RubyGems Packages Laced with Bitcoin-Stealing Malware

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,195
RubyGems, an open-source package repository and manager for the Ruby web programming language, has taken two of its software packages offline after they were found to be laced with malware.
RubyGems provides a standard format for distributing Ruby programs and libraries in the service of building web applications. These programs and libraries are collected into software packages called “gems,” which can be used to extend or modify functionality in Ruby applications.

Two of these gems available in its open-source software repository, “pretty_color” and “ruby-bitcoin,” were discovered by researchers at Sonatype to be corrupted to steal Bitcoin from unsuspecting web-application users.
“The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user’s clipboard with the attacker’s,” according to Ax Sharma, researcher at Sonatype, writing in a Wednesday posting. “This means if a user [of a corrupted web app built using the gems]…[were] to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would be replaced with that of the attacker, who’d now receive the Bitcoins.”
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Unfortunately, anyone can upload a gem to the RubyGems repository, including threat actors. “With any open-source system, if the honest users and the general public have access to it, so do the adversaries,”
“With open-source software supply chain attacks though, we can never be certain of their actual impact, which might be much larger,” Sharma told Threatpost in an emailed interview. “We don’t know who downloaded these packages and if they were included by a developer in their application as a dependency. If that was the case, we can’t tell who further downloaded those applications shipped with pretty_color or ruby_bitcoin in them.”

The code was also found outside of the RubyGems repository.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top