Bitcoin Stealers Hide in 700+ Ruby Developer Libraries

Category: IT Technology · Published: 5 years ago


Cybercriminals uploaded typosquatted malicious libraries to RubyGems, which contains open-source components that are used as basic application building blocks by software developers.

About 760 malicious libraries, bent on stealing Bitcoin, have been identified so far in the open-source Ruby programming language code base.

According to Tomislav Maljic, threat analyst at ReversingLabs, cybercriminals have been using simple typosquatting to carry out their plan – the process of changing a character or two in a filename or URL in order to fool people into thinking it’s legitimate. For example, a legitimate file may be called “thisisafile.exe,” while a malicious impersonator may call itself “this1safile.exe.” Unobservant users could thus download the malicious file by mistake.

Using this technique, bad actors uploaded typosquatted malicious libraries to a package manager called RubyGems, which contains open-source components – called “gems” – that can be used as basic application building blocks by software developers. The RubyGems repository contains around 158,000 gems with nearly 49 billion total downloads, according to its website.


If developers accidentally downloaded the rogue files instead of the legitimate gems they were looking for, the software packages they built using the libraries would automatically harbor the Bitcoin-stealer, endangering all users of that software.

“The perfect candidate to succumb to this type of ‘spray-and-pray’ supply-chain attack is a Ruby developer whose environment of choice is a Windows system that’s also periodically being used to make Bitcoin transactions,” wrote Maljic, in a recent posting.

After crafting a list of the most popular gems to use as a baseline, the security firm monitored for new RubyGems additions that had similar names to any of the baseline list gems. In the first week of monitoring alone, starting Feb. 16, the ReversingLabs system flagged more than 400 gems for further analysis.

“By looking at the RubyGems repository, we discovered that all those gems originated from two user accounts – ‘JimCarrey’ and ‘PeterGibbons’ – with a fairly high number of total downloads,” explained the researcher. “It seemed that we caught them red-handed, as the account of ‘PeterGibbons’ was actively adding new typosquatted gems at the time of our analysis.”

One typosquatted gem called “atlas-client” had 2,100 downloads, which is close to 30 percent of the total downloads that the legitimate gem, “atlas_client,” had at the time of reporting.
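As an added example (not ReversingLabs' code or the page's own), a Ruby sketch of the baseline comparison described above: new gem names are folded so that hyphen, dot and underscore count as the same character (which is exactly how “atlas-client” impersonates “atlas_client”) and flagged when within one edit of a baseline gem. The baseline list and candidate names are constructed.

```ruby
# Added example: compare newly published gem names against a baseline of
# popular gems, the monitoring approach the article describes.
BASELINE = %w[atlas_client rails nokogiri].freeze # constructed sample baseline

# RubyGems treats "-", "_" and "." as distinct, so "atlas-client" is a
# different gem from "atlas_client"; for comparison we fold them together.
def normalize(name)
  name.downcase.gsub(/[-._]/, "_")
end

# Optimal-string-alignment edit distance (insert, delete, substitute, swap).
def edit_distance(a, b)
  d = Array.new(a.size + 1) { |i| Array.new(b.size + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) } }
  (1..a.size).each do |i|
    (1..b.size).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min # adjacent transposition
      end
    end
  end
  d[a.size][b.size]
end

# Returns the baseline gem a candidate name looks like, or nil if it is either
# an exact (legitimate) baseline name or not close to any of them.
def typosquat_target(candidate, baseline = BASELINE, max_distance: 1)
  return nil if baseline.include?(candidate)
  n = normalize(candidate)
  baseline.find { |legit| edit_distance(n, normalize(legit)) <= max_distance }
end

# Map of suspicious new names => the gem they resemble, for analyst review.
def flag_new_gems(names, baseline = BASELINE)
  names.each_with_object({}) do |name, hits|
    target = typosquat_target(name, baseline)
    hits[name] = target if target
  end
end
```

A distance of one will also catch legitimate near-names (e.g. forks that differ by one letter), so the output is a review queue, not a verdict.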

Bitcoin-Stealers Inside the Gems

Upon further inspection of the suspicious files, the research team found there to be a high number of portable executable (PE) files present, all carrying the file name “aaa.png.” These PE files, masquerading as image files, were also located on the same path in every analyzed suspicious gem: “/ext/trellislike/unflaming/waffling/”.

Meanwhile, all RubyGems files – legitimate or not – have a “Gemspec” file that contains basic metadata, such as the author, version and description, along with any additional information about extensions used within the library.

“Extensions are used to wrap separate libraries written in C with a Ruby wrapper. By convention, if extensions are used, everything related to them is placed into the ext directory along with the extconf.rb file,” explained Maljic. “The extconf.rb file configures a Makefile that builds the extension during the gem installation. However, extensions can also be utilized for malicious purposes, allowing malware to execute without any user interaction.”

In the case of the suspicious files, the team found that the extconf.rb script was located on the same path as the “aaa.png” file, and that it was being used to check the target platform.

“If it runs on a Windows system, it will rename the ‘aaa.png’ file to ‘a.exe’ and execute it,” said Maljic.
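An added example (not the researchers' tooling) of the kind of static check a defender can run over an unpacked gem before installing it: it flags files with an image or data extension whose first bytes are the PE “MZ” header, and extconf.rb scripts that rename files, shell out, or branch on a Windows platform string. The fixture directory it builds is constructed to mirror the layout described above; the stub “aaa.png” is just a header, not an executable.

```ruby
# Added example: static pre-install checks over an unpacked gem directory.
require "find"
require "fileutils"
require "tmpdir"
PE_MAGIC = "MZ".b                                   # DOS/PE header bytes
DATA_EXTENSIONS = %w[.png .jpg .gif .txt .md .dat].freeze
EXTCONF_PATTERNS = [/\bsystem\b/, /\bexec\b/, /\bspawn\b/, /`/,
                    /File\.rename/, /mswin|mingw|win32/i].freeze

# An "image" or data file whose first bytes are a PE header is not an image.
def pe_disguised?(path)
  return false unless DATA_EXTENSIONS.include?(File.extname(path).downcase)
  File.open(path, "rb") { |f| f.read(2) } == PE_MAGIC
end

# extconf.rb runs at install time; shelling out, renaming files or branching
# on a Windows platform string is unusual for a build-configuration script.
def extconf_findings(path)
  src = File.read(path)
  EXTCONF_PATTERNS.select { |re| src.match?(re) }.map(&:source)
end

# Walks the gem tree and returns [relative_path, reason] pairs.
def scan_gem_dir(root)
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path)
    rel = path.sub(%r{\A#{Regexp.escape(root)}/?}, "")
    findings << [rel, "PE executable with data-file extension"] if pe_disguised?(path)
    next unless File.basename(path) == "extconf.rb"
    hits = extconf_findings(path)
    findings << [rel, "extconf.rb matches: #{hits.join(', ')}"] unless hits.empty?
  end
  findings
end

# Constructed fixture mirroring the layout the article describes (not a real gem).
def build_sample_gem(root)
  ext = File.join(root, "ext", "trellislike", "unflaming", "waffling")
  FileUtils.mkdir_p(ext)
  File.binwrite(File.join(ext, "aaa.png"), "MZ" + "\0" * 62) # header only, not runnable
  File.write(File.join(ext, "extconf.rb"), <<~RUBY)
    if RUBY_PLATFORM =~ /mingw|mswin/
      File.rename("aaa.png", "a.exe")
      system("a.exe")
    end
  RUBY
  File.write(File.join(root, "README.md"), "plain text, nothing to flag")
  root
end
```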

The extracted Ruby script contains Base64-encoded VBScript that is decoded and saved to the “oh.vbs” file. This in turn creates a new VBScript file located on the “Software Essentials.vbs” path. It also creates a new autorun registry key, “Run Microsoft Software Essentials,” that ensures that the malware will run every time the system is started or rebooted.

When the “Software Essentials.vbs” malicious script is executed, it captures the user’s clipboard data.

“The script then checks if the clipboard data matches the format of a cryptocurrency wallet address,” Maljic explained. “If it does, it replaces the address with an attacker-controlled one, in a hidden window. With this, the threat actor is trying to redirect all potential cryptocurrency transactions to their wallet address.”

Ongoing Attacks

Although Maljic contacted the RubyGems security team on February 25 and the malicious packages were removed two days later, he pointed out that these kinds of attacks appear to be ongoing.

“We believe that the same threat actor is responsible for at least two previous malicious campaigns against the RubyGems repository,” he explained. “The same file path /ext/trellislike/unflaming/waffling/ was used in all the attacks. Likewise, the malicious intent was related to cryptomining in all cases.”

ReversingLabs researchers have also discovered malicious packages within the PyPI and NPM repositories in the past.

“It’s little surprise to hear that package repositories are being increasingly targeted,” said Maljic. “The software supply-chain attack is becoming increasingly popular [for cybercriminals]. These attacks threaten organizations indirectly by targeting the third-party vendors that provide them with software or services. Since such vendors are typically considered trusted publishers, organizations tend to spend less time verifying that the packages they are consuming are indeed malware-free.”
