Two Ruby gems that were found to pack malware capable of running persistently on infected machines were removed recently from the RubyGems hosting service.
The two gems, pretty_color and ruby-bitcoin, contained malware targeting Windows machines that replaced any cryptocurrency wallet address copied to the clipboard with an attacker-supplied one.
By replacing the crypto-wallet addresses, the malware helps the attackers hijack transactions and steal the victim’s funds.
While analyzing the two gems, software development and security firm Sonatype discovered that pretty_color contained legitimate files from colorize, a trusted open source component, which made detection more difficult.
“In fact, pretty_color is an identical replica of the benign colorize package and has all its code, including a fully descriptive README,” Sonatype says.
The gem included a file named version.rb that poses as version metadata but actually holds obfuscated code meant to run a malicious script on Windows computers.
The code also included a reference to ReversingLabs threat analyst Tomislav Maljic, who previously identified more than 700 typosquatting RubyGems designed to mine for Bitcoin on infected machines.
The ruby-bitcoin gem, Sonatype’s security researchers explain, only includes the malicious code present in the version.rb file from pretty_color.
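The replica technique described above (a trusted gem copied file-for-file, with only version.rb swapped for obfuscated code) lends itself to a simple defensive check: diff a candidate gem against the trusted original and scan any diverging file for code that version metadata should never contain. The following is an added example written for this article, not code from Sonatype or from the gems themselves; the file contents, version string and indicator list are constructed for illustration.

```ruby
# Constructed sample trees (path => contents), standing in for a trusted gem
# and a look-alike that copies it but replaces version.rb. For real gems you
# would build these hashes by reading each file under the unpacked gem dir.
TRUSTED = {
  "README.md"               => "# colorize\nAdds ANSI colour methods to String.\n",
  "lib/colorize.rb"         => "require 'colorize/version'\nclass String; end\n",
  "lib/colorize/version.rb" => "module Colorize\n  VERSION = '0.0.0'\nend\n",
}.freeze

LOOKALIKE = {
  "README.md"               => TRUSTED["README.md"],
  "lib/colorize.rb"         => TRUSTED["lib/colorize.rb"],
  # Same metadata, plus a platform check and an eval of a decoded blob.
  # 'QUJD' is a harmless stand-in blob; nothing here is ever executed.
  "lib/colorize/version.rb" =>
    "module Colorize\n  VERSION = '0.0.0'\nend\n" \
    "if Gem.win_platform?\n  eval(Base64.decode64('QUJD'))\nend\n",
}.freeze

# Heuristic markers that a version.rb has no business containing.
INDICATORS = {
  "eval"           => /\beval\s*\(/,
  "base64_decode"  => /Base64\.(strict_)?decode64/,
  "platform_check" => /Gem\.win_platform\?|RUBY_PLATFORM/,
  "shell_exec"     => /\bsystem\s*\(|`[^`]+`|IO\.popen/,
}.freeze

# Paths whose contents differ from the trusted tree, or that only the
# candidate has. Unchanged copies of trusted files are ignored.
def diverging_files(trusted, candidate)
  candidate.keys.select { |path| trusted[path] != candidate[path] }.sort
end

# Names of the indicators that match a Ruby source string.
def obfuscation_indicators(source)
  INDICATORS.select { |_, re| source.match?(re) }.keys
end

# path => matched indicators, for every diverging file in the candidate.
def audit_lookalike(trusted, candidate)
  diverging_files(trusted, candidate).each_with_object({}) do |path, report|
    report[path] = obfuscation_indicators(candidate[path])
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_lookalike(TRUSTED, LOOKALIKE).each do |path, hits|
    puts "#{path}: #{hits.empty? ? 'no indicators' : hits.join(', ')}"
  end
end
```

A single diverging file that trips several indicators is exactly the pattern this article describes; an empty report means the candidate is a byte-for-byte copy, which is itself worth flagging as a possible typosquat.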
A plain-text variant of the malicious script used in these gems was found on GitHub under an unrelated account, suggesting a possible connection to WannaCry. However, there’s no hard evidence linking the code to the WannaCry operation.
“Of all activities a ransomware group may conduct on a compromised system, replacing Bitcoin wallet address on the clipboard feels more akin to a trivial mischief by an amateur threat actor than to a sophisticated ransomware operation,” Sonatype notes.