In the traditional sense, we usually come across typosquatting in the form of attackers registering misspelled domain names to lure users away from legitimate sites. This time, however, the attackers changed their approach.
According to IT security researchers at ReversingLabs, a lesser-known application of typosquatting was observed in which 700 malicious Ruby libraries (gems), engineered to steal cryptocurrency, were uploaded to the RubyGems repository under misspelled names in a bid to lure unsuspecting developers into installing them.
The uploads are believed to have been made between 16 and 25 February 2020 by two user accounts named “Jim Carrey” and “PeterGibbons”, with the latter still active at the time of discovery.
Delving into the specifics, these libraries were copies of legitimate gems that had been modified by adding a malicious file. According to ReversingLabs, the firm that uncovered the campaign, this extra file was named aaa.png, but it was in fact a Windows PE executable rather than an image, which also shows that the attack targeted only Windows users.
Once the user installed the library, this file began executing a pre-defined sequence of steps:
1- A Ruby script named aaa.rb, containing a Base64-encoded VB script, is extracted from the file.
2- This VB script is decoded and written to a file named oh.vbs.
3- An autorun registry key is created at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Software Essentials”, ensuring the malware “is run every time the system is started or rebooted.”
4- A second VB script named “Software Essentials.vbs” is then run, which reads the contents of the user’s clipboard.
5- If it recognizes a cryptocurrency address on the clipboard, it silently replaces that address with the attacker’s address: “1JkU5XdNLji4Ugbb8agEWL1ko5US42nNmc.”
However, as of now, a look at the blockchain shows that the aforementioned address has not received any funds and remains empty, indicating that this recent campaign has not been successful.
To conclude, all these malicious libraries were removed on 27 February, two days after ReversingLabs reported the incident to the RubyGems security team.
The lesson here is perhaps that a similar case had already been seen with the Python Package Index (PyPI) back in July 2019, so developer teams can expect attacks of this pattern to continue.
Hence, suitable precautions need to be taken, such as greater oversight of uploaded packages, along with developers taking extra care to download the right files.