Nexus Intelligence Insights: Protect Your Bitcoins from 700+ Malicious RubyGems with sonatype-2020-0196

Last week news broke about how 700 typosquatting libraries had made their way into the famous RubyGems repository. The complete list, first published by Reversing Labs, reveals how crafty attackers can take advantage of the open source software supply chain by relying on human typographical errors, to which not even the most sophisticated developers are immune.

Vulnerability Identifier: sonatype-2020-0196

Type of Vulnerability: CWE-506 / Malware

Affected components: multiple; IQ scan is recommended.

Vulnerable version ranges: multiple; IQ scan is recommended.

Although the list reveals names of some 725 packages now removed by RubyGems, the actual number of unique components affected could be much higher, given multiple versions associated with each gem, and their possible use as dependencies in others.

The malicious intent is of particular significance due to three factors:

• It relies on typos to trick users into installing malware which mimics names of real world packages (e.g. atlas-client imitating the legitimate atlas_client package)
• It installs persistent Bitcoin-leeching malware which frequently monitors clipboard for a Bitcoin address, replacing it with the attacker’s wallet address.
• It takes advantage of borderline steganography techniques, by disguising malicious code in quasi-image (PNG) files.

All of this means, a single slip of a keystroke by an unsuspecting developer lands themselves and anybody who uses their package (i.e. if the malicious RubyGem was bundled as a dependency) in a place where all cryptocurrency transactions now redirect funds to the attacker’s wallet address, unless the user is super diligent when copy-pasting.

Moreover, because the malicious code spun up by the components is saved within innocuous-looking image files (e.g. “aaa.png”), it would likely bypass the scrutiny of the human eye, and various static analysis tools. Only at a specific (Read more...)