Supply-chain attack hits RubyGems repository with 725 malicious packages
Bitcoin currency stealer was downloaded thousands of times.
More than 725 malicious packages downloaded thousands of times were recently found populating RubyGems, the official channel for distributing programs and code libraries for the Ruby programming language.
The malicious packages were downloaded almost 100,000 times, although a significant percentage of those are likely the result of scripts that automatically crawl all 158,000 packages available in the repository, Tomislav Pericin, the cofounder and chief software architect of security firm ReversingLabs, told Ars. All of them originated from just two user accounts: “JimCarrey” and “PeterGibbons.”
The accounts, which ReversingLabs suspects may be the work of a single individual, used a variation of typosquatting—the technique of giving a malicious file or domain a name that’s similar to a commonly recognizable name—to give the impression they were legitimate. For instance, “atlas-client,” a booby-trapped package with 2,100 downloads, was a stand-in for the authentic “atlas_client” package. More than 700 of the packages were uploaded from February 16 to 25.
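The separator swap in “atlas-client” versus “atlas_client” is the easiest typosquat to catch mechanically, and a short edit-distance check catches the one-character variants as well. The following Ruby script is an added example, not code from the article or from ReversingLabs: it takes a constructed allow-list of gem names (an assumption standing in for the dependencies you actually vet) and classifies a candidate name as known, a separator swap of a known name, a near miss within one edit, or unrelated.

```ruby
# Added example (not from the article or ReversingLabs): flag gem names that
# look like typosquats of names on an allow-list. KNOWN_GEMS is a constructed
# list for illustration; in practice feed it the dependencies you have vetted.
KNOWN_GEMS = %w[atlas_client rails nokogiri rspec bundler].freeze

# Fold the separators RubyGems users mix up so that "atlas-client",
# "atlas.client" and "atlas_client" compare equal.
def normalize(name)
  name.downcase.gsub(/[-.]/, '_')
end

# Plain Levenshtein edit distance (insert, delete, substitute all cost 1).
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Returns { verdict:, match: } where verdict is :known, :separator_swap,
# :near_miss or :unrelated, and match is the allow-listed name it resembles.
def classify_gem_name(candidate, known = KNOWN_GEMS, max_distance = 1)
  return { verdict: :known, match: candidate } if known.include?(candidate)

  norm = normalize(candidate)
  swap = known.find { |k| normalize(k) == norm }
  return { verdict: :separator_swap, match: swap } if swap

  nearest = known.min_by { |k| levenshtein(norm, normalize(k)) }
  if nearest && levenshtein(norm, normalize(nearest)) <= max_distance
    { verdict: :near_miss, match: nearest }
  else
    { verdict: :unrelated, match: nil }
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[atlas_client atlas-client nokogir rspec2 foobar].each do |gem_name|
    result = classify_gem_name(gem_name)
    puts format('%-14s %-15s %s', gem_name, result[:verdict], result[:match])
  end
end
```

Run it against the names in a Gemfile.lock before `bundle install` and treat anything other than `:known` as a reason to look at the package by hand; a distance threshold of 1 keeps false positives manageable on short names, and you can raise it for long ones.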
Once installed, the packages executed a script that attempted to intercept Bitcoin payments made on Windows devices. Tomislav Maljic, a ReversingLabs threat analyst, wrote in a post:
The script itself is rather simple. First, it creates a new VBScript file with the main malicious loop at the “%PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs” path. As its persistence mechanism, it then creates a new autorun registry key “HCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Software Essentials.” With this, the malware ensures that it is run every time the system is started or rebooted.
When the “Software Essentials.vbs” malicious script is executed, it starts an infinite loop where it captures the user’s clipboard data with the
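The persistence described above leaves two cheap-to-check artefacts: a script file under %PROGRAMDATA% and a per-user Run value that launches it. The Ruby script below is an added example, not code from the article or from ReversingLabs. It triages a text export of the Run key, as produced by `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"`, and flags values that launch a script host, point at a script file, or live under ProgramData. The sample export is constructed: one entry mirrors the value name and path given in the quoted analysis (with %PROGRAMDATA% expanded to C:\ProgramData), the other two are made-up benign entries.

```ruby
# Added example (not from the article or ReversingLabs): triage a `reg query`
# export of the per-user Run key for script-based autoruns of the kind the
# quoted analysis describes. SAMPLE_REG_EXPORT is constructed input; the
# "OneDrive" and "Updater" entries are invented benign examples.
SAMPLE_REG_EXPORT = <<~REG
  HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
      OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
      Microsoft Software Essentials    REG_SZ    wscript.exe "C:\\ProgramData\\Microsoft Essentials\\Software Essentials.vbs"
      Updater    REG_SZ    "C:\\ProgramData\\Vendor\\updater.exe"
REG

# Script file types that should rarely be a logon autorun target on a workstation.
SCRIPT_EXT  = /\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)("|\s|$)/i
# Script hosts that run those files.
SCRIPT_HOST = /\b(wscript|cscript|mshta|powershell)(\.exe)?\b/i
# Malware likes ProgramData because it is writable without elevation.
PROGRAMDATA = /\\ProgramData\\/i

# Parse the indented "name    REG_type    data" lines of a reg query export.
def parse_run_values(text)
  text.lines.filter_map do |line|
    m = line.match(/^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.+?)\s*$/)
    m && { name: m[1], type: m[2], data: m[3] }
  end
end

# Return the list of reasons an entry deserves a look (empty if none).
def triage_autorun(entry)
  reasons = []
  reasons << 'script file as autorun target' if entry[:data] =~ SCRIPT_EXT
  reasons << 'script host launched at logon'  if entry[:data] =~ SCRIPT_HOST
  reasons << 'target lives under ProgramData' if entry[:data] =~ PROGRAMDATA
  reasons
end

# Entries with at least one reason, each annotated with its reasons.
def suspicious_autoruns(text)
  parse_run_values(text).filter_map do |entry|
    reasons = triage_autorun(entry)
    reasons.empty? ? nil : entry.merge(reasons: reasons)
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_autoruns(SAMPLE_REG_EXPORT).each do |e|
    puts "#{e[:name]}: #{e[:data]}"
    e[:reasons].each { |r| puts "    - #{r}" }
  end
end
```

An entry that trips all three rules, as the quoted one does, is worth pulling the referenced .vbs from disk for analysis; an entry that trips only the ProgramData rule is usually a legitimate installer and needs a glance at the binary's signature rather than an alert.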