user's clipboard with the attacker's wallet," Sonatype researcher Ax Sharma wrote in a post on Wednesday. "This means that if a user (running a compromised Web application built with these gems) copies and pastes a bitcoin recipient wallet address anywhere on the system, it will be replaced by the attacker's address, which will then receive the bitcoin."

The first gem pairs legitimate code from a real package with malware, so that developers who use it are less likely to notice anything wrong. The pretty_color gem ships the full, descriptive README file and the complete working code of the trusted open source component colorize. Colorize is used to set the text color, background color and text effects of string output and has been downloaded 55 million times.

In addition to being an exact copy of the colorize package, pretty_color contains a rogue version.rb file that carries the malicious functionality. It is obfuscated code that generates and runs a malicious VBScript called "the_Score.vbs" on Windows systems, presumably a reference to the scammers' "score".

"Casual observers may mistake it for version metadata and ignore it," Sharma explained.

Once decoded, the malicious code performs a variety of tasks, according to the analysis, the most important of which is creating a second malicious VBScript. Sharma said that "%PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs" checks the user's clipboard every second for a bitcoin address and replaces it with the attacker's wallet address.

So if the user copies a wallet address to the clipboard, the script is polling often enough to swap it out almost immediately, with predictable consequences for the user.

For persistence, Sharma says, the_Score.vbs adds the path of the newly dropped Software Essentials.vbs to the appropriate Windows registry key, so the malware runs every time the system boots.

The other malicious gem, ruby-bitcoin, is simpler and contains only the malicious version.rb code described above. Sharma told Threatpost that ruby-bitcoin, which carries nothing but the malicious code, is a knock-off of the legitimate gem bitcoin-ruby, a Ruby library used to interact with the bitcoin protocol and network that has 500,000 downloads.

"Both gems take advantage of typosquatting and brand hijacking: developers make human errors and pull in the wrong package," he said. "You can see why [attackers] like typosquatting and brandjacking attacks: because developers make honest mistakes, they offer a higher chance of success."
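As an added illustration (not code from the article or from Sonatype), the following Ruby script checks an unpacked gem for the two patterns described above: a name that is a token permutation of a popular gem (the ruby-bitcoin / bitcoin-ruby case), and a version.rb that is far larger than a version file should be and contains strings associated with the dropper behaviour (a .vbs name, %PROGRAMDATA%, the Run registry key, base64 decoding, process spawning). The list of popular gems, the indicator regexes, the size threshold and the sample version.rb files are all assumptions constructed for the example; the "rogue" sample is a harmless mock made of strings and is never executed.

```ruby
require "tmpdir"
require "fileutils"

# Constructed list of popular gems an attacker might impersonate (assumption).
POPULAR_GEMS = %w[colorize bitcoin-ruby rails nokogiri].freeze

# Normalise a gem name: lowercase, split on '-' or '_', sort the tokens.
# "ruby-bitcoin", "bitcoin_ruby" and "Bitcoin-Ruby" all collapse to "bitcoin-ruby".
def name_key(name)
  name.downcase.split(/[-_]/).reject(&:empty?).sort.join("-")
end

# The popular gem whose name `name` is a token permutation of, or nil.
def brand_collision(name)
  return nil if POPULAR_GEMS.include?(name) # an exact match is the real package
  key = name_key(name)
  POPULAR_GEMS.find { |p| name_key(p) == key }
end

# Indicators drawn from the article's description of the rogue version.rb:
# obfuscated code that decodes and drops a .vbs under %PROGRAMDATA%, runs it,
# and registers it under the Run key. These regexes are assumptions, not Sonatype's rules.
INDICATORS = [
  [/\.vbs\b/i,                                    "references a VBScript file"],
  [/PROGRAMDATA/i,                                "touches %PROGRAMDATA%"],
  [/CurrentVersion\\+Run/i,                       "touches the Run registry key"],
  [/Base64\.(strict_)?decode64|\.unpack\(["']m/i, "decodes an embedded payload"],
  [/\b(eval|instance_eval|class_eval)\b/,         "evaluates generated code"],
  [/\b(system|exec|spawn|IO\.popen)\b|`/,         "spawns a process"],
].freeze

# A legitimate version.rb is a handful of lines assigning VERSION (threshold is an assumption).
VERSION_RB_MAX_BYTES = 256

# Scan one version.rb and return a list of human-readable findings.
def audit_version_rb(path)
  src = File.read(path)
  findings = []
  if src.bytesize > VERSION_RB_MAX_BYTES
    findings << "#{src.bytesize} bytes, larger than a plain version file"
  end
  INDICATORS.each { |re, why| findings << why if src.match?(re) }
  findings
end

# Audit an unpacked gem directory: name collision plus every version.rb under lib/.
def audit_gem(name, dir)
  report = { name: name, collision: brand_collision(name), files: {} }
  Dir.glob(File.join(dir, "lib", "**", "version.rb")).sort.each do |path|
    findings = audit_version_rb(path)
    report[:files][path.delete_prefix("#{dir}/")] = findings unless findings.empty?
  end
  report
end

# Constructed samples: a benign version.rb and a string-only mock of the rogue one.
BENIGN_VERSION_RB = "module Colorize\n  VERSION = \"0.8.1\"\nend\n"
ROGUE_VERSION_RB = <<~'RUBY'
  module PrettyColor
    VERSION = "0.1.0"
  end
  # Mock of the obfuscated dropper (strings only; this file is never executed).
  blob = "VGhpcyBpcyBub3QgYSBwYXlsb2Fk"
  vbs  = File.join(ENV["PROGRAMDATA"].to_s, "the_Score.vbs")
  File.write(vbs, Base64.decode64(blob))
  system("wscript.exe #{vbs}")
  # persists via HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RUBY

# Build the sample gems in a temp dir and audit them; returns one report per gem.
def demo
  Dir.mktmpdir do |root|
    { "colorize" => BENIGN_VERSION_RB,
      "pretty_color" => ROGUE_VERSION_RB,
      "ruby-bitcoin" => ROGUE_VERSION_RB }.map do |name, src|
      lib = File.join(root, name, "lib", name.tr("-", "_"))
      FileUtils.mkdir_p(lib)
      File.write(File.join(lib, "version.rb"), src)
      audit_gem(name, File.join(root, name))
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |r| puts r.inspect }
end
```

Note what the name check does and does not catch: ruby-bitcoin is flagged as a permutation of bitcoin-ruby, but pretty_color shares no tokens with colorize and only the content scan catches it, which is why a name-based allowlist alone is not enough. Run it against a real gem with `gem unpack <name>` followed by `audit_gem(name, dir)`; the indicator list is a starting point and will also flag legitimate gems that shell out or decode data from version.rb, so treat a hit as something to read, not as a verdict.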

Unfortunately, anyone, including threat actors, can upload gems to the RubyGems repository.

"For any open source system, if honest users and the general public can use it, then so can the adversary," Sharma said.

The good news is that the gems, which have since been taken offline, were not downloaded much, according to Sonatype. For example, pretty_color, the package imitating the legitimate colorize gem, was published on December 13 and yanked by RubyGems the next day after only five downloads. Similarly, ruby-bitcoin had fewer than 100 downloads.

"With open source software supply chain attacks, we can never be sure of the actual impact, which could be even greater," Sharma told Threatpost in an emailed interview. "We don't know who downloaded the packages or whether developers included them as dependencies in their applications. If that's the case, we can't be sure who downloaded the apps with pretty_color or ruby-bitcoin in them."

The code has also been found outside the RubyGems repository.

"Variants of the plain-text the_Score.vbs generated by the obfuscated version.rb also exist on GitHub, under unrelated third-party accounts," Sharma said. "Although the same file on GitHub is called 'wannacry.vbs', the Sonatype Security Research team found no conclusive evidence linking the code to the original WannaCry ransomware operators."

Supply chain attacks
Sharma points to this as an example of how attackers are increasingly targeting the software supply chain that developers rely on to build their applications, and notes a 430 percent increase in upstream software supply chain attacks seen by Sonatype over the past year.

"While these gems steal cryptocurrency, as we have repeatedly seen, open source malware targeting GitHub, npm and RubyGems can exploit trust within the open source community to deliver virtually any malware, from sophisticated spy trojans such as njRAT to the new Discord info-stealing malware family CursedGrabber."

He added: "One of the questions I'm thinking about is whether the open source ecosystem will attract adversaries like ransomware operators. Fortunately, that hasn't happened yet, but that's not to say it won't."

Looking ahead, attacks on the software supply chain will only grow over time and will be adopted by more advanced threat actors.

"Gitpaste-12 quickly returned with 30 new exploits, many of them involving open source components, rather than the 12 previously exploited vulnerabilities," Sharma said. "As more adversaries step in, security companies are catching up, and the nature of these attacks is expected to become more advanced, complex and difficult to detect in the absence of some form of automation."

He added that slipping malicious code changes into open source projects used by developers around the world is a tactic that is hard to track. It also means that the spread of the malware is limited only by the number of applications built with the corrupted components.

"It's almost impossible to track and trace such components manually," he said.

To even begin to understand whether they are shipping vulnerable code, developers and organizations need to maintain a software bill of materials (SBOM) for all their applications, so that they can track and trace where each component is embedded in their production software, he told Threatpost.

"This is the only way to assess and remediate risk whenever new open source vulnerabilities are publicly disclosed, malicious or not," he said. "But it's almost impossible to do this manually. What if the malware lurks in the dependencies of your dependencies (transitive dependencies) used in your software application? What if pretty_color, as we see in the code, hides in the last place you'd look, through techniques such as obfuscation and minification?"

At a minimum, developers and organizations should have the right tooling to generate SBOMs. "However, deploying automated solutions in your DevSecOps workflow to perform deeper binary analysis and discover counterfeit components is a more reliable prevention strategy," Sharma added.
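As an added example that is not part of the article or of Sonatype's tooling, here is the smallest useful form of the inventory Sharma describes for a Ruby application: parse Gemfile.lock, which already records every direct and transitive gem with its version, and report every dependency chain through which a flagged gem reaches the application. The lockfile below is constructed for the example (fancy_log is a hypothetical gem that pulls in pretty_color transitively); the flagged names are the two gems from the article. It relies only on the Gemfile.lock layout Bundler writes (4-space indent for a spec, 6-space indent for that spec's dependencies, 2-space indent under DEPENDENCIES).

```ruby
# Gems to look for; taken from the article. Add names from any advisory feed you trust.
FLAGGED = %w[pretty_color ruby-bitcoin].freeze

# Parse Gemfile.lock into { direct: [names], specs: { name => { version:, deps: [] } } }.
# Handles GEM, GIT and PATH sections; other sections (PLATFORMS, BUNDLED WITH) are skipped.
def parse_lockfile(text)
  specs = {}
  direct = []
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/ # unindented line starts a new section
      section = line
      next
    end
    case section
    when "GEM", "GIT", "PATH"
      if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))      # "    name (version)"
        current = m[1]
        specs[current] = { version: m[2], deps: [] }
      elsif (m = line.match(/\A {6}(\S+)/)) && current       # "      dep (constraint)"
        specs[current][:deps] << m[1]
      end
    when "DEPENDENCIES"
      if (m = line.match(/\A {2}(\S+?)!?(?: \(|\z)/))        # "  name", "  name (~> 1.0)", "  name!"
        direct << m[1]
      end
    end
  end
  { direct: direct, specs: specs }
end

# Every chain [direct, ..., target] by which `target` is reachable from a direct dependency.
def paths_to(lock, target)
  results = []
  walk = lambda do |name, chain|
    chain += [name]
    if name == target
      results << chain
      return
    end
    (lock[:specs].dig(name, :deps) || []).each do |dep|
      walk.call(dep, chain) unless chain.include?(dep) # guard against cycles
    end
  end
  lock[:direct].each { |d| walk.call(d, []) }
  results
end

# Report each flagged gem present in the lockfile with its version and every path to it.
def audit_lockfile(text, flagged = FLAGGED)
  lock = parse_lockfile(text)
  flagged.each_with_object({}) do |gem, out|
    next unless lock[:specs].key?(gem)
    out[gem] = { version: lock[:specs][gem][:version], paths: paths_to(lock, gem) }
  end
end

# Constructed sample lockfile; fancy_log is a hypothetical gem used to show a transitive pull-in.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      colorize (0.8.1)
      fancy_log (1.2.0)
        pretty_color (~> 0.1)
      pretty_color (0.1.0)
        colorize (~> 0.8)
      rainbow (3.0.0)
      ruby-bitcoin (0.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    fancy_log
    rainbow (~> 3.0)
    ruby-bitcoin

  BUNDLED WITH
     2.1.4
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  audit_lockfile(text).each do |gem, info|
    puts "#{gem} #{info[:version]}"
    info[:paths].each { |p| puts "  via #{p.join(' -> ')}" }
  end
end
```

Run it as `ruby audit_lockfile.rb path/to/Gemfile.lock` to check a real project. In the sample, ruby-bitcoin is a direct dependency, while pretty_color never appears in the Gemfile at all and is reached only through fancy_log, which is exactly the transitive case Sharma warns about; the chain tells you which direct dependency to pin, replace or remove. This covers what is recorded in the lockfile, not what the gem's contents actually do, so it complements rather than replaces the binary and content analysis he recommends.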