A few days ago, ReversingLabs researchers published in a blog post the results of an analysis of typosquatting in the RubyGems repository. Typosquatting is typically used to distribute malicious packages, counting on an inattentive developer to make a typo or not notice the difference in the name.
The study revealed more than 700 packages whose names are similar to those of popular packages and differ only in minor details, for example, replacing similar-looking letters or using underscores instead of hyphens.
To get around defensive measures, attackers are always looking for new attack vectors. One such vector, the software supply chain attack, is becoming increasingly popular.
Of the packages analyzed, more than 400 were identified as containing suspicious components indicative of malicious activity. In particular, they contained a file named aaa.png that included executable code in PE format.
The malicious packages included a PNG file containing an executable file for the Windows platform instead of an image. The file was generated using the Ocra Ruby2Exe utility and included a self-extracting archive with a Ruby script and a Ruby interpreter.
When the package was installed, the .png file was renamed to .exe and executed. During execution, a VBScript file was created and added to autostart.
The malicious VBScript scanned the clipboard contents in a loop for data resembling cryptocurrency wallet addresses and, on detecting one, replaced the wallet address with a different one, expecting that the user would not notice the difference and would transfer funds to the wrong wallet.
Typosquatting is particularly interesting. In this type of attack, malicious packages are intentionally given names that look as much like popular ones as possible, in the hope that an unsuspecting user will misspell the name and inadvertently install the malicious package instead.
The study showed that it is not difficult to add malicious packages to one of the most popular repositories and these packages can go unnoticed, despite a significant number of downloads. It should be noted that the issue is not specific to RubyGems and applies to other popular repositories.
For example, last year the same researchers identified in the NPM repository a malicious bb-builder package that used a similar technique of running an executable file to steal passwords. Before that, a backdoor was found in a dependency of the event-stream NPM package, and the malicious code was downloaded approximately 8 million times. Malicious packages also appear periodically in the PyPI repository.
These packages were associated with two accounts through which, from February 16 to February 25, 2020, 724 malicious packages were published to RubyGems; in total they were downloaded approximately 95 thousand times.
The researchers informed the RubyGems administrators, and the identified malicious packages have already been removed from the repository.
These attacks indirectly threaten organizations by attacking third-party vendors that provide them with software or services. Since such vendors are generally considered trusted publishers, organizations tend to spend less time verifying that the packages they consume are truly free of malware.
Of the identified problem packages, the most popular was atlas-client, which at first glance is almost indistinguishable from the legitimate atlas_client package. It was downloaded 2100 times (the legitimate package was downloaded 6496 times, meaning users picked the wrong one in almost 25% of cases).
The remaining packages were downloaded on average 100-150 times and imitated other packages using the same underscore/hyphen substitution technique (malicious packages included, for example: appium-lib, action-mailer_cache_delivery, activemodel_validators, asciidoctor_bibliography, assets-pipeline, assets-validators, ar_octopus- replication tracking, aliyun-open_search, aliyun-mns, ab_split, apns-polite).
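Two pre-install checks that follow from the study, one for the hyphen/underscore look-alike names listed above and one for the PE executable hidden in aaa.png described earlier. This is an added example written for this page, not ReversingLabs' or RubyGems' own code; the allow-list of popular gems is constructed (only atlas_client is taken from the study) and the gem names beyond it are assumed for illustration.

```ruby
# Added example, not ReversingLabs' or RubyGems' own code: two checks a
# defender can run over a gem before installing it, covering the two
# techniques the study describes, look-alike names and a PE hidden in a .png.

# Constructed allow-list of popular gems. atlas_client is the legitimate
# name given in the study; the other entries are assumed for illustration.
POPULAR_GEMS = %w[atlas_client appium_lib action_mailer_cache_delivery rails nokogiri].freeze

# Canonical form: case-insensitive, hyphen and underscore treated as equal,
# so atlas-client and atlas_client collide.
def canonical(name)
  name.downcase.tr('-', '_')
end

# Plain Levenshtein distance (insert, delete, substitute) to catch one-letter typos.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Returns the popular gem a candidate name imitates, or nil when the name is
# either a known gem itself or not close to any of them.
def typosquat_target(name, popular = POPULAR_GEMS)
  return nil if popular.include?(name)
  c = canonical(name)
  popular.find do |p|
    pc = canonical(p)
    pc == c || edit_distance(pc, c) <= 1
  end
end

# True when a file whose extension claims an image starts with the DOS/PE
# "MZ" magic, as the study's aaa.png payload did.
IMAGE_EXTENSIONS = %w[.png .jpg .jpeg .gif].freeze

def masquerading_pe?(filename, bytes)
  IMAGE_EXTENSIONS.include?(File.extname(filename).downcase) && bytes.b.start_with?('MZ')
end

if __FILE__ == $PROGRAM_NAME
  puts typosquat_target('atlas-client')            # atlas_client
  puts masquerading_pe?('aaa.png', "MZ\x90\x00")   # true
end
```

In a real pipeline the allow-list would be the project's own lockfile plus the top gems by download count, and the byte check would be run over every file in the unpacked .gem archive.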
If you want to know more about the study, you can consult the details at the following link.