
How Hackers have Hidden Malware in RubyGems Packages

by CISOCONNECT Bureau

Recently, two malicious packages were found on RubyGems, one posing as a bitcoin library and the other as a string-colouring library. Read on to know more…

Over the past few months, attackers have increasingly targeted the software supply chain by seeding package managers and code marketplaces with malicious code. Open-source security firm Sonatype reported two malicious Ruby packages that install a clipboard hijacker which runs persistently on infected Windows machines. Any project that pulled in these packages as a dependency would carry the malware downstream to its own users, which is what makes this a supply chain attack.

Observations
The two malicious packages, ruby-bitcoin and pretty_color, masqueraded as a bitcoin library and as a library for printing strings with various colour effects, respectively. ruby-bitcoin shipped an extconf.rb script containing an obfuscated base64-encoded string. extconf.rb is the script RubyGems runs at install time to configure a native extension, so the payload executed as soon as the gem was installed. Once decoded, it created a malicious VBS file and set it up to start automatically whenever a user logs into Windows.

The pretty_color package padded itself out with legitimate files taken from a trusted open-source component, colorize. It was an exact copy of the benign colorize gem, including all of its code and its README, with the malicious script bundled alongside. ruby-bitcoin was added to RubyGems on December 7 and reached 81 downloads; pretty_color was added on December 13 and reached 61 downloads.
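The pattern described above, an extconf.rb that carries a long base64 blob, decodes it at install time and drops a VBS file into the Windows Startup folder, is easy to triage before a gem is ever installed. The following is an added example written for this article, not code from Sonatype or from the malicious packages; the indicator list, the length threshold for blobs, and both sample extconf.rb scripts are constructed for the example, and the "dropper" sample writes only a harmless placeholder VBS body.

```ruby
# Added example: static triage of a gem's extconf.rb for an obfuscated,
# decode-and-eval payload that drops a file into the Windows Startup folder.
# Indicator list is an assumption for this example, not a complete signature.
INDICATORS = {
  base64_decode:  /Base64\.(?:strict_|urlsafe_)?decode64|unpack1?\s*\(?\s*['"]m0?['"]/,
  eval:           /\b(?:eval|instance_eval|class_eval)\b/,
  startup_folder: /\bStartup\b/i,          # ...\Start Menu\Programs\Startup
  vbs_file:       /\.vbs\b/i,
  file_write:     /File\.(?:write|binwrite|open)\b/,
  clipboard:      /clipboard/i,
}.freeze

# Quoted runs of base64 characters long enough to hide code rather than a
# short token. The 48-character threshold is an assumption for this example.
def base64_blobs(src, min_len: 48)
  src.scan(/['"]([A-Za-z0-9+\/=]{#{min_len},})['"]/).flatten
end

# Scan the script text, then decode every blob it carries and scan that too.
# Returns the indicators seen, the decoded payloads, and a triage verdict.
def triage_extconf(src)
  hits = INDICATORS.select { |_, re| src.match?(re) }.keys
  payloads = base64_blobs(src).map { |b| b.unpack1('m') }
  payloads.each do |p|
    INDICATORS.each { |name, re| hits << :"decoded_#{name}" if p.match?(re) }
  end
  hits.uniq!
  {
    indicators: hits,
    decoded_payloads: payloads,
    # Decoding-and-evaluating a blob, or a blob that decodes to dropper-like
    # code, is enough to hold the gem for manual review.
    suspicious: (hits & %i[base64_decode eval]).any? ||
                hits.any? { |h| h.to_s.start_with?('decoded_') },
  }
end

# Constructed stand-in for the dropper the article describes: writes a VBS
# file into the per-user Startup folder so it runs at every logon. The VBS
# body is a harmless placeholder, not the clipboard hijacker.
DROPPER_SRC = <<~'RUBY'
  vbs = 'WScript.Echo "placeholder"'
  startup = File.join(ENV['APPDATA'].to_s, 'Microsoft', 'Windows',
                      'Start Menu', 'Programs', 'Startup')
  File.write(File.join(startup, 'init.vbs'), vbs)
RUBY

# Constructed extconf.rb shaped like the one described: the usual mkmf
# preamble plus a decode-and-eval of the obfuscated blob.
MALICIOUS_EXTCONF = <<~RUBY
  require 'mkmf'
  eval('#{[DROPPER_SRC].pack('m0')}'.unpack1('m'))
  create_makefile('ruby_bitcoin')
RUBY

# Constructed benign extconf.rb for comparison.
BENIGN_EXTCONF = <<~RUBY
  require 'mkmf'
  create_makefile('ruby_bitcoin')
RUBY

# Convenience for a gem unpacked locally (gem fetch NAME; gem unpack NAME-VERSION.gem):
# triage every extconf.rb under the directory without installing anything.
def triage_gem_dir(dir)
  Dir.glob(File.join(dir, '**', 'extconf.rb')).to_h { |f| [f, triage_extconf(File.read(f))] }
end

if __FILE__ == $PROGRAM_NAME
  puts "malicious: #{triage_extconf(MALICIOUS_EXTCONF)[:indicators].inspect}"
  puts "benign:    #{triage_extconf(BENIGN_EXTCONF)[:indicators].inspect}"
end
```

The decoded payload is what matters: a long quoted blob is not proof of anything on its own, but a blob that decodes to code touching the Startup folder, a .vbs file, or the clipboard is. Run this against an unpacked copy of a gem (gem fetch, then gem unpack) rather than against an installed one, since installation is exactly when extconf.rb executes.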

A victim is unlikely to notice that the wallet address they paste differs from the one they copied, which lets the attacker intercept transactions and steal cryptocurrency funds. In this case, however, none of the attacker's cryptocurrency addresses had received any funds: both clipboard-hijacking packages were removed from the repository about a day after being published.

Working Mechanism
A clipboard hijacker monitors the Windows clipboard for cryptocurrency addresses, and if one is detected, replaces it with an address under the attacker’s control. Unless a user double-checks the address after they paste it, the sent coins will go to the attacker’s cryptocurrency address instead of the intended recipient.

The malicious versions were pretty_color-0.8.1.gem and ruby-bitcoin-0.0.20.gem. Each contained a malicious Ruby script that writes out the VBS scripts acting as the clipboard hijacker.

Recent Supply Chain Attacks
Supply chain attacks are growing because a single compromise of one project lets the attacker reach many downstream users at once. Recently, Trojanized versions of SolarWinds' Orion software were used in a massive supply chain attack across several U.S. federal agencies. In early December, malicious NPM packages were observed installing the njRAT remote access trojan.

Conclusion
Software supply chain attacks are expected to grow and to be used more by advanced threat actors in the coming years. Experts therefore recommend that organizations regularly assess their supplier network, understand the risks that come with third-party suppliers and components, and make supply chain management part of their cybersecurity plan. For developers, that means pinning dependency versions, reviewing what a new gem actually contains (especially any install-time script such as extconf.rb) before adding it, and treating a package that is a byte-for-byte copy of a popular one under a different name as a warning sign.
