Two RubyGems Packages Found to Contain Bitcoin-Stealing Malware
Two RubyGems packages were found to be laced with Bitcoin-stealing malware, one of which contained code from a real package that was used to obfuscate the malware. The two gems contained malware that were set to run persistently on infected Windows machines and were designed to clipboard-hijack any Bitcoin or cryptocurrency wallet addresses it found. In practice, this means is that if a user were to copy-paste a Bitcoin recipient wallet address anywhere on their system, the malware would swap out the user’s intended address with the address of the attacker, thereby sending the Bitcoins to the attacker.
RubyGems, which is an open-source package repository and manager for the Ruby web programming language, has taken the two software packages offline once they were discovered to be malware. RubyGems provides a standard format for distributing Ruby programs and libraries in the service of building web applications. These programs and libraries are collected into software packages called “gems,” which can be used to extend or modify functionality in Ruby applications. The two gems in question were named “pretty_color” and “ruby_bitcoin.”
The first gem, pretty_color, is a complete copy of the open-source component called “colorize,” which is used for setting text colors, background colors and text effects for web apps. While being a complete copy of colorize, pretty_color also contained a rogue version.rb file that was responsible for the malicious activity. Once decoded, the malicious code carries out various tasks, the most important of which is creating another malicious VBScript. “%PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs” monitors the user’s clipboard every second for a Bitcoin address and replaces it with the attacker’s wallet address if detected.
The other malicious gem, called ruby-bitcoin, is much simpler and only contains the malicious version.rb cod. While only containing the malicious code, is a variation of “bitcoin-ruby,” which is a legitimate gem. “Bitcoin-ruby” is a Ruby library for interacting with the bitcoin protocol/network, with half a million downloads.
Both gems utilize typo squatting and brandjacking, which involves a developer incorrectly typing or searching for a known gem and instead downloading a different one by mistake.
Due to it’s open-source nature, anyone can upload a gem to the RubyGems repository. Even those with malicious intentions.
Sources: