Sixty malicious Ruby gems containing credential-stealing code, aimed at developer accounts, have been downloaded more than 275,000 times since March 2023.
The malicious gems were discovered by Socket, which reports that they mainly targeted South Korean users of automation tools for Instagram, TikTok, Twitter/X, Telegram, Naver, WordPress, and Kakao.
RubyGems is the official package manager for the Ruby programming language, enabling the distribution, installation, and management of Ruby libraries, known as gems, much like npm for JavaScript or PyPI for Python.
In this campaign, malicious gems were published on rubygems.org under various aliases over several years. The offending publishers are zones, novon, quonsoonje, and desert, which spreads the activity across many accounts and makes it harder to trace and block.
A complete list of the malicious packages can be found in the Socket report, but some notable cases of misleadingly named or typosquatted packages are:
- WordPress-style automater: wp_posting_duo, wp_posting_zon
- Telegram-style bots: tg_send_duo, tg_send_zon
- SEO/Backlink Tools: Backlink_zone, Back_duo
- Blog platforms mimics: nblog_duo, nblog_zon, tblog_duopack, tblog_zon
- Naver Cafe interaction tools: Cafe_Basics (_duo), cafe_buy (_duo), cafe_bey, *_blog_comment, *_cafe_comment
All 60 gems highlighted in the Socket report present a working graphical user interface (GUI) along with the advertised functionality.
In practice, however, they act as phishing tools, exfiltrating the credentials users enter to hardcoded command-and-control (C2) addresses (programzon[.]com, appspace[.]kr, marketingduo[.]co[.]kr).

Source: Socket
The stolen data includes usernames and passwords, device fingerprinting data, and package names used to track the campaign's distribution.
In some cases, the tools respond with a fake success or failure message, even though no real login or API call is ever made to the actual service.
Socket also found credential logs on dark web markets that appear to have been obtained from these gems, and linked them to a suspected marketing-tool site run by the attacker, based on its interaction with marketingduo[.]co[.]kr.

Source: Socket
Researchers say that at least 16 of the 60 malicious Ruby gems are still available, although they reported all of them to the RubyGems team upon discovery.
Supply chain attacks on RubyGems are not unprecedented and have been going on for many years.
In June, Socket reported another case of malicious Ruby gems that typosquatted Fastlane, a legitimate open-source plugin that serves as an automation tool for mobile app developers, and that targeted Telegram bot developers in particular.
Developers should check the libraries they source from open-source repositories for signs of suspicious code, consider the publisher's reputation and release history, and pin dependencies to versions known to be safe.
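As an added example of the checks recommended above (this is editorial code, not Socket's or BleepingComputer's, and not from any of the gems described), the Ruby script below does two things a defender can automate: it parses a Bundler Gemfile.lock and flags any locked gem whose name appears on a blocklist built from the package names in this report, and it scans gem source text for the three hardcoded C2 hosts named above, stored defanged. The blocklist is a subset of the report's names and assumes they match exactly as listed; the lockfile and gem source are constructed samples embedded inline.

```ruby
# Added example: audit a Gemfile.lock against reported gem names and scan
# gem source for the C2 hosts named in the report. Not code from Socket,
# BleepingComputer, or any gem discussed on the page.
require 'set'

# Subset of gem names from the report (assumption: exact, case-sensitive names).
BLOCKLISTED_GEMS = Set.new(%w[
  wp_posting_duo wp_posting_zon tg_send_duo tg_send_zon
  nblog_duo nblog_zon tblog_duopack tblog_zon
]).freeze

# C2 hosts from the report, kept defanged; refanged only at match time.
C2_HOSTS_DEFANGED = %w[programzon[.]com appspace[.]kr marketingduo[.]co[.]kr].freeze

def refang(host)
  host.gsub('[.]', '.')
end

# Parse the "specs:" section of a Gemfile.lock into {name => version}.
# Top-level spec entries are indented by exactly four spaces; lines indented
# further are that gem's own dependency constraints and are skipped.
def parse_lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    # A blank or unindented line ends the specs section.
    in_specs = false if line.empty? || line !~ /\A\s/
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Return the sorted names of locked gems that appear on the blocklist.
def flagged_gems(specs)
  specs.keys.select { |name| BLOCKLISTED_GEMS.include?(name) }.sort
end

# Scan source text for each reported C2 host; map defanged host => first line number.
def find_c2_hosts(source_text)
  hits = {}
  source_text.each_line.with_index(1) do |line, lineno|
    C2_HOSTS_DEFANGED.each do |defanged|
      next if hits.key?(defanged)
      hits[defanged] = lineno if line.include?(refang(defanged))
    end
  end
  hits
end

def audit(lock_text, source_text)
  {
    blocklisted: flagged_gems(parse_lockfile_specs(lock_text)),
    c2_hosts: find_c2_hosts(source_text)
  }
end

# Constructed sample lockfile (hypothetical project; nokogiri/racc are only filler).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0)
        racc (~> 1.4)
      racc (1.7.3)
      tg_send_zon (1.0.0)
      wp_posting_duo (0.1.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    tg_send_zon
    wp_posting_duo
LOCK

# Constructed sample of gem source text; only the hardcoded endpoints matter here.
SAMPLE_GEM_SOURCE = <<~'SRC'
  # constructed stand-in for a gem's login handler; not code from any real gem
  LOGIN_ENDPOINT = "https://programzon.com/api/login"
  FALLBACK_ENDPOINT = "https://marketingduo.co.kr/api/login"
SRC

if __FILE__ == $PROGRAM_NAME
  report = audit(SAMPLE_LOCKFILE, SAMPLE_GEM_SOURCE)
  puts "Blocklisted gems in lockfile: #{report[:blocklisted].join(', ')}"
  report[:c2_hosts].each { |host, ln| puts "Hardcoded C2 host #{host} at line #{ln}" }
end
```

Run against a real project by replacing the constructed samples with `File.read('Gemfile.lock')` and the contents of each installed gem's source files (for example under `bundle show --paths`). Name matching on its own is weak evidence, since the report lists only a subset of the campaign's names and a publisher can simply rename; treating an unfamiliar gem with a hardcoded login endpoint as suspect, and pinning to reviewed versions in the lockfile, is the more durable check.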