760+ malicious packages found typosquatting on RubyGems

Researchers have discovered over 760 malicious Ruby packages (aka “gems”) typosquatting on RubyGems, the Ruby community’s gem repository / hosting service.

The discovery

ReversingLabs analysts wanted to see how widespread the practice of package typosquatting is within RubyGems.

The practice refers to the intentional use of package names very similar to those of popular packages (e.g., atlas-client instead of atlas_client), with the ostensible intention of tricking users into executing them and, therefore, unknowingly running malicious code.

“We crafted a list of the most popular gems to use as a baseline. On a weekly basis, we collected gems that were newly pushed to the RubyGems repository. If we detected a new gem with a similar name to any of the baseline list gems, we flagged it as interesting for analysis,” threat analyst Tomislav Maljić explained.

After analyzing them, they found that all contained an executable file with the same filename and the PNG extension, which they assume was used to masquerade the executable as an image file. The file was also located on the same path in every gem.

The packages also contained a gemspec file – a type of file that contains basic metadata about the gem but can also include information about extensions – which runs an extension that checks the target platform and if it’s Windows, it renames the PNG file into an EXE file and executes it.

A Ruby script is then run that creates an additional script, which in its turn:

• Sreates an autorun registry key to assure persistence
• Captures the user’s clipboard data in an infinite loop
• Checks whether the data matches the format of a cryptocurrency wallet address and, if it does, replaces it with the address with an attacker-controlled one.

Its goal is to redirect all potential cryptocurrency transactions to the attacker’s wallet.

Repeated attacks

All the malicious gems were published by two accounts, which the researchers believe were created by the same threat actor. In fact, they believe that the same threat actor mounted at least two previous malicious campaigns against the RubyGems repository.

“The same file path ‘/ext/trellislike/unflaming/waffling/’ was used in all the attacks. Likewise, the malicious intent was related to cryptomining in all cases,” Maljić explained their reasoning.

ReversingLabs provided a list of the affected packages, which have since been removed from RubyGems. The two accounts created by the threat actor have been suspended.

This is not the first time threat actors tried to plant malicious packages in software repositories for popular programming languages. ReversingLabs previously flagged a batch of malicious Python libraries hosted on Python Package Index (PyPI), and developer Jussi Koljonen found that several older versions of popular Ruby packages on RubyGems were trojanized to steal information and mine cryptocurrency.