2 New RubyGems laced with cryptocurrency stealing malware taken down

This month, RubyGems removed 2 gems from its open source software repository that contained malicious code. These gems, tracked as sonatype-2020-1222 by us, are:

  • pretty_color
  • ruby-bitcoin

The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user’s clipboard with the attacker’s.

This means if a user who had mistakenly installed either of these gems was to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would be replaced with that of the attacker, who’d now receive the Bitcoins.
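The swap described above is easy to characterise from the defender's side: the clipboard briefly holds one wallet address and then, without further user action, holds a different one. The following Ruby script is an added example and is not code from the Sonatype post or from the malicious gems; it runs a detection heuristic over a constructed sequence of clipboard snapshots (on a live host you would feed it the output of a clipboard poller). The address patterns, the two-second window and the sample addresses are assumptions chosen for illustration.

```ruby
# Loose match for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
# This is a detection heuristic, not a validator: checksums are not verified.
BTC_ADDRESS = /\A(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\z/

def bitcoin_address?(text)
  !!(text.to_s.strip =~ BTC_ADDRESS)
end

# snapshots: array of [seconds_since_start, clipboard_text] taken by polling.
# Flags the clipper pattern: a wallet address replaced by a *different* wallet
# address within `window` seconds, which a human copy-paste rarely produces.
def detect_clipboard_swaps(snapshots, window: 2.0)
  alerts = []
  snapshots.each_cons(2) do |(t1, before), (t2, after)|
    next unless bitcoin_address?(before) && bitcoin_address?(after)
    next if before.strip == after.strip          # same address, nothing swapped
    next unless (t2 - t1) <= window              # slow change: likely the user's own doing
    alerts << { at: t2, original: before.strip, replaced_with: after.strip }
  end
  alerts
end

# Constructed sample data (both addresses are made up and only match the regex).
RECIPIENT = "1SAMPLEWALLETADDRESSABCDEFGH2345"
ATTACKER  = "3ATTACKERWALLETADDRESSXYZABCD6789"

SAMPLE_SNAPSHOTS = [
  [0.0,  "meeting notes"],       # ordinary text
  [1.0,  RECIPIENT],             # user copies the intended recipient
  [1.5,  ATTACKER],              # half a second later the content has changed: flagged
  [20.0, ATTACKER],              # unchanged, not flagged
  [40.0, RECIPIENT],             # user copies another address 20 s later: outside window
  [40.5, "git commit -m fix"],   # not an address
]

if __FILE__ == $PROGRAM_NAME
  detect_clipboard_swaps(SAMPLE_SNAPSHOTS).each do |a|
    puts "t=#{a[:at]}s clipboard address #{a[:original]} was replaced by #{a[:replaced_with]}"
  end
end
```

The window is the important knob: the malware rewrites the clipboard almost immediately after a copy, whereas a user who copies two different addresses usually does so seconds apart. Pasting the address and reading it back before sending is the manual equivalent of this check.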

This news follows shortly after Sonatype’s discovery of many typosquatting and brandjacking open source malware packages, such as discord.dll, twilio-npm, electorn, and others.

Gem contained legitimate code from real packages with malicious code snuck in

Although the malicious gems were removed from RubyGems, Sonatype’s archives within our next-generation data services, Nexus Intelligence, had retained copies of these gems for analysis.

Having dug deeper, we can provide a thorough analysis of what the malicious gems intended to do, and what stood out.

To complicate matters and make detection harder, pretty_color contains legitimate files that are taken from a trusted open source component, colorize. In fact, pretty_color is an identical replica of the benign colorize package and has all its code, including a fully descriptive README.

What does stand out though, is the presence of a mysterious version.rb file that a casual observer may otherwise overlook by mistaking it for version metadata.

Image: file structure of pretty_color gem which has the malicious “version.rb” file mixed with otherwise legitimate files of the colorize package
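A package that is a byte-for-byte copy of a trusted one plus a single extra file is exactly the case a file-level comparison catches. The script below is an added example, not Sonatype's tooling and not code from either gem: it fingerprints two unpacked package trees with SHA-256 and reports files that were added, removed, modified or left identical. The trees it compares are constructed in a temporary directory; the file names (including `lib/version.rb` as a stand-in for the extra file) are placeholders, not the real gem layout.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# Map of relative path => SHA-256 hex digest for every regular file under root.
def fingerprint_tree(root)
  Dir.glob("**/*", base: root).each_with_object({}) do |rel, acc|
    abs = File.join(root, rel)
    next unless File.file?(abs)
    acc[rel] = Digest::SHA256.file(abs).hexdigest
  end
end

# Compare a suspect package tree against the trusted upstream it resembles.
# Files present only in the suspect are the first thing to read by hand.
def compare_packages(suspect_root, upstream_root)
  suspect  = fingerprint_tree(suspect_root)
  upstream = fingerprint_tree(upstream_root)
  shared   = suspect.keys & upstream.keys
  {
    added:     (suspect.keys - upstream.keys).sort,
    removed:   (upstream.keys - suspect.keys).sort,
    modified:  shared.select { |f| suspect[f] != upstream[f] }.sort,
    identical: shared.select { |f| suspect[f] == upstream[f] }.sort,
  }
end

# Build two small constructed trees (a stand-in "upstream" and a "suspect" copy
# with one extra file) in a temp dir and return the comparison result.
def demo_comparison
  Dir.mktmpdir do |dir|
    upstream = File.join(dir, "upstream-package")
    suspect  = File.join(dir, "suspect-package")
    shared_files = {
      "README.md"       => "# sample readme (constructed)\n",
      "lib/colorize.rb" => "module Colorize; end # constructed stand-in\n",
    }
    {
      upstream => shared_files,
      suspect  => shared_files.merge("lib/version.rb" => "# constructed stand-in for the extra file\n"),
    }.each do |root, files|
      files.each do |rel, body|
        path = File.join(root, rel)
        FileUtils.mkdir_p(File.dirname(path))
        File.write(path, body)
      end
    end
    compare_packages(suspect, upstream)   # block value is returned by mktmpdir
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_comparison.each { |kind, files| puts "#{kind}: #{files.join(', ')}" }
end
```

To use this on real packages, unpack both gems (`gem unpack <gem file>` writes the tree to the current directory) and call `compare_packages` on the two directories; anything in `added` or `modified` is what deserves a manual read, which is where a file named like metadata but holding obfuscated code would surface.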

Snuck within version.rb is obfuscated code which, on Windows systems, generates and runs a malicious VBScript the_Score.vbs.

Notice, present on line 8 is a snarky (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: