Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Ruby Security The Almighty Buck

RubyGems Catches Two Packages Trying to Steal Cryptocurrency with Clipboard Hijacking (bleepingcomputer.com) 14

One day after they were uploaded, RubyGems discovered and removed two malicious packages that had been designed to steal cryptocurrency from unsuspecting users by installing a clipboard hijacker, reports Bleeping Computer, citing research by open-source security firm Sonatype.

Fortunately, while the packages were downloaded a total of 142 times, "At this time, none of the cryptocurrency addresses have received any funds." These packages were masquerading as a bitcoin library and a library for displaying strings with different color effects. A clipboard hijacker monitored the Windows clipboard for cryptocurrency addresses, and if one is detected, replaces it with an address under the attacker's control. Unless a user double-checks the address after they paste it, the sent coins will go to the attacker's cryptocurrency address instead of the intended recipient...

The base64 encoded string is a VBS file that is executed to create another malicious VBS file and configure it to start automatically when a user logs into Windows. This VBS script is the clipboard hijacker and is stored at C:\ProgramData\Microsoft Essentials\Software Essentials.vbs to impersonate the old Microsoft Security Essentials security software. The clipboard hijacking script monitors the Windows clipboard every second and check if it contains a Bitcoin address, an Ethereum address, or a raw Monero address.

This discussion has been archived. No new comments can be posted.

RubyGems Catches Two Packages Trying to Steal Cryptocurrency with Clipboard Hijacking

Comments Filter:
  • People use ruby in Windows?

    • Re:Wait... (Score:4, Insightful)

      by NateFromMich ( 6359610 ) on Saturday December 19, 2020 @08:54PM (#60849894)
      People use ruby?
    • Re:Wait... (Score:4, Informative)

      by Aighearach ( 97333 ) on Saturday December 19, 2020 @09:02PM (#60849900)

      It is shocking how quick and easy Ruby on windows can download C code from RubyGems and compile it, even though it was all written and tested on *nix.

      Even code I wrote in 2004, in C, targeting an old version of the Ruby C API, it still compiles just fine, since I didn't use any weird stuff that would change.

      The Gtk GUI that I wrote in 2010 on Linux worked fine on Windows, no porting was needed. Just install the Windows Gtk package, and it works as expected. And it still works today, with an updated Ruby.

      So while it is true that the vast majority of Ruby code is written on *nix workstations and run on *nix servers, it is also true that it all works smoothly on Windows without porting. Sometimes it gets used for portable clients.

  • Who in their right mind would put a private key in a clipboard?

    It should check the URL for common crypto sites and copy logins, not pubkeys.

    • Its not a private key. Its a public address for payments...
      • by nyet ( 19118 )

        Exactly. You can't steal anything with just a pubkey.

        • Re read the article. They are replacing the deposit address with their own address So the sender send to to the wrong person. It is redirecting payments, not withdrawing directly from their account.
    • by gweihir ( 88907 )

      Who in their right mind puts a cryptocurrency valet on a machine they do other stuff on? Well, who in their right mind busy cryptocurrency, so that answers my first question nicely. Whether they lose it to theft or the next "dump" cycle is really immaterial. I vote for leaving these two packages active.

  • This is yet another reason to use only one exclusively dedicated device for crypto management.
    Hardware is trivially cheap so no reason exists to use Windows for crypto. I don't use it for shopping or banking either. Windows is for the very minimum of necessary applications requiring it.

    • by gweihir ( 88907 )

      Will you morons learn that this is "cryptocurrency" and that "crypto" is already an abbreviation for cryptography? "Using crypto" means things like running PGP or using openssl.

  • What a coincidence, these stories popping up right in the middle of the SolarWinds hack [indianexpress.com]

After all is said and done, a hell of a lot more is said than done.

Working...