Two Rubygems Contaminated With Crypto-Stealing Malware Noticed by Researchers


Newly discovered infected Rubygems packages in the open-source RubyGems repository contained malicious code used primarily to steal cryptocurrency from users via a software supply chain attack.

Two cryptocurrency stealer Rubygems discovered by researchers at Sonatype

According to Ax Sharma, a security researcher at Sonatype, the two gems discovered – Pretty_Color and Ruby-Bitcoin – carried malware that ran on Windows computers and replaced any Bitcoin (BTC), Ethereum (ETH) or Monero (XMR) wallet address found on the victim’s clipboard with an address controlled by the attackers.

Rubygems is the package manager for the Ruby programming language; it lets developers pull in code written by others. Anyone can upload a “gem” to the repository, which also opens the door for threat actors to upload malicious packages.

The researcher went on to explain how the attack works:

This means that if a user who accidentally installed one of these gems wants to copy and paste a Bitcoin recipient wallet address somewhere on their system, the address will be replaced with that of the attacker, who has now received the Bitcoins.

An analysis by the Sonatype Security Research team found that the clipboard hijacker deployed in the supply chain attack silently swaps the address by dropping and running a separate malicious script contained in a VBS file.
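The tell-tale behaviour of a clipboard hijacker like the one described above is that a wallet address lands on the clipboard and, moments later, is replaced by a different address of the same currency. The following Ruby script is an added example written for this article, not code from Sonatype or from the malicious gems: it runs simple swap-detection logic over a constructed timeline of clipboard snapshots. The address patterns are loose format checks (no checksum validation), the snapshot timeline and every address in it are made up, and the five-second window is an assumed threshold.

```ruby
# Added example: detect a clipboard address swap from recorded clipboard snapshots.
# A real monitor would feed live clipboard reads into detect_swaps; here the
# timeline is constructed inline so the logic can run offline.

# Loose format checks per currency (constructed, not checksum-validating).
ADDRESS_PATTERNS = {
  btc: /\A(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\z/,
  eth: /\A0x[0-9a-fA-F]{40}\z/,
  xmr: /\A[48][1-9A-HJ-NP-Za-km-z]{94}\z/
}.freeze

# Returns :btc, :eth, :xmr or nil for clipboard text that looks like an address.
def classify_address(text)
  candidate = text.to_s.strip
  ADDRESS_PATTERNS.each { |kind, re| return kind if candidate.match?(re) }
  nil
end

# snapshots: array of { t: seconds, text: clipboard contents } in time order.
# An alert is raised when an address of kind K is followed, within `window`
# seconds, by a *different* address of the same kind K. That is exactly what a
# hijacker produces; a user copying two addresses back to back is the
# expected false-positive case, so the window is kept short.
def detect_swaps(snapshots, window: 5.0)
  alerts = []
  previous = nil
  snapshots.each do |snap|
    kind = classify_address(snap[:text])
    text = snap[:text].to_s.strip
    if previous && kind && previous[:kind] == kind &&
       previous[:text] != text && (snap[:t] - previous[:t]) <= window
      alerts << { kind: kind, original: previous[:text],
                  replaced_with: text, at: snap[:t] }
    end
    previous = kind ? { kind: kind, text: text, t: snap[:t] } : nil
  end
  alerts
end

# Constructed sample addresses (valid-looking format only, not real wallets).
BTC_USER     = "1AbCdEfGhJkMnPqRsTuVwXyZ234567891a"
BTC_SWAPPED  = "1ZyXwVuTsRqPnMkJhGfEdCbA987654321b"
ETH_FIRST    = "0x" + ("ab" * 20)
ETH_SECOND   = "0x" + ("cd" * 20)

# Constructed clipboard timeline: the BTC address is overwritten 0.4 s after
# being copied (hijacker pattern); the two ETH addresses are 18 s apart (user
# copying two addresses for legitimate reasons) and must not alert.
SAMPLE_SNAPSHOTS = [
  { t: 0.0,  text: BTC_USER },
  { t: 0.4,  text: BTC_SWAPPED },
  { t: 10.0, text: "meeting notes for Monday" },
  { t: 12.0, text: ETH_FIRST },
  { t: 30.0, text: ETH_SECOND }
].freeze

if __FILE__ == $PROGRAM_NAME
  detect_swaps(SAMPLE_SNAPSHOTS).each do |a|
    puts "ALERT #{a[:kind]} address swapped at t=#{a[:at]}s: " \
         "#{a[:original]} -> #{a[:replaced_with]}"
  end
end
```

On the sample timeline the script reports a single alert, for the BTC swap at 0.4 s; the two ETH addresses fall outside the window and are ignored. Tightening the window lowers the false-positive rate from legitimate double copies at the cost of missing a slower hijacker, so the threshold should be tuned against real clipboard usage.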

Supply Chain Attacks: A Growing Problem

Sharma also warned of the growing number of supply chain attacks seen so far in 2020, calling them a “bigger problem”.

According to Sonatype’s 2020 State of the Software Supply Chain Report, attacks on the upstream software supply chain rose 430% over the past year, making it “virtually impossible” to track and trace such components manually.

Sonatype’s Sharma adds:

Of all the activities that a ransomware group can do on a compromised system, replacing the Bitcoin wallet address on the clipboard is more like the trivial nonsense of an amateur threat actor than a sophisticated ransomware operation. However, this incident is a cause of greater concern considering how widespread the attacks on the software supply chain were in 2020.

Will we see a leading role in crypto-related supply chain attacks in 2021? Let us know in the comments below.


Photo credit: Shutterstock, Pixabay, Wiki Commons
