RubyGems Packages Laced with Bitcoin-Stealing Malware


Two malicious software building blocks that could be baked into web applications prey on unsuspecting users.

RubyGems, an open-source package repository and manager for the Ruby web programming language, has taken two of its software packages offline after they were found to be laced with malware.

RubyGems provides a standard format for distributing Ruby programs and libraries in the service of building web applications. These programs and libraries are collected into software packages called “gems,” which can be used to extend or modify functionality in Ruby applications.

Two of these gems available in its open-source software repository, “pretty_color” and “ruby-bitcoin,” were discovered by researchers at Sonatype to be corrupted to steal Bitcoin from unsuspecting web-application users.

“The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user’s clipboard with the attacker’s,” according to Ax Sharma, researcher at Sonatype, writing in a Wednesday posting. “This means if a user [of a corrupted web app built using the gems]…[were] to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would be replaced with that of the attacker, who’d now receive the Bitcoins.”

The first gem contained legitimate code from a real package along with the malware, in order to evade detection by developers using it. The pretty_color gem contained the complete legitimate code and a fully descriptive README file of a trusted open-source component called “colorize.” Colorize is used for setting text colors, background colors and text effects for web apps, and has been downloaded 55 million times.

Along with being an exact replica of the colorize package, pretty_color contains a rogue version.rb file responsible for the malicious functionality. It’s obfuscated code which, on Windows systems, generates and runs a malicious VBScript called “the_Score.vbs,” presumably referring to crook lingo for a heist.

“A casual observer may otherwise overlook [it] by mistaking it for version metadata,” Sharma explained.

Once decoded, the malicious code carries out various tasks, according to the analyst, the most important of which is creating another malicious VBScript. That script, “%PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs,” monitors the user’s clipboard every second for a Bitcoin address and replaces it with the attacker’s wallet address if one is detected, Sharma said.

Thus, if a user copies an address to the clipboard, the script may be monitoring it at just the right second to instantaneously swap it out, with the user being none the wiser.

To achieve persistence, Sharma said, the_Score.vbs also adds the path of the newly dropped Software Essentials.vbs to the appropriate Windows registry key, so the malware runs every time the system boots.

The other malicious gem, called ruby-bitcoin, is much simpler and only contains the malicious version.rb code mentioned above. While it contains only the malicious code, its name is a variation of “bitcoin-ruby,” which is a legitimate gem, Sharma told Threatpost. Bitcoin-ruby is a Ruby library for interacting with the bitcoin protocol/network, with half a million downloads.

“Both gems capitalized on typosquatting and brandjacking: a developer making human error and getting the wrong package than what they had intended to,” he noted. “You can see why attackers would love to deploy typosquatting and brandjacking attacks — they offer a higher chance of success due to a developer making an honest mistake.”

Unfortunately, anyone can upload a gem to the RubyGems repository, including threat actors.

“With any open-source system, if the honest users and the general public have access to it, so do the adversaries,” Sharma said.

The good news is that the gems, having been caught early on, didn’t score many downloads, according to Sonatype. For example, the pretty_color package that imitated a legitimate colorize package was published December 13th and yanked the very next day, after being downloaded five dozen times, according to RubyGems. Likewise, ruby-bitcoin scored under 100 downloads.

“With open-source software supply chain attacks though, we can never be certain of their actual impact, which might be much larger,” Sharma told Threatpost in an emailed interview. “We don’t know who downloaded these packages and if they were included by a developer in their application as a dependency. If that was the case, we can’t tell who further downloaded those applications shipped with pretty_color or ruby_bitcoin in them.”

The code was also found outside of the RubyGems repository.

“A variant of the plaintext code for the_Score.vbs generated by the obfuscated version.rb has also existed on GitHub, under an unrelated third party’s account,” Sharma said. “Although the identical file on GitHub is called ‘wannacry.vbs,’ Sonatype Security Research team did not find any hard evidence linking the code to the original WannaCry ransomware operators.”

Supply-Chain Attacks

This is an example of how attackers are starting to turn more and more to corrupting the software supply chains that developers rely on to build their applications, Sharma noted, flagging that Sonatype has seen a 430 percent increase in upstream software supply-chain attacks over the past year.

“While these gems stole cryptocurrency, as we have repeatedly seen with open-source malware striking GitHub, npm and RubyGems, attackers can exploit trust within the open-source community to deliver pretty much anything malicious, from sophisticated spying trojans like njRAT, to a whole new family of Discord info-stealing malware CursedGrabber.”

He added, “A concern I discuss is whether or not open-source ecosystems might lure adversaries like ransomware ops in. Luckily, that hasn’t happened yet, but that is not to say it can’t.”

Going forward, attacks on software supply chains are only expected to grow and be adopted by more advanced threat actors over time.

“Gitpaste-12 returned rather soon with 30 new exploits for vulnerabilities, a lot of which concern open-source components, as opposed to the previous 12 it had exploited,” said Sharma. “As more and more adversaries step in, and security companies catch up, the nature of these attacks is only expected to become more advanced, complex and harder to detect without at least some form of automation in place.”

Making malicious code changes that then make their way into open-source projects used by developers around the world is a hard-to-track tactic, he added. And it also means that propagation of malware is limited only by the number of applications that are built using corrupted components.

“It is virtually impossible to manually chase and keep track of such components,” he said.

To even begin knowing whether you have vulnerable code, developers and organizations need to keep a software bill of materials (SBOM) for all of their apps, so they can easily track and trace the location of every single component embedded within their production software applications, he told Threatpost.

“It’s the only way to immediately assess and remediate exposure every time new open-source vulnerabilities are publicly disclosed, whether they’re malicious or not,” he noted. “But to do this manually can be virtually impossible. What if malware lurks in a dependency of a dependency (a transitive dependency) used in your software application? What if the malicious code, as we saw in pretty_color, is hidden via techniques such as obfuscation and minification in places where you’d least expect it?”

At minimum, developers and organizations should have tooling in place to create SBOMs. “But, having automated solutions in place capable of performing deep binary analysis and the ability to spot counterfeit components can be built into your DevSecOps workflow as a more reliable prevention strategy,” Sharma added.
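The typosquatting and brandjacking described earlier, and the point above about malware lurking in a dependency of a dependency, as an added Ruby example that is not Sonatype's, RubyGems' or the gems' own code: it parses a Gemfile.lock into a flat component inventory (a minimal SBOM) and flags deny-listed names and lookalikes of trusted gems, naming the gem that pulls a transitive one in. The trusted list, the sample lockfile (including the fictional money-formatter gem) and all version numbers are constructed.

```ruby
# Added example, not Sonatype's, RubyGems' or the gems' code: a minimal SBOM
# pass over a Gemfile.lock that flags deny-listed and lookalike gem names.
DENY_LIST = %w[pretty_color ruby-bitcoin].freeze  # names from the article
TRUSTED   = %w[colorize bitcoin-ruby].freeze      # assumed known-good gems

# Constructed lockfile; versions and "money-formatter" are made up.
# ruby-bitcoin enters only transitively, through money-formatter.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      colorize (0.8.1)
      money-formatter (1.0.0)
        ruby-bitcoin (0.0.20)
      pretty_color (0.0.1)
      ruby-bitcoin (0.0.20)
LOCK

# 4-space lines are resolved gems, 6-space lines are their dependencies;
# DEPENDENCIES/PLATFORMS entries use 2 spaces and are skipped.
def parse_lockfile(text)
  specs, current = {}, nil
  text.each_line do |line|
    if line =~ /\A {4}(\S+) \(([^)]+)\)/
      current = Regexp.last_match(1)
      specs[current] = { version: Regexp.last_match(2), deps: [] }
    elsif line =~ /\A {6}(\S+)/ && current
      specs[current][:deps] << Regexp.last_match(1)
    end
  end
  specs
end

# Levenshtein distance: one or two edits from a trusted name is a typosquat.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) { |cb, j| cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min }
    prev = cur
  end
  prev.last
end

# Returns { gem => reason }; a flagged gem that is only a dependency of a
# dependency is reported together with the gem(s) that pull it in.
def audit(specs)
  specs.keys.each_with_object({}) do |name, out|
    look = TRUSTED.find { |t| t != name && (t.split(/[-_]/).sort == name.split(/[-_]/).sort || edit_distance(t, name) <= 2) }
    reason = DENY_LIST.include?(name) ? 'known malicious gem' : look && "lookalike of trusted gem #{look}"
    next unless reason
    parents = specs.select { |_, s| s[:deps].include?(name) }.keys
    out[name] = parents.empty? ? reason : "#{reason} (via #{parents.join(', ')})"
  end
end
```

Run it against a real lockfile with `audit(parse_lockfile(File.read('Gemfile.lock')))`; the lookalike check flags reordered segments (ruby-bitcoin versus bitcoin-ruby) as well as one- or two-character typos.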

This story was updated at 3:15 p.m. ET to include interview responses from the researcher.
