Over 700 malicious packages with names similar to legitimate ones have been uploaded to RubyGems, a popular repository of third-party components for the Ruby programming language. The upload took place over the course of a week in February, researchers report. The rogue packages contained a malicious script that, when executed on Windows computers, hijacked cryptocurrency transactions by replacing the recipient’s wallet address with one controlled by the attacker.
Supply-chain attacks through third-party components and libraries have impacted the users of several open-source component repositories in recent years, including NPM and PyPi, which are used by JavaScript and Python developers, respectively. One of the techniques, which was also employed in this latest attack against RubyGems, is typosquatting: The publishing of packages with names similar to existing ones but with common typos developers are likely to make when typing package names manually — for example rspec-mokcs instead of rspec-mocks.
Software repositories have few protections
“There are very few protections out there for software developers to make sure that packages they install from these repositories are malware free,” Tomislav Pericin, co-founder and chief software architect at threat Intelligence firm ReversingLabs, tells CSO. “Software security vendors that specialize in malware detection typically do not integrate with development environments. Currently the malware detection task is outsourced to endpoint protection solutions which in turn focus primarily on different kinds of malware that targets the end user. There is a huge gap in the market, which is being exploited by malware authors.”
Even though in this case the attacker was interested in stealing cryptocurrency, the clipboard hijacking script they used could have easily been designed to steal any login credentials that victims copied and pasted on their computers. Since these attacks target developers who have access to various internal development and software building environments, the impact can be serious and could lead to further supply-chain attacks against the users of the software they produce.
How the RubyGems attack worked
Modern applications have only a small percentage of original code. Most of their codebases come from reusable components developed by others and published on repositories like NPM, PyPi, RubyGems and others. While this simplifies and speeds software development, it introduces security issues related to code integrity and safety that are not yet fully addressed by the industry.
Components written in the Ruby programming language are called gems and are essentially TAR archives with a particular directory structure. They include a manifest file, binaries, libraries and tests. One interesting feature is that they can include extensions in the form of executable code, and it’s this functionality that the attacker chose to abuse in this case.
The malicious gems identified by ReversingLabs were uploaded from two accounts and contained an extension called aaa.png under the directory path /ext/trellislike/unflaming/waffling/. While the file masqueraded as a PNG image, this was just a diversion, because it was actually a Windows portable executable (PE). The attack targeted Ruby developers who use Windows as their development environment.
The Makefile included in the package instructed the Ruby installer to rename aaa.png to aaa.exe during installation and to execute it, an action that happened without user interaction. Aaa.exe was actually a Ruby program created with Ruby2Exe that deployed an obfuscated Visual Basic Script (VBS) — VBScript is a scripting language supported natively on Windows systems.
The VBS file was saved as Software Essentials.vbs in the Program Data directory and was set up to automatically start after every system reboot. The script was designed to run in a loop monitoring the computer’s clipboard for string patterns that match a bitcoin wallet address and to replace such strings on the fly with a wallet address belonging to the attacker.
This means that when the victim attempted to make a bitcoin transaction and copied the recipient’s wallet address — for example, from a website — the pasted address was always the attacker’s. Clipboard hijacking has been used before against cryptocurrency users, but in this case it wasn’t very successful, the rogue wallet address receiving no transactions.
That’s not because the infection method itself wasn’t effective. The attack was limited because it happened to coincide with ReversingLabs running an analysis of RubyGems and the attacker’s target profile — Ruby developers using Windows systems and performing bitcoin transactions.
Attack evaded anti-typosquatting measures
One of the rogue gems called atlas-client had over 2,100 downloads, which is a third of the total download count of the legitimate gem it typosquatted called atlas_client (with underscore). All the 700 rogue packages had names where the attacker copied legitimate package names but replaced hyphens with underscores or underscores with hyphens.
This might explain why the packages were not blocked by RubyGems, which does use an anti-typosquatting mechanism based on Levenshtein distance rules that was added in response to past incidents. The rogue gems discovered by ReversingLabs were downloaded more than 95,000 times until being taken down.
“They might have detection capabilities in place today, but it appears that the attacker has found patterns that the algorithm misses,” Pericin tells CSO. “This is the third time we’ve detected this actor in the RubyGems repository. We look at the software supply chain as a huge surface that needs to be covered with security controls. These incidents only confirm that the developers have become targets, or vessels, that can carry out attacks on unsuspecting users.”
Copyright © 2020 IDG Communications, Inc.
