ReversingLabs has published the results of its analysis of packages in the RubyGems repository. Typosquatting is typically used to distribute malicious packages: the attacker counts on an inattentive developer making a typo or not noticing the difference when searching. The study identified more than 700 packages whose names resemble those of popular packages and differ only in minor details, such as substituting similar-looking letters or using underscores instead of dashes.
In more than 400 packages, components suspected of malicious activity were found. In particular, they contained a file named aaa.png that held executable code in PE format. These packages were tied to two accounts through which, from February 16 to February 25, 2020, they were uploaded; in total they were downloaded about 95 thousand times. The researchers notified the RubyGems administrators, and the identified malicious packages have already been removed from the repository.
Of the identified problematic packages, the most popular was "atlas-client", which at first glance is almost indistinguishable from the legitimate package "". That package was downloaded 2100 times (the legitimate package was downloaded 6496 times, i.e. users picked the wrong one in almost 25% of cases). The remaining packages were downloaded 100-150 times on average and were disguised as other packages using the same underscore/dash substitution technique (for example, among them: appium-lib, action-mailer_cache_delivery, activemodel_validators, asciidoctor_bibliography, assets-pipeline, apress_validators, ar_octopus-replication-tracking, aliyun-open_search, aliyun-mns, ab_split, apns-polite).
The malicious packages included a PNG file that, instead of an image, contained an executable for the Windows platform. The file was generated with the Ocra Ruby2Exe utility and included a self-extracting archive containing a Ruby script and a Ruby interpreter. When the package was installed, the png file was renamed to .exe and launched. During execution, a VBScript file was created and added to startup. This VBScript continuously monitored the clipboard for data resembling cryptocurrency wallet addresses; when it found one, it replaced the wallet address, counting on the user overlooking the difference and transferring funds to the substituted wallet.
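The two tricks described above, a gem name that differs from a legitimate one only in its `-`/`_` separators and a `.png` that is really a PE executable, can both be checked for before a gem is installed. The following is an added defensive example written for this article, not code from ReversingLabs or RubyGems; the gem names in KNOWN_GEMS and the sample PE-like blob are constructed for the demonstration.

```ruby
# Constructed allow-list of legitimate gem names (assumption: in practice
# this comes from a curated list or download statistics, not hard-coding).
KNOWN_GEMS = %w[widget_client http_parser mailer-cache_delivery].freeze

# Collapse the differences typosquatters rely on: "-" and "_" are treated
# as the same separator and case is ignored.
def normalize_gem_name(name)
  name.downcase.tr('-', '_')
end

# Return the legitimate gem that +candidate+ collides with after
# normalisation, or nil if it is not a look-alike. The real gem itself
# (an exact match) is never reported.
def lookalike_of(candidate, known = KNOWN_GEMS)
  return nil if known.include?(candidate)
  norm = normalize_gem_name(candidate)
  known.find { |k| normalize_gem_name(k) == norm }
end

PNG_MAGIC = "\x89PNG\r\n\x1a\n".b.freeze

# True when a file named *.png does not carry the PNG signature but does
# carry the DOS "MZ" stub and a "PE\0\0" signature at the offset stored in
# e_lfanew (little-endian 32-bit at 0x3C): an executable hiding as an image.
def disguised_pe?(filename, bytes)
  return false unless filename.downcase.end_with?('.png')
  return false if bytes.start_with?(PNG_MAGIC)
  return false unless bytes.bytesize >= 0x40 && bytes[0, 2] == 'MZ'
  pe_offset = bytes[0x3C, 4].unpack1('V')
  bytes[pe_offset, 4] == "PE\0\0".b
end

# Constructed sample: a minimal blob with a valid PE header layout only
# (not a runnable executable), as a *.png payload would present it.
def fake_pe_blob
  dos_stub = 'MZ'.b + ("\0".b * 0x3A)                     # bytes 0x00..0x3B
  dos_stub + [0x40].pack('V') + "PE\0\0".b + ("\0".b * 4)  # e_lfanew = 0x40
end

# Scan a hash of {path => bytes} representing an unpacked gem and report
# findings the way an install-time or registry-side check would.
def scan_gem(name, files, known = KNOWN_GEMS)
  findings = []
  if (target = lookalike_of(name, known))
    findings << "name #{name} is a look-alike of #{target}"
  end
  files.each do |path, bytes|
    findings << "#{path} is a PE executable disguised as PNG" if disguised_pe?(path, bytes)
  end
  findings
end
```

Real `.png` assets in a gem pass unchanged because the PNG signature check comes first; only files that claim to be images while carrying a PE header are reported.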
The research shows that it is not difficult to get malicious packages added to one of the most popular repositories, and that such packages can go unnoticed despite a significant number of downloads. It should be noted that the problem is not limited to RubyGems and also affects other popular repositories. For example, last year the same researchers found in the NPM repository a malicious bb-builder package that used a similar technique of launching an executable to steal passwords. Before that, a backdoor was found in a dependency of the NPM package event-stream, and the malicious code was downloaded about 8 million times. Malicious packages have also been found in the PyPI repository.
Source: opennet.ru
