
Bitcoin Stealers Hide in 700+ Ruby Developer Libraries
2020-04-20 16:23

A legitimate file may be called "Thisisafile.exe," while a malicious impersonator may call itself "This1safile.exe." Unobservant users could thus download the malicious file by mistake.

If developers accidentally downloaded the rogue files instead of the legitimate gems they were looking for, the software packages they built using the libraries would automatically harbor the Bitcoin-stealer, endangering all users of that software.

Upon further inspection of the suspicious files, the research team found a large number of portable executable (PE) files, all carrying the file name "Aaa.png." These PE files, masquerading as image files, were also located on the same path in every analyzed suspicious gem: "/ext/trellislike/unflaming/waffling/".
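A content-versus-extension check is a cheap way to catch this kind of masquerade in an unpacked gem. The Ruby below is an added example, not code from the article or from the researchers; it assumes the gem has been unpacked on disk (e.g. with `gem unpack`) and builds its own constructed sample tree, with a fake "MZ" header standing in for a real PE, to show the flagging logic.

```ruby
require "tmpdir"
require "fileutils"
require "find"

# Magic bytes: a PE file starts with the DOS "MZ" header, a PNG with its
# 8-byte signature. Files with an image extension but the wrong header
# are reported.
PE_MAGIC   = "MZ".b
PNG_MAGIC  = "\x89PNG\r\n\x1a\n".b
IMAGE_EXTS = %w[.png .jpg .jpeg .gif].freeze

# Walks an unpacked gem directory and returns sorted [relative_path, reason]
# pairs for files whose content contradicts their extension.
def find_masquerading_files(root)
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path)
    ext = File.extname(path).downcase
    next unless IMAGE_EXTS.include?(ext)
    head = File.binread(path, 8) || "".b   # nil on an empty file
    rel  = path.sub(%r{\A#{Regexp.escape(root)}/?}, "")
    if head.start_with?(PE_MAGIC)
      findings << [rel, "PE executable with image extension"]
    elsif ext == ".png" && !head.start_with?(PNG_MAGIC)
      findings << [rel, "png extension but not a PNG header"]
    end
  end
  findings.sort
end

# Constructed sample gem tree mimicking the layout described in the article.
# The "PE" here is only the DOS magic plus padding, not a real binary.
def build_sample_gem(root)
  ext_dir = File.join(root, "ext", "trellislike", "unflaming", "waffling")
  FileUtils.mkdir_p(ext_dir)
  FileUtils.mkdir_p(File.join(root, "lib"))
  File.binwrite(File.join(ext_dir, "Aaa.png"), PE_MAGIC + ("\x00" * 62).b)
  File.binwrite(File.join(root, "lib", "logo.png"), PNG_MAGIC + ("\x00" * 8).b)
  File.write(File.join(root, "lib", "foo.rb"), "module Foo; end\n")
  root
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    find_masquerading_files(build_sample_gem(dir)).each { |f, why| puts "#{f}: #{why}" }
  end
end
```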

"Extensions are used to wrap separate libraries written in C with a Ruby wrapper. By convention, if extensions are used, everything related to them is placed into the ext directory along with the extconf.rb file," explained Maljic.

The extracted Ruby script contains Base64-encoded VBScript that is decoded and saved to the "Oh.vbs" file.

News URL

https://threatpost.com/bitcoin-stealers-700-ruby-developer-libraries/154937/
