Pierluigi Paganini August 20, 2019

Maintainers of the RubyGems package repository have removed 18 malicious versions of 11 Ruby libraries that contained a backdoor.

Maintainers of the RubyGems package repository have discovered a backdoor mechanism in 18 malicious versions of 11 Ruby libraries.

The backdoor was used by attackers to inject mining code in Ruby projects using the malicious versions of the libraries.

One of the most popular Ruby libraries, the rest-client, was found containing the malicious code yesterday.

The malicious code was included in four versions of rest-client.

“It seems that rest-client 1.6.13 is uploaded to rubygems.org. I did review between 1.6.9 and 1.6.13 and it seems that latest version evaluate remote code from pastebin.com and sends information to mironanoru[.]zzz.com [.]ua ” reported a user on GitHub.

The Ruby developer Jan Dintel, who analyzed the code, discovered it would collect and send the environment variables of a compromised system (i.e. credentials of services used by the compromised system such as use database, payment service provider) to a remote server in Ukraine.

“Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider,” Dintel wrote. “Attacker needed to send a signed (using the attacker’s own key) cookie with the Ruby code to run.It overloaded the #authenticate method on the Identity class. Every time the method gets called it will send the email/password to the attacker.”

The backdoor mechanism could be triggered by the attacker by sending a signed cookie, then the code will send captured credentials back to the attackers. The backdoor also allow the attacker to execute arbitrary commands on the compromised system.

RubyGems maintainers discovered that the backdoor mechanism was used by threat actors to insert cryto-mining code in the projects using the malicious versions of the libraries. At least another 10 projects were found containing the malicious code.

The attacker is believed to be active for more than a month without being detected until the account of rest-client developer Matthew Manning was compromised to push four malicious versions of rest-client on RubyGems.

The total number of malicious versions of the libraries was 18 and were downloaded 3,584 before being removed from RubyGems.

Projects that rely on the backdoored libraries have to remove dependencies from malicious libraries and use new secure ones.

Earlier in July, the developer Tute Costa found a similar backdoor in the Ruby strong_password library during regular security audits. The dangerous code was used to check the password strength of user-chosen passwords when the library was being used in a production environment.

In production, the code would download a payload from Pastebin.com and execute it to create the actual backdoor in the application that used the strong_password library.

Pierluigi Paganini

(SecurityAffairs – LibreOffice, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]