Hackers are exploiting open-source repositories such as RubyGems to spread malicious packages intended to compromise developers' computers or to backdoor the software projects they work on.
Security researchers at ReversingLabs revealed that more than 700 malicious gems were distributed through the RubyGems repository by supply chain attackers.
The campaign used typosquatting: the attackers uploaded packages under intentionally misspelled versions of legitimate names, expecting that an unwitting developer would mistype a name and install the malicious library instead.
The typosquatted packages were uploaded to RubyGems between February 16 and February 25, and the majority were designed to secretly steal funds by redirecting cryptocurrency transactions to a wallet address chosen by the attackers.
This supply chain attack targeted Ruby developers on Windows systems who also used those machines to make Bitcoin transactions.
The issue was reported privately to the RubyGems maintainers, and the malicious gems and the associated attacker accounts were removed.
According to the firm, because package repositories are closely integrated with their programming languages, they make it easy to consume and manage third-party components.
Including another project dependency is as easy as clicking a button. But that click, or a simple command, can prove dangerous: attackers may compromise developer accounts or build environments, or typosquat package names.
Typosquatting Ruby Gems to Steal Cryptocurrency
Typosquatting is a type of brandjacking attack that relies on users mistyping a web address or a library name; in software registries, the impersonating package takes a name close to that of a popular one.
RubyGems is a popular package manager that makes it easy for developers to distribute, manage, and install Ruby programs and libraries.
The researchers monitored new gems published to the repository and flagged any library whose name was similar to one on a baseline list of popular gems.
They found many packages, such as “atlas-client” posing as the “atlas_client” gem, that contained a portable executable (PE) disguised as a harmless image file (“aaa.png”).
During installation, the file is renamed from ‘aaa.png’ to ‘a.exe’ and executed. It contains a Base64-encoded VBScript that establishes persistence so the malware runs every time the system is started or rebooted.
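A defensive check for the disguise described above, written here as an added example in Ruby (not the researchers' tooling and not part of the original article): it walks an unpacked gem directory and flags any file whose leading bytes identify a Windows PE while its name claims an image, the way ‘aaa.png’ did. The directory layout, file names and magic bytes are constructed for the demonstration.

```ruby
# Added example (not ReversingLabs' or RubyGems' code): scan an unpacked
# gem tree for files whose contents do not match their extension, e.g. a
# Windows PE (MZ header) shipped under an image name such as "aaa.png".

require 'tmpdir'
require 'fileutils'

# Magic bytes for the two file types this check cares about.
PNG_MAGIC = "\x89PNG\r\n\x1a\n".b.freeze
PE_MAGIC  = 'MZ'.b.freeze

# Classify one file from its name and its first bytes.
#   :disguised_pe - PE/EXE content under a non-executable extension
#   :not_png      - a .png that does not start with the PNG signature
#   :ok           - content consistent with the extension (or not checked)
def classify(name, head)
  head = head.b
  ext = File.extname(name).downcase
  if head.start_with?(PE_MAGIC) && !%w[.exe .dll].include?(ext)
    :disguised_pe
  elsif ext == '.png' && !head.start_with?(PNG_MAGIC)
    :not_png
  else
    :ok
  end
end

# Walk a directory and return {relative_path => finding} for every file
# that does not look like what its name claims.
def scan_gem_tree(root)
  findings = {}
  Dir.glob('**/*', base: root).each do |rel|
    path = File.join(root, rel)
    next unless File.file?(path)
    head = File.binread(path, 16) || '' # binread returns nil for an empty file
    verdict = classify(rel, head)
    findings[rel] = verdict unless verdict == :ok
  end
  findings
end

# Build a constructed gem tree with a genuine PNG header, a fake "image"
# carrying a PE header and a plain Ruby file, then scan it.
def demo_scan
  Dir.mktmpdir('gemscan') do |root|
    FileUtils.mkdir_p(File.join(root, 'lib'))
    File.binwrite(File.join(root, 'lib', 'logo.png'), PNG_MAGIC + ("\x00" * 8).b)
    File.binwrite(File.join(root, 'lib', 'aaa.png'), PE_MAGIC + ("\x90\x00" * 7).b)
    File.write(File.join(root, 'lib', 'client.rb'), "puts 'hello'\n")
    scan_gem_tree(root)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_scan.each { |rel, verdict| puts "#{rel}: #{verdict}" }
end
```

Run it against a gem unpacked with `gem unpack` to get the same report for real package contents; the check only looks at the first 16 bytes, so it is cheap enough to run over every new dependency in CI.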
The VBScript continuously captures the victim's clipboard contents; when the content matches the format of a cryptocurrency wallet address, it replaces the address with an attacker-controlled one, redirecting any cryptocurrency transaction to the attacker's wallet.
The malicious gems were traced to two accounts, “JimCarrey” and “PeterGibbons”. No transactions were made to the attackers' wallet, even though “atlas-client” registered 2,100 downloads.
Typosquatting attacks of this type have been seen before: repository platforms such as the Python Package Index (PyPI) and GitHub-owned npm, the Node.js package manager, have emerged as effective vectors for distributing malware.
It is easy for malware authors to publish trojanized libraries under names similar to existing packages. Developers who may have pulled such libraries into their projects are advised to check that they used the correct package names and did not accidentally install the typosquatted gems.
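The name-similarity screen the researchers describe above and the check recommended to developers here can both be approximated with a small script. The following is an added example in Ruby, not ReversingLabs' tooling and not code from the article: it compares the gem names in a Gemfile.lock excerpt against a baseline of well-known gems, treating separator swaps (‘-’ vs ‘_’) and single-character edits as suspect. The baseline list and the lockfile excerpt are constructed for the demonstration.

```ruby
# Added example (not ReversingLabs' tooling): flag gem names that are
# near-collisions with a baseline of popular gems, as a typosquat screen
# over a registry feed or over a project's own Gemfile.lock.

require 'set'

# Constructed baseline of well-known gem names; a real screen would load
# the top-N names from the registry instead.
BASELINE = %w[atlas_client rails nokogiri rspec bundler rake].freeze

# Normalise separators and case so "atlas-client" and "atlas_client"
# compare equal.
def normalize(name)
  name.downcase.tr('-.', '__')
end

# Standard Levenshtein edit distance (insert, delete, substitute).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Return {candidate => baseline_name} for every candidate that is not
# itself in the baseline but equals a baseline name after normalisation
# or lies within one edit of it.
def typosquat_suspects(candidates, baseline = BASELINE)
  base_set = baseline.to_set
  suspects = {}
  candidates.each do |c|
    next if base_set.include?(c)
    match = baseline.find do |b|
      normalize(b) == normalize(c) || edit_distance(normalize(c), normalize(b)) <= 1
    end
    suspects[c] = match if match
  end
  suspects
end

# Pull the directly listed gem names out of Gemfile.lock text: under
# "specs:" each gem appears on a line indented four spaces as "name (version)".
def gems_from_lockfile(text)
  text.each_line.map do |line|
    m = line.match(/\A    (\S+) \(/)
    m && m[1]
  end.compact.uniq
end

# Constructed lockfile excerpt with one typosquat candidate.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      atlas-client (0.0.1)
      nokogiri (1.10.9)
      rspec (3.9.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  typosquat_suspects(gems_from_lockfile(SAMPLE_LOCK)).each do |name, base|
    puts "#{name} resembles #{base}"
  end
end
```

The edit-distance threshold of one is deliberately tight; raising it catches more lookalikes but also flags legitimate short names that happen to be close to each other, so in practice the baseline should be the registry's most-downloaded gems and every hit should be reviewed rather than blocked automatically.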