This month, RubyGems removed 2 gems from its open source software repository that contained malicious code. These gems, tracked as sonatype-2020-1222 by us, are:
The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user’s clipboard with one belonging to the attacker.
This means that if a user who had mistakenly installed either of these gems were to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would be silently swapped for the attacker’s, who would then receive the Bitcoin.
Gem contained legitimate code from real packages with malicious code snuck in
Digging deeper, we can give a thorough analysis of what the malicious gems were intended to do, and of what stood out.
To complicate matters and make detection harder, pretty_color contains legitimate files taken from a trusted open source component, colorize. In fact, pretty_color is a replica of the benign colorize package and carries all of its code, including a fully descriptive README.
What does stand out, though, is the presence of a mysterious version.rb file that a casual observer might overlook by mistaking it for version metadata.
Image: file structure of the pretty_color gem, with the malicious “version.rb” file mixed in with otherwise legitimate files from the colorize package
Hidden within version.rb is obfuscated code that, on Windows systems, generates and runs a malicious VBScript, the_Score.vbs.
Notice, present on line 8 is a snarky
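The replica-with-one-extra-file pattern described above is something a defender can check for mechanically. The following Ruby script is an added example for this post, not Sonatype's code and not anything from the colorize or pretty_color gems: it compares a suspect gem's file tree against the trusted package it claims to mirror, reports files that are extra, missing or altered, and then runs a few heuristic regex markers over the extra or altered files only. The file lists, file contents, and the marker regexes are all constructed for this example; the only facts borrowed from the post are that the replica adds a version.rb and that the hidden code targets Windows and writes a .vbs.

```ruby
# frozen_string_literal: true
require "digest"

# Constructed sample file trees standing in for two gems. The paths and
# contents are made up for this example; only the idea that the replica
# carries one extra version.rb comes from the article.
TRUSTED_GEM = {
  "lib/colorize.rb"               => "module Colorize; end\n",
  "lib/colorize/class_methods.rb" => "module Colorize; module ClassMethods; end; end\n",
  "README.md"                     => "# colorize\n",
}.freeze

SUSPECT_GEM = {
  "lib/colorize.rb"               => "module Colorize; end\n",
  "lib/colorize/class_methods.rb" => "module Colorize; module ClassMethods; end; end\n",
  "README.md"                     => "# colorize\n",
  # Extra file not present upstream. The body is a harmless constructed
  # stand-in that merely carries the markers a scanner would look for.
  "lib/colorize/version.rb"       =>
    "require 'base64'\n" \
    "TARGET = 'the_Score.vbs'\n" \
    "PAYLOAD = 'cHV0cyAiaGVsbG8i'\n" \
    "eval(Base64.decode64(PAYLOAD)) if Gem.win_platform?\n",
}.freeze

# Heuristic markers; an assumption for this example, not a vetted rule set.
# Order matters only for the order of the findings list.
SUSPICIOUS_PATTERNS = {
  "eval of decoded data" => /eval\s*\(?\s*Base64\.decode64/,
  "windows-only branch"  => /Gem\.win_platform\?/,
  "script dropper"       => /\.vbs\b/,
  "long base64 blob"     => /['"][A-Za-z0-9+\/]{40,}={0,2}['"]/,
}.freeze

# Diff two file trees (path => contents) by SHA-256 of the contents.
def compare_gems(trusted, suspect)
  digest   = ->(s) { Digest::SHA256.hexdigest(s) }
  extra    = suspect.keys - trusted.keys
  missing  = trusted.keys - suspect.keys
  modified = (trusted.keys & suspect.keys).reject do |path|
    digest.(trusted[path]) == digest.(suspect[path])
  end
  { extra: extra, missing: missing, modified: modified }
end

# Return a "path: marker" string for every heuristic that fires on a file.
def scan_file(path, source)
  SUSPICIOUS_PATTERNS.select { |_, re| source.match?(re) }
                     .keys
                     .map { |name| "#{path}: #{name}" }
end

# Full audit: tree diff plus heuristics over anything that is not upstream.
def audit(trusted, suspect)
  diff = compare_gems(trusted, suspect)
  findings = (diff[:extra] + diff[:modified]).flat_map { |p| scan_file(p, suspect[p]) }
  diff.merge(findings: findings)
end

if __FILE__ == $PROGRAM_NAME
  report = audit(TRUSTED_GEM, SUSPECT_GEM)
  puts "extra:    #{report[:extra].inspect}"
  puts "missing:  #{report[:missing].inspect}"
  puts "modified: #{report[:modified].inspect}"
  report[:findings].each { |f| puts "FLAG #{f}" }
end
```

On the constructed input this flags lib/colorize/version.rb as the only extra file and reports three markers on it (decoded eval, Windows-only branch, .vbs reference); the identical trees produce an empty report. Against real gems you would build the two hashes from the unpacked gem directories and treat the heuristics as a triage aid, not a verdict: a hit means a human should read the file.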
This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/rubygems-laced-with-bitcoin-stealing-malware