{"id":53175,"date":"2020-12-19T09:01:14","date_gmt":"2020-12-19T09:01:14","guid":{"rendered":"https:\/\/www.cryptocabaret.com\/?p=53175"},"modified":"2020-12-19T09:01:14","modified_gmt":"2020-12-19T09:01:14","slug":"two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers","status":"publish","type":"post","link":"https:\/\/www.cryptocabaret.com\/?p=53175","title":{"rendered":"Two Rubygems Infected With Crypto-Stealing Feature Malware Spotted by Researchers"},"content":{"rendered":"<p><img decoding=\"async\" width=\"696\" height=\"392\" src=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-768x432.jpg\" class=\"attachment-medium_large size-medium_large wp-post-image\" alt=\"Two Rubygems Infected With Crypto-Stealing Feature Malware Spotted by Researchers\" loading=\"lazy\" srcset=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-768x432.jpg 768w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-300x169.jpg 300w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-1024x576.jpg 1024w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-696x392.jpg 696w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-1068x601.jpg 1068w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-747x420.jpg 747w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-190x107.jpg 190w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-380x214.jpg 380w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers-760x428.jpg 760w, https:\/\/news.bitcoin.com\/wp-content\/uploads\/2020\/12\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers.jpg 1280w\" sizes=\"auto, (max-width: 696px) 100vw, 696px\"><\/p>\n<p><strong>New infected Rubygems packages have been spotted in its open-source software repository and which contained malicious code mainly used to steal cryptocurrencies from users via supply chain attack.<\/strong><\/p>\n<h2>Two Cryptocurrency-Stealers Rubygems Detected by Researchers at Sonatype<\/h2>\n<p>According to Ax Sharma, a security researcher at Sonatype, the two gems <a href=\"https:\/\/blog.sonatype.com\/rubygems-laced-with-bitcoin-stealing-malware\">detected<\/a> \u2014 pretty_color and ruby-bitcoin \u2014 had malware that deployed the attack on Windows machines and replaced any bitcoin (<a class=\"lar-automated-link\" href=\"https:\/\/markets.bitcoin.com\/crypto\/BTC\" target=\"_blank\" rel=\"noopener noreferrer\">BTC<\/a>), ethereum (<a class=\"lar-automated-link\" href=\"https:\/\/markets.bitcoin.com\/crypto\/ETH\" target=\"_blank\" rel=\"noopener noreferrer\">ETH<\/a>), or monero (<a class=\"lar-automated-link\" href=\"https:\/\/markets.bitcoin.com\/crypto\/XMR\" target=\"_blank\" rel=\"noopener noreferrer\">XMR<\/a>) wallet addresses found on the victim\u2019s clipboard by the attackers\u2019 ones.<\/p>\n<p>Rubygems is a package manager for the Ruby programming language that allows developers to integrate code developed by other people. Anyone can upload a \u201cgem\u201d to the repository, open in some way the doors for threat actors to upload their malicious packages.<\/p>\n<p>The researcher explained further about how the attack operates:<\/p>\n<blockquote>\n<p>This means if a user who had mistakenly installed either of these gems was to copy-paste a bitcoin recipient wallet address somewhere on their system, the address would be replaced with that of the attacker, who\u2019d now receive the bitcoins.<\/p>\n<\/blockquote>\n<p>During an analysis conducted by the Sonatype Security Research team, it was detected that unless the victim double-checks the wallet address after they paste it, the clipboard hijacker deployed during the supply chain attack will quietly change the address by creating separate malicious scripts contained in VBS files.<\/p>\n<p><!-- growjs zone placement 31 --> <ins> <ins class=\"growjs-placement\"><\/ins> <\/ins> <!-- end of growjs zone placement --> <\/p>\n<h2>Supply Chain Attacks: A Growing Concern<\/h2>\n<p>Sharma also warned on the growing trend that supply chain attacks have so far in 2020, considering it a \u201cbigger concern.\u201d<\/p>\n<p>According to Sonatype\u2019s <a href=\"https:\/\/www.sonatype.com\/2020ssc\">2020 State of the Software Supply Chain report<\/a>, there was a 430% increase in upstream software supply chain attacks over the past year, making it \u201cvirtually impossible\u201d to chase and keep track of such components manually.<\/p>\n<p>Sonatype\u2019s Sharma adds:<\/p>\n<blockquote>\n<p>Of all activities a ransomware group may conduct on a compromised system, replacing bitcoin wallet address on the clipboard feels more akin to a trivial mischief by an amateur threat actor than to a sophisticated ransomware operation. However, this coincidence does raise a bigger concern, considering how rampant software supply chain attacks have been in 2020.<\/p>\n<\/blockquote>\n<p><em><strong>Will we see a leading role in crypto-related supply chain attacks in 2021? Let us know in the comments section below.<\/strong><\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/news.bitcoin.com\/two-rubygems-infected-with-crypto-stealing-feature-malware-spotted-by-researchers\/\">Two Rubygems Infected With Crypto-Stealing Feature Malware Spotted by Researchers<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/news.bitcoin.com\/\">Bitcoin News<\/a>.<\/p>\n<p class=\"wpematico_credit\"><small>Powered by <a href=\"http:\/\/www.wpematico.com\" target=\"_blank\" rel=\"noopener noreferrer\">WPeMatico<\/a><\/small><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New infected Rubygems packages have been spotted in its open-source software repository and which contained malicious code mainly used to steal cryptocurrencies from users via supply chain attack. Two Cryptocurrency-Stealers Rubygems Detected by Researchers at Sonatype According to Ax Sharma, a security researcher at Sonatype, the two gems detected \u2014 pretty_color and ruby-bitcoin \u2014 had [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":53176,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[309],"tags":[],"class_list":["post-53175","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/posts\/53175","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=53175"}],"version-history":[{"count":0,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/posts\/53175\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/media\/53176"}],"wp:attachment":[{"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=53175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=53175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=53175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}