New malicious RubyGem packages have been discovered that are being used to steal cryptocurrency from unsuspecting users. RubyGems is a package manager for the Ruby programming language that allows developers to download and integrate other developers’ code. As any developer can upload packages to the RubyGems repository, it allows criminals to upload malicious packages to the repository in hopes that another developer will use it in their code. This allows the attacker to infect various amounts of code and if a large project uses the malicious package, it could create a supply chain attack with a wide distribution. Open-source security firm Sonatype reported two malicious packages that install a clipboard hijacker. The malicious packages pretend to be a bitcoin library and a library for displaying strings with different color effects. The clipboard hijacker monitors the infected system for the Windows clipboard for cryptocurrency address, if one is detected, it replaces it with an address under the attacker’s control. Unless the user double-checks the wallet address, any transactions will be sent to the attack’s wallet. The names of the malicious packages are ‘pretty_color-0.8.1gem’ and ‘ruby-bitcoin-0.0.20.gem’ and the attacker’s wallet addresses are:
Bitcoin: bc1qgmem0e4mjejg4lpp03tzlmhfpj580wv5hhkf3p, Ethereum: 0xcB56f3793cA713813f6f4909D7ad2a6EEe41eF5e, Monero: 467FN8ns2MRYfLVEuyiMUKisvjz7zYaS9PkJVXVCMSwq37NeesHJpkfG44mxEFHu8Nd9VDtcVy4kM9iVD7so87CAH2iteLg
Analyst Notes
If the developer wishes to integrate third-party codes, these two packages should be avoided at all costs. The developer should research each package thoroughly before integrating any other codes. Anytime a cryptocurrency transaction takes place, the recipient’s address should be verified to make sure the funds are going to the proper place. Administrators should also block the above addresses so that they cannot be sent any funds.
Source Article: https://www.bleepingcomputer.com/news/security/malicious-rubygems-packages-used-in-cryptocurrency-supply-chain-attack/
