2020-04-17

ReversingLabs security researchers say they have discovered 725 Ruby libraries uploaded to the official RubyGems repository containing malware intended to hijack users' clipboards.

The libraries were uploaded to RubyGems between Feb. 16 and 25 from two accounts, JimCarrey and PeterGibbons.

The 725 fully-featured libraries were removed two days later, on February 27, after the ReversingLabs team notified the RubyGems security team.

All of the Ruby libraries were copies of legitimate libraries published under similar names; they functioned as intended but also contained an additional malicious file.

The additional file inserted in each package was named aaa.png. However, ReversingLabs says this file was not a PNG image but a Windows PE executable.

The installation of each of the malicious libraries triggered a chain of infection that looked like this:

The PE file dropped a Ruby script named aaa.rb that contained the Ruby shell and all the dependencies it needed to run.

The Ruby script dropped a Visual Basic script called oh.vbs.

This script then set up an autorun registry key.

The autorun key then ran a second Visual Basic script every time the computer was restarted.

This second script captured data sent to the clipboard, looked for text patterns resembling cryptocurrency addresses, and replaced that text with the attacker's address.

Image: ReversingLabs
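A defender-side check derived from the detail above, added here as an example and not code from ReversingLabs or the article: it opens a .gem archive's data.tar.gz and flags any image-named member whose bytes are actually a Windows PE executable, exercised on a constructed sample gem whose aaa.png is really an MZ/PE stub. The gem layout (an outer tar holding data.tar.gz) and the sample file names are assumptions made for the example.

```python
import io
import tarfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def find_disguised_pe(gem_bytes: bytes) -> list:
    """Open a .gem (assumed: an outer tar holding data.tar.gz) and list image-named members that are really PE files."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(gem_bytes), mode="r:") as outer:
        with tarfile.open(fileobj=outer.extractfile("data.tar.gz"), mode="r:gz") as data_tar:
            for member in data_tar.getmembers():
                if member.isfile() and member.name.lower().endswith(IMAGE_SUFFIXES):
                    if is_pe_executable(data_tar.extractfile(member).read()):
                        hits.append(member.name)
    return hits


def _tar(mode: str, files: dict) -> bytes:
    """Pack {name: bytes} into an in-memory tar archive (mode 'w:' or 'w:gz')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as t:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            t.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_gem() -> bytes:
    """Constructed sample gem: a Ruby file, a genuine PNG header, and an 'aaa.png'
    that is really a minimal PE stub (MZ header, e_lfanew -> 'PE\\0\\0')."""
    fake_pe = bytearray(b"MZ" + b"\0" * 0x3E)           # 0x40-byte DOS header
    fake_pe[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew = 0x40
    fake_pe += b"PE\0\0" + b"\0" * 20                     # PE signature follows the stub
    data_tar_gz = _tar("w:gz", {
        "lib/example.rb": b"puts 'hello'\n",
        "assets/logo.png": PNG_MAGIC + b"\0" * 16,
        "aaa.png": bytes(fake_pe),
    })
    return _tar("w:", {"data.tar.gz": data_tar_gz})
```

Running find_disguised_pe(build_sample_gem()) returns ['aaa.png']; the genuine PNG header and the Ruby file are left alone.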

ReversingLabs says that thousands of users downloaded the libraries. However, judging by the Bitcoin address the researchers shared in their report, the attackers do not appear to have hijacked any payments during this latest attack.

Researchers say they believe this attack was carried out by the same person or group that uploaded malware-laden libraries to the RubyGems package repository before, in 2018 and 2019; both earlier incidents used similar techniques and were also aimed at stealing cryptocurrency from users.

This also marks the second time that ReversingLabs has found malicious libraries hidden in a package repository. In July 2019, the company found three malicious Python libraries uploaded to the PyPI portal.