Sonatype researchers have discovered two malicious packages, pretty_color and ruby-bitcoin, in the official RubyGems repository. Both have already been removed from the platform.
The malware hidden in these packages targeted Windows machines and replaced any cryptocurrency wallet address found in the clipboard with the attackers’ own wallet address. In effect, the malware let the attackers redirect transactions and steal the victims’ cryptocurrency.
The researchers write that pretty_color contained the legitimate files of colorize, a well-known and trusted open source component, which made the threat hard to spot.
“In fact, pretty_color is an identical copy of the colorize package and contains all of its code, including the complete README file,” reads the expert report.
The package also included a file named version.rb, which appeared to hold version metadata but actually contained obfuscated code designed to run a malicious script on Windows computers.
The code also contained a sarcastic reference to ReversingLabs threat analyst Tomislav Maljic, who in spring 2020 identified more than 700 malicious RubyGems libraries designed to mine bitcoin on infected machines. All the malware detected at that time consisted of clones of various legitimate libraries that relied on typosquatting: their names were deliberately similar to the originals, and they even worked as expected, but also contained additional malicious files.
According to Sonatype researchers, the ruby-bitcoin package contains nothing but the malicious code (the same code found in pretty_color’s version.rb file).
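A defender-side check that follows from the clone-package description above, added here as an illustration rather than taken from the Sonatype report: given the file tree of a suspect gem and of the legitimate gem it resembles, list every file the suspect adds or changes and score it by Shannon entropy so that an obfuscated blob like the one in version.rb stands out. File names and contents below are constructed for the example and do not reproduce the real packages.

```ruby
# Bits of entropy per byte; packed or base64-style blobs score well above
# ordinary Ruby source, so this is a cheap first filter, not proof of malice.
def shannon_entropy(data)
  return 0.0 if data.empty?
  len = data.bytesize.to_f
  total = data.each_byte.tally.values.sum { |c| p = c / len; p * Math.log2(p) }
  -total
end

# reference and suspect map relative path => file contents (built in memory
# here; in practice read from the output of `gem unpack`).
def audit_clone(reference, suspect, entropy_threshold: 5.0)
  findings = []
  suspect.each do |path, body|
    if !reference.key?(path)
      status = :added
    elsif reference[path] != body
      status = :modified
    else
      next # byte-identical to the legitimate gem, nothing to report
    end
    ent = shannon_entropy(body)
    findings << { path: path, status: status, entropy: ent.round(2),
                  suspicious: ent >= entropy_threshold }
  end
  findings.sort_by { |f| [-f[:entropy], f[:path]] }
end

# Constructed sample trees standing in for colorize and its clone.
REFERENCE_GEM = {
  "README.md"       => "# colorize\n\nAdds ANSI colour helpers to String.\n",
  "lib/colorize.rb" => "module Colorize\n  RED = \"\\e[31m\"\n  RESET = \"\\e[0m\"\nend\n"
}.freeze

# Stand-in for an obfuscated payload: a decode-and-eval wrapper around a blob.
PACKED = (("A".."Z").to_a + ("a".."z").to_a + ("0".."9").to_a + %w[+ /]).join * 2
SUSPECT_GEM = REFERENCE_GEM.merge(
  "lib/version.rb" => "eval(Base64.decode64(\"#{PACKED}\"))\n"
).freeze

if $PROGRAM_NAME == __FILE__
  audit_clone(REFERENCE_GEM, SUSPECT_GEM).each do |f|
    puts format("%-8s %-16s entropy=%.2f%s", f[:status], f[:path], f[:entropy],
                f[:suspicious] ? "  <-- review" : "")
  end
end
```

The entropy threshold is a heuristic; a flagged file still needs a human to read it, and a low score does not clear a file that simply hides its payload elsewhere.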
Interestingly, the plain-text version of the malicious script used in these attacks was found by the researchers on GitHub, in an unrelated account, under the name wannacry.vbs, although it has nothing to do with the WannaCry malware.