News and Notes from the Makers of Nexus | Sonatype Blog

Two new RubyGems laced with cryptocurrency-stealing malware taken down

Written by Ax Sharma | December 16, 2020

This month, RubyGems removed two gems from its open source software repository that contained malicious code. These gems, tracked as sonatype-2020-1222 by us, are:

  • pretty_color

  • ruby-bitcoin

The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user's clipboard with the attacker's.

This means if a user who had mistakenly installed either of these gems was to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would be replaced with that of the attacker, who’d now receive the Bitcoins.

This news follows shortly after Sonatype's discovery of many typosquatting and brandjacking open source malware, such as discord.dll, twilio-npm, electorn, and others.

Gem contained legitimate code from real packages with malicious code snuck in

Although the malicious gems were removed from RubyGems, Sonatype's archives within our next-generation data services, Sonatype Intelligence, had retained copies of these gems for analysis.

On digging deeper, we can provide a thorough analysis of what the malicious gems intended to do, and what stood out.

To complicate matters and make detection harder, pretty_color contains legitimate files that are taken from a trusted open source component, colorize. In fact, pretty_color is an identical replica of the benign colorize package and has all its code, including a fully descriptive README.

What does stand out though, is the presence of a mysterious version.rb file that a casual observer may otherwise overlook by mistaking it for version metadata.


Image: file structure of pretty_color gem which has the malicious "version.rb" file mixed with otherwise legitimate files of the colorize package

Snuck within version.rb is obfuscated code which, on Windows systems, generates and runs a malicious VBScript the_Score.vbs.

Notice, present on line 8 is a snarky comment, what appears to be the malware publishers calling out Tomislav Maljic, the ReversingLabs threat analyst who had previously unveiled over 700 typosquatting RubyGems that mined Bitcoins on infected machines, tracked as sonatype-2020-0196 by Sonatype.

Injects attacker's Bitcoin wallet address within the clipboard

On decoding the malicious code which goes into the_Score.vbs, and reformatting it, Sonatype Security Research team observed the code carried out a few tasks:

  1. Created (dropped) another malicious VBScript at %PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs
  2. This new VBScript monitors the user’s clipboard every second for a Bitcoin address and replaces it with the attacker’s wallet address
  3. To achieve persistence, the_Score.vbs also adds the path of the newly dropped Software Essentials.vbs to the appropriate Windows registry key, to make the malware run every time the system boots.

In effect, this would mean, if a user had copied a recipient's Bitcoin address anywhere on their system infected with pretty_color, their clipboard would now quietly contain the attacker’s Bitcoin wallet address.

Had the user been making an outgoing cryptocurrency transaction and didn't review if the address they had copied to their clipboard matches what they had pasted, the Bitcoins would be sent to the attacker.

Recall, previously identified 700+ Bitcoins also installed persistent Bitcoin-leeching malware which frequently monitored clipboard for a Bitcoin address, replacing it with the attacker's.

The other malicious gem ruby-bitcoin is much simpler and only contains the malicious code which was present in version.rb (of pretty_color).

Image: ruby-bitcoin contains just one file extconf.rb which is the same malicious file as version.rb in pretty_color

A variant of the plaintext code for the_Score.vbs generated by the obfuscated version.rb has also existed on GitHub, under an unrelated third party's account. Although the identical file on GitHub is called "wannacry.vbs," Sonatype Security Research team did not find any hard evidence linking the code to the original WannaCry ransomware operators.

Of all activities a ransomware group may conduct on a compromised system, replacing Bitcoin wallet address on the clipboard feels more akin to a trivial mischief by an amateur threat actor than to a sophisticated ransomware operation.

However, this coincidence does raise a bigger concern, considering how rampant software supply chain attacks have been in 2020.

Software supply chain attacks are drawing adversaries in, would ransomware ops be next?

Will ransomware operators be the next threat actors to exploit trust within the open source ecosystem?

After all, open source software repositories are used by both government and private organizations in developing mission-critical applications.

This month, nation-state hackers managed to breach FireEye, U.S. Treasury department, DHS and many federal agencies by pushing tampered SolarWinds Orion updates downstream to around 18,000 customers.

Although, malicious use cases of counterfeit open source components seen thus far have largely been limited to spreading Discord malware, mining Bitcoins, or compromising a system via known trojans, recurring incidents of 2020 are a sign that attacks on software supply chains are only expected to grow and be adopted by more advanced threat actors over time.

According to Sonatype's 2020 State of the Software Supply Chain report, next-generation upstream software supply chain attacks are far more sinister because bad actors are no longer waiting for public vulnerability disclosures. Instead, they are taking the initiative to contribute code to open source projects and then, unbeknownst to the other OSS project maintainers, injecting malicious code. Those code changes then make their way into open source projects that feed the software supply chains of developers around the world.

By shifting their focus upstream (i.e., publishing malicious components in open source repositories), bad actors can infect a single component, which will then be distributed downstream using trusted software workflows and transitive dependencies.

Our 2020 report also shows that this is happening at a rapidly increased rate. In fact, there was a 430% increase in upstream software supply chain attacks over the past year. Keeping this in mind, it is virtually impossible to manually chase and keep track of such components.

---

Sonatype's world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.

If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Sonatype Vulnerability Scanner to find out quickly.

Visit the Sonatype Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Sonatype Intelligence Insights hot off the press.