Trove of RubyGems malware highlights software supply chain issues

Ruby developers beware: a would-be cryptocurrency thief is out to get at your digital wallet, and they’re using typosquatting code to do it.

Typosquatters use misspellings of popular names to misdirect victims into using the wrong thing. It’s been a problem for websites for years, but it’s becoming an increasing issue for software developers too. Rather than reinventing the wheel by writing their own code to handle common tasks, they write it once as a software package and upload it to repositories. These repositories contain thousands of packages for developers to download. The upside is that it accelerates software development. The downside? Developers often don’t know exactly what those packages are doing.

Security researchers at threat detection company Reversing Labs found typosquatters had uploaded a malicious package in RubyGems, which is a repository serving the Ruby programming language.

You can install a RubyGems package – known as a Gem – by typing gem install followed by the package’s name on the command line. Attackers take advantage of this by copying a legitimate package, inserting some malicious code, and then uploading it again with a similar name to target fat-fingered programmers. In this case, the author had engineered the package to steal victims’ cryptocurrency.

Reversing Labs is no stranger to malicious packages, although they’ve tended to be in the Python package repository PyPI and the NPM Node.js repository. It found a typosquatting package after analysing the entire PyPI repository in July 2019. It also found a password stealer in the NPM repository last year after a similar scan.

This time it honed its approach: it compiled a list of the most popular Ruby gems, then monitored the RubyGems repository for newly uploaded gems whose names were misspellings of those legitimate packages, flagged them for further analysis and dug into their code. It found over 700 packages containing a file with executable code under the same name: aaa.png. This was suspicious, because the .png extension indicates an image file, not an executable one.

The most downloaded Gem in this group was atlas-client, which had been downloaded about a third as much as the legitimate atlas_client Gem.

The booby-trapped Gem includes a script that activates if it’s running on Windows. If so, the script renames the file aaa.png to a.exe and runs it.
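The two signals described above (a gem name one edit away from a popular gem, and a .png-named file that is really a Windows executable) can be checked before a gem is installed. The script below is an added example written for this article, not Reversing Labs’ tooling or anything shipped with RubyGems; the popular-gem list and the sample bytes are constructed for illustration.

```ruby
# Added example (not from the article or Reversing Labs): two audit heuristics.
# 1. Name-level: flag gem names within one edit of a popular gem, treating
#    '-' and '_' as interchangeable (atlas-client vs atlas_client).
# 2. Content-level: flag .png-named files whose bytes start with the PE "MZ" marker.

POPULAR_GEMS = %w[atlas_client rails nokogiri].freeze  # constructed sample list

def normalize(name)
  name.downcase.tr("-", "_")
end

# Plain Levenshtein distance; gem names are short, so the O(n*m) table is fine.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Returns the popular gem a candidate name looks like, or nil if it is a known gem
# or not close to one.
def typosquat_of(name, popular = POPULAR_GEMS)
  return nil if popular.include?(name)
  n = normalize(name)
  popular.find { |p| edit_distance(n, normalize(p)) <= 1 }
end

PNG_MAGIC = "\x89PNG".b
PE_MAGIC  = "MZ".b

# :hidden_executable when a .png-named file carries a PE header,
# :ok when the magic matches the extension (or the file is not a .png), else :unknown.
def classify_png(filename, bytes)
  bytes = bytes.b  # compare as raw bytes regardless of source encoding
  return :ok unless File.extname(filename).downcase == ".png"
  return :ok if bytes.start_with?(PNG_MAGIC)
  return :hidden_executable if bytes.start_with?(PE_MAGIC)
  :unknown
end

if __FILE__ == $PROGRAM_NAME
  puts typosquat_of("atlas-client").inspect     # "atlas_client"
  puts classify_png("aaa.png", "MZ\x90\x00".b)  # hidden_executable
end
```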

The a.exe malware file monitors the Windows clipboard for text that looks like a cryptocurrency address, something that is very likely to appear in the clipboard via Ctrl-C just before the user performs an online cryptocurrency transaction.

The sniffed-out cryptocoin address is then replaced in the clipboard itself with one belonging to the attackers, so that if a user subsequently pastes the address into the “send the money here” field on a cryptocurrency transaction page, then the crooks will receive the payment instead.

The malware also adds an entry to the Windows registry to make sure it gets reloaded when Windows starts up, for what’s known as persistence, meaning that the malware survives a logout or a reboot.

Although we’ve seen cryptocurrency crimes carried out via the clipboard before, this attack is pretty niche, according to Reversing Labs. It only works against Ruby developers using Windows machines making bitcoin transactions. Perhaps that’s why the address used in the attack had no transactions at the time of writing.

The attacker is persistent, though. Judging by the use of just two user accounts in RubyGems and the common filename, they were probably responsible for most of the malicious gems, said Reversing Labs. It also noted that the file names had turned up in other attacks on RubyGems in the past.

The RubyGems security team has removed all the affected packages from its repository, but Ruby developers should check the list of malicious packages to ensure that they’re not running dodgy code.

These supply chain attacks have been a perennial problem for other repositories too. Another researcher also discovered a cryptocurrency-stealing package that used typosquatting in the Python PyPI repository in October 2018, and ten packages cropped up in 2017. Attackers have also targeted NPM repeatedly over the years, most recently in January.
