Two Ruby gems found to carry malware capable of running persistently on infected machines were recently removed from the RubyGems hosting service.
The two gems, pretty_color and ruby-bitcoin, contained malware targeting Windows machines that was designed to replace any cryptocurrency wallet address found in the clipboard with an attacker-supplied one.
By replacing the crypto-wallet addresses, the malware helps the attackers hijack transactions and steal the victim’s funds.
While analyzing the two gems, software development and security firm Sonatype discovered that pretty_color contained legitimate files from colorize, a trusted open source component, which made detection more difficult.
“In fact, pretty_color is an identical replica of the benign colorize package and has all its code, including a fully descriptive README,” Sonatype says.
The gem included a file named version.rb that poses as version metadata, but which contains obfuscated code meant to run a malicious script on Windows computers.
The code also included a reference to ReversingLabs threat analyst Tomislav Maljic, who previously identified more than 700 typosquatting RubyGems designed to mine for Bitcoin on infected machines.
The ruby-bitcoin gem, Sonatype’s security researchers explain, only includes the malicious code present in the version.rb file from pretty_color.
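The detail that matters for defenders is the placement of the payload: a file named version.rb that should hold nothing but a module and a VERSION constant instead carried obfuscated, Windows-gated code. The scanner below, an added example written for this page rather than Sonatype's tooling or code from either gem, walks a directory of unpacked gems, finds every version.rb, and flags the ones that contain more than that skeleton or that use primitives an obfuscated dropper needs (eval, pack/Base64 decoding, process execution, a Windows platform check, file writes, long opaque string literals). The two sample files and the gem layout are constructed for the demo; the heuristics and thresholds are assumptions, not a rule set from the article.

```ruby
require "fileutils"
require "pathname"
require "tmpdir"

# Indicators that have no business in a version-metadata file. Labels are the
# human-readable finding text; the regexes are heuristic (assumed, not from the article).
SUSPICIOUS_PATTERNS = {
  "dynamic code execution (eval/instance_eval/class_eval)" =>
    /\b(?:eval|instance_eval|class_eval|module_eval)\b/,
  "string decoding often used for obfuscation (pack/unpack/Base64)" =>
    /\.(?:pack|unpack1?)\s*\(|Base64\.(?:strict_|urlsafe_)?decode64/,
  "process execution (system/exec/spawn/backticks/IO.popen)" =>
    /\b(?:system|exec|spawn|IO\.popen)\s*\(|`[^`\n]*`|%x[\(\[{]/,
  "Windows platform gate" =>
    /Gem\.win_platform\?|RUBY_PLATFORM.*(?:mswin|mingw|cygwin)|RbConfig::CONFIG\[["']host_os["']\]/,
  "file dropper (File.write/File.open/Tempfile)" =>
    /\bFile\.(?:open|write|binwrite)\b|\bTempfile\b|\bIO\.write\b/,
  "long opaque string literal (80+ chars)" =>
    /["'][A-Za-z0-9+\/=]{80,}["']/,
}.freeze

# What a legitimate version.rb is expected to consist of. Everything else is residue.
SKELETON = [
  /^[ \t]*#.*$/,                                                        # comment lines
  /^[ \t]*(?:module|class)[ \t]+\w+(?:::\w+)*[ \t]*$/,                 # module/class header
  /^[ \t]*VERSION[ \t]*=[ \t]*(["'])[^"'\n]*\1(?:\.freeze)?[ \t]*$/,   # the version constant
  /^[ \t]*end[ \t]*$/,                                                 # closing end
].freeze

# Non-empty lines left after the expected skeleton is stripped away.
def skeleton_residue(source)
  stripped = SKELETON.reduce(source) { |text, re| text.gsub(re, "") }
  stripped.lines.map(&:strip).reject(&:empty?)
end

# Returns an array of finding strings; empty means the file looks like plain metadata.
def scan_version_file(source)
  findings = SUSPICIOUS_PATTERNS.select { |_, re| source.match?(re) }.keys
  residue = skeleton_residue(source)
  findings << "#{residue.size} line(s) beyond the module/VERSION skeleton" unless residue.empty?
  findings
end

# Scans every version.rb under root (e.g. a bundle's gems/ directory); returns
# { "relative/path/version.rb" => [findings] } for files with at least one finding.
def scan_gem_tree(root)
  root = Pathname.new(root)
  Dir.glob(root.join("**", "version.rb").to_s).sort.each_with_object({}) do |path, report|
    findings = scan_version_file(File.read(path))
    next if findings.empty?
    report[Pathname.new(path).relative_path_from(root).to_s] = findings
  end
end

# Constructed sample: a benign version.rb in the style of an ordinary gem.
BENIGN_VERSION_RB = <<~'RUBY'
  # frozen_string_literal: true

  module Colorize
    VERSION = "0.8.1"
  end
RUBY

# Constructed sample mimicking the pattern the article describes: valid-looking
# metadata followed by a Windows-gated, hex-encoded blob fed to eval. The blob is
# a placeholder, not a real payload, and this string is never executed.
SUSPICIOUS_VERSION_RB = <<~'RUBY'
  module PrettyColor
    VERSION = "0.1.0"
  end

  # decoded at install time on Windows only
  if Gem.win_platform?
    blob = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef".freeze
    eval([blob].pack("H*"))
  end
RUBY

# Lays out a throwaway gems directory with both samples and scans it.
def demo_scan
  Dir.mktmpdir("gems") do |root|
    write = lambda do |rel, body|
      path = File.join(root, rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, body)
    end
    write.call("colorize-0.8.1/lib/colorize/version.rb", BENIGN_VERSION_RB)
    write.call("pretty_color-0.1.0/lib/pretty_color/version.rb", SUSPICIOUS_VERSION_RB)
    scan_gem_tree(root)
  end
end

if $PROGRAM_NAME == __FILE__
  demo_scan.each do |path, findings|
    puts "#{path}:"
    findings.each { |f| puts "  - #{f}" }
  end
end
```

Run it against a real tree with `scan_gem_tree(ENV["GEM_HOME"] + "/gems")` or a vendored `vendor/bundle` directory. The skeleton check is deliberately strict: a version.rb that reads its number from a VERSION file or defines a helper will show up as residue, which is the point; a reviewer should glance at anything in that file that is not a module and a constant. Pattern matching on source text also sees comments and strings, so treat hits as triage leads rather than verdicts.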
A plain-text variant of the malicious script used in these gems was found on GitHub under an unrelated account, suggesting a possible connection to WannaCry. However, there’s no hard evidence linking the code to the WannaCry operation.
“Of all activities a ransomware group may conduct on a compromised system, replacing Bitcoin wallet address on the clipboard feels more akin to a trivial mischief by an amateur threat actor than to a sophisticated ransomware operation,” Sonatype notes.
Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix
Related: Backdoor Found in ‘rest-client’ Ruby Gem
Related: Malicious Code Planted in ‘strong_password’ Ruby Gem
More from Ionut Arghire