RubyGems typosquatting attack in Ruby Libraries

Posted by Author Pallavi Pangavhane on Posted on

Overview

Recent investigation on Ruby packages discovered that over 760 malicious packages uploaded on the official RubyGems repository targeting Windows users. 

RubyGems is a package management framework for Ruby programming language. The repository contains  thousands of packages also called gems. Each ruby gem consists of Code, Documentation and Gem specification.

Gems are formed of a structure similar to the following:

Image Source: ReversingLabs

Attackers used a typosquatting technique to spread malicious code. In typosquatting, malicious packages were named intentionally to create confusion with similar and popular existing ruby packages (e.g. rspec-mokcs instead of rspec-mocks). The intent of the attack was to make BitCoin transactions.

Malware workflow

Image Source: ReversingLabs

The extconf.rb configures a Makefile which will build your extension. It also allows you to execute arbitrary code, which can potentially be dangerous. extconf.rb contains code to check the target platform. During the installation the inserted malicious file “aaa.png” renamed itself to “a.exe” .

Image Source: ReversingLabs

The ruby script “aaa.rb” extracted from “a.exe” contains embedded VBScript with Obfuscated Base64 Data. 


Image Source: ReversingLabs

After decoding it gives the following output.

Image Source: ReversingLabs

Once the script is executed, it saves itself as “Software Essentials.vbs” in the %PROGRAMDATA% folder. Malware achieves persistence by adding new key Microsoft Software Essentials into the Windows registry “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”.  

One of the goals of attackers is to steal cryptocurrency. Thus, after every command execution, it checks the content of the clipboard using the following code:

It then checks to see if content matches the cryptocurrency wallet address.  In case the address is different from the hardcoded one, it sets the clipboard data to its own address. Changing the clipboard data is done by running the following command:

With this, attacker is attempting to redirect all cryptocurrency transactions to their wallet address.

Affected system and SHA256:

The victim of this supply chain attack is a Ruby developer whose environment of choice is a Windows system. Here is the list of Affected packages 

Other IOCs SHA256

aaa.png 9d1fcea3079826ca48641ddbd360698c877ec2d09d973c5602676dae26be7c3f

aaa.rb: 298e35a96f4cc79ed3fd5e18337d22fd272798f60360fe1e3ca3346ef18e69f7

oh.vbs: b303e55ddd6985f8550af85a602cf745adebc7f3db60a7f52ea53fd0b675df47

Bitcoin address 

1JkU5XdNLji4Ugbb8agEWL1ko5US42nNmc

Mitigation:

The RubyGems security team has removed all malicious packages from the reported users account.

 

Leave a Reply

Your email address will not be published. Required fields are marked *