
Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository

As developers increasingly incorporate off-the-shelf software components into their apps and services, threat actors are abusing open-source repositories such as RubyGems to distribute malicious packages intended to compromise developers' computers or backdoor the software projects they work on.

In the latest research shared with The Hacker News, cybersecurity experts at ReversingLabs revealed over 700 malicious gems — packages written in the Ruby programming language — that supply chain attackers were recently caught distributing through the RubyGems repository.

The campaign relied on typosquatting: the attackers uploaded packages whose names were intentional misspellings of legitimate ones, in the hope that unwitting developers would mistype a name and install the malicious library instead.

ReversingLabs said the typosquatted packages in question were uploaded to RubyGems between February 16 and February 25, and that most of them have been designed to secretly steal funds by redirecting cryptocurrency transactions to a wallet address under the attacker's control.

In other words, this particular supply chain attack targeted Ruby developers with Windows systems who also happened to use the machines to make Bitcoin transactions.

After the findings were privately disclosed to the RubyGems maintainers, the malicious gems and the associated attacker accounts were removed on February 27, almost two days later.

"Being closely integrated with the programming languages, the repositories make it easy to consume and manage third-party components," the cybersecurity firm said.

"Consequently, including another project dependency has become as easy as clicking a button or running a simple command in the developer environment. But just clicking a button or running a simple command can sometimes be a dangerous thing, as threat actors also share an interest in this convenience by compromising developer accounts or their build environments, and by typosquatting package names," it added.

Typosquatting Ruby Gems to Steal Cryptocurrency


Typosquatting is a form of brandjacking that relies on users putting themselves in harm's way by mistyping a web address or a library name; the attacker registers the misspelled variant so that it impersonates a popular site or a popular package in a software registry.

RubyGems is a popular package manager that makes it easy for developers to distribute, manage, and install Ruby programs and libraries.


Using a list of popular gems as a baseline for their investigation, the researchers monitored new gems published to the repository and flagged any newly published library whose name closely resembled one on the baseline list.

What they found were several packages — such as "atlas-client" posing as the "atlas_client" gem — containing portable executables (PEs) that masqueraded as a seemingly harmless image file ("aaa.png").

During installation, the file is renamed from 'aaa.png' to 'a.exe' and executed. The executable contains a Base64-encoded VBScript that establishes persistence on the infected system so that the malware runs every time the machine is started or rebooted.

Beyond that, the VBScript continuously captures the victim's clipboard data and, if the clipboard content matches the format of a cryptocurrency wallet address, replaces that address with an attacker-controlled alternative ("1JkU5XdNLji4Ugbb8agEWL1ko5US42nNmc").

"With this, the threat actor is trying to redirect all potential cryptocurrency transactions to their wallet address," ReversingLabs researchers said.


Although no transactions were made to this wallet, all the malicious gems were traced to two account holders, "JimCarrey" and "PeterGibbons," with "atlas-client" registering 2,100 downloads, approximately 30% of the total downloads racked up by the legitimate "atlas_client" gem.

Typosquatting in Software Packages on the Rise


This is not the first time typosquatting attacks of this kind have been uncovered.

Popular repository platforms such as the Python Package Index (PyPI) and the GitHub-owned Node.js package manager npm have emerged as effective attack vectors for distributing malware.

Given the lack of scrutiny involved during the package submission, review, and approval, it's been easy for malware authors to publish trojanized libraries with names very close to existing packages.

Developers who may have pulled these libraries into their projects are strongly advised to check that they are using the correct package names and have not accidentally installed the typosquatted versions.
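The baseline-comparison approach the researchers used, and the check recommended to developers above, can both be expressed as a short Ruby script. This is an added example, not ReversingLabs' or RubyGems' code; the BASELINE list, the one-edit threshold and the SAMPLE_LOCK fragment are constructed assumptions for illustration.

```ruby
# Added example, not ReversingLabs' or RubyGems' code: flag gem names that
# look like typosquats of a baseline of popular gems. BASELINE and
# SAMPLE_LOCK are constructed for illustration.
BASELINE = %w[atlas_client rails nokogiri rake bundler].freeze

# Separator swaps ("atlas-client" for "atlas_client") are the most common
# squat, so normalise them away before comparing.
def normalize(name)
  name.downcase.tr('-.', '__')
end

# Levenshtein edit distance between two strings (one row at a time).
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Returns the baseline gem a candidate most plausibly impersonates, or nil.
# An exact baseline match is the legitimate gem itself, never a squat.
def typosquat_of(candidate, baseline = BASELINE, max_distance: 1)
  return nil if baseline.include?(candidate)
  norm = normalize(candidate)
  baseline.find { |legit| levenshtein(norm, normalize(legit)) <= max_distance }
end

# Scan the "    name (version)" entries of a Gemfile.lock and return a
# { suspicious_name => impersonated_gem } map for a developer to review.
def scan_lockfile(lock_text, baseline = BASELINE)
  names = lock_text.scan(/^ {4}([\w.-]+) \(/).flatten.uniq
  names.each_with_object({}) do |gem, hits|
    target = typosquat_of(gem, baseline)
    hits[gem] = target if target
  end
end

SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      atlas-client (0.1.0)
      noko-giri (1.0.0)
      rails (6.0.2)
LOCK
scan_lockfile(SAMPLE_LOCK).each { |bad, legit| puts "#{bad} looks like a typosquat of #{legit}" }
```

Running the script against a real Gemfile.lock instead of SAMPLE_LOCK lists every dependency within one edit of a baseline name; a real baseline would be the top few thousand gems by download count.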

Source: The Hacker News
