Attackers are leveraging the typosquatting technique, in which intentionally misspelled versions of legitimate packages are uploaded to RubyGems in the hope that unsuspecting developers who mistype a name will unintentionally install the malicious library.
RubyGems is the package manager for the Ruby programming language; it offers a standard format for distributing programs and libraries, makes the installation of gems easy to manage, and provides a server for distributing them.
Researchers at ReversingLabs discovered over 700 malicious gems that supply-chain attackers were caught distributing through the RubyGems repository; most of them were designed to steal funds covertly by redirecting cryptocurrency transactions to a wallet address under the attacker's control.
How Did the Researchers Discover the Typosquatted RubyGems Libraries?
The ReversingLabs researchers used a list of popular gems as a baseline for their investigation and monitored gems newly published to the repository, flagging any library whose name resembled one on the baseline list.
As a form of brandjacking attack, typosquatting typically relies on mistyped web addresses or library names that mimic popular packages in software registries. According to the researchers, several packages, such as "atlas-client" posing as the "atlas_client" gem, contained a portable executable (PE) masquerading as a harmless image file ("aaa.png").
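The monitoring approach described above (a baseline of popular names, compared against newly published gems) can be reproduced as a small screening script. The following is an added example, not ReversingLabs' tooling; the baseline and the "new gem" names are constructed for illustration, and it flags both separator swaps like "atlas-client" vs "atlas_client" and single-character edits.

```python
import re

# Constructed baseline of popular gem names (not the researchers' actual list).
BASELINE = ["atlas_client", "rails", "nokogiri", "rest-client"]

# Constructed sample of newly published gem names to screen.
NEW_GEMS = ["atlas-client", "nokogirl", "rails", "devise", "restclient"]


def normalize(name):
    """Lower-case and drop '-', '_' and '.' so separator swaps compare equal."""
    return re.sub(r"[-_.]", "", name.lower())


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_typosquats(new_gems, baseline, max_distance=1):
    """Return (suspect, lookalike, reason) for every new gem resembling a baseline gem.

    A name identical to a baseline entry is skipped: that is the legitimate
    package itself, not a lookalike. Each suspect is reported once, against the
    first baseline entry it resembles.
    """
    findings = []
    base_set = set(baseline)
    for gem in new_gems:
        if gem in base_set:
            continue
        for legit in baseline:
            if normalize(gem) == normalize(legit):
                findings.append((gem, legit, "separator-swap"))
                break
            if levenshtein(normalize(gem), normalize(legit)) <= max_distance:
                findings.append((gem, legit, "edit-distance"))
                break
    return findings


if __name__ == "__main__":
    for suspect, legit, reason in flag_typosquats(NEW_GEMS, BASELINE):
        print(f"FLAG {suspect!r} resembles {legit!r} ({reason})")
```

Names that survive this screen still need a human or behavioural review (for example, inspecting bundled binaries such as the renamed "aaa.png"), since a lookalike name alone is not proof of malice.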
On installation, the image file is renamed from 'aaa.png' to 'a.exe' and executed; it carries a Base64-encoded VBScript that lets the malware gain persistent root access to the infected system and run every time it is rebooted or started.
The VBScript not only captures the victim's clipboard content continuously but also replaces the address with an attacker-controlled alternative whenever it finds that the clipboard data matches the format of a cryptocurrency wallet address.
Why Should Developers Beware of the Rise in Typosquatting?
This type of attack, known as typosquatting, isn't new: popular repository platforms including the Python Package Index (PyPI) and the Node.js package manager (npm), which is owned by GitHub, have all served as vectors for typosquatted malware distribution in the past.
During the submission of software packages there is often a lack of scrutiny in the review and approval process, and that has been a boon of sorts to malware authors publishing Trojanized libraries that mimic existing packages.
Therefore, developers are advised to always check that they have used the correct package names, so that they don't unintentionally download malware libraries into their projects or use the typosquatted versions.