RubyGems Catches Two Packages Trying to Steal Cryptocurrency with Clipboard Hijacking (bleepingcomputer.com)
One day after they were uploaded, RubyGems discovered and removed two malicious packages that had been designed to steal cryptocurrency from unsuspecting users by installing a clipboard hijacker, reports Bleeping Computer, citing research by open-source security firm Sonatype.
Fortunately, while the packages were downloaded a total of 142 times, "At this time, none of the cryptocurrency addresses have received any funds." These packages were masquerading as a bitcoin library and a library for displaying strings with different color effects. A clipboard hijacker monitors the Windows clipboard for cryptocurrency addresses, and if one is detected, replaces it with an address under the attacker's control. Unless a user double-checks the address after they paste it, the sent coins will go to the attacker's cryptocurrency address instead of the intended recipient...
The base64 encoded string is a VBS file that is executed to create another malicious VBS file and configure it to start automatically when a user logs into Windows. This VBS script is the clipboard hijacker and is stored at C:\ProgramData\Microsoft Essentials\Software Essentials.vbs to impersonate the old Microsoft Security Essentials security software. The clipboard hijacking script monitors the Windows clipboard every second and checks whether it contains a Bitcoin address, an Ethereum address, or a raw Monero address.
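The defensive counterpart to the behaviour described above is automating the "double-check the address after you paste it" step. The following Ruby is an added example (not code from the article, Sonatype or the removed gems): it classifies text as a Bitcoin, Ethereum or raw Monero address by format and flags a copy/paste pair in which the address kind is unchanged but the value differs, the signature of a clipboard swap. Sample addresses are constructed, and the patterns are length/prefix/alphabet heuristics, not checksum validation.

```ruby
# Added example, not from the article or the malicious gems.
# Format heuristics only: prefix, length and alphabet, no checksum validation.
BASE58 = "[1-9A-HJ-NP-Za-km-z]" # Bitcoin/Monero alphabet (no 0, O, I, l)

ADDRESS_PATTERNS = {
  # Legacy/P2SH (1... or 3...) or bech32 (bc1...) Bitcoin addresses
  bitcoin:  /\A(?:[13]#{BASE58}{25,34}|bc1[02-9ac-hj-np-z]{11,71})\z/,
  # Ethereum: 0x followed by 20 hex bytes
  ethereum: /\A0x[0-9a-fA-F]{40}\z/,
  # Raw Monero address: 95 base58 chars starting with 4 or 8
  monero:   /\A[48]#{BASE58}{94}\z/
}.freeze

# Returns :bitcoin, :ethereum, :monero, or nil when the text is not an address.
def address_kind(text)
  s = text.to_s.strip
  ADDRESS_PATTERNS.each { |kind, re| return kind if s.match?(re) }
  nil
end

# Compare what the user copied with what actually came out of the clipboard.
# :swapped is true when both are addresses of the same kind but differ, which
# is how a clipboard hijacker presents: the address type the user expects, but
# not the address the user chose. The kinds are returned so a caller can also
# report a type change (e.g. Bitcoin copied, Ethereum pasted) separately.
def clipboard_swap_check(copied, pasted)
  from = address_kind(copied)
  to   = address_kind(pasted)
  swapped = !from.nil? && from == to && copied.strip != pasted.strip
  { copied_kind: from, pasted_kind: to, swapped: swapped }
end

# Constructed sample copy/paste history: [what was copied, what was pasted].
SAMPLE_EVENTS = [
  ["1BtcTestAddrNotRea1Xyz98765432abc", "1BtcTestAddrNotRea1Xyz98765432abc"], # intact
  ["0x" + "ab" * 20, "0x" + "cd" * 20],                                       # swapped
  ["hello world", "hello world"]                                              # not an address
].freeze

# Number of copy/paste pairs in which an address was silently replaced.
def count_swaps(events)
  events.count { |copied, pasted| clipboard_swap_check(copied, pasted)[:swapped] }
end

puts "swapped pairs: #{count_swaps(SAMPLE_EVENTS)}" if $PROGRAM_NAME == __FILE__
```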
Wait... (Score:2)
People use ruby in Windows?
Re:Wait... (Score:4, Informative)
It is shocking how quickly and easily Ruby on Windows can download C code from RubyGems and compile it, even though it was all written and tested on *nix.
Even code I wrote in 2004, in C, targeting an old version of the Ruby C API, still compiles just fine, since I didn't use any weird stuff that would change.
The Gtk GUI that I wrote in 2010 on Linux worked fine on Windows, no porting was needed. Just install the Windows Gtk package, and it works as expected. And it still works today, with an updated Ruby.
So while it is true that the vast majority of Ruby code is written on *nix workstations and run on *nix servers, it is also true that it all works smoothly on Windows without porting. Sometimes it gets used for portable clients.
So it can steal pubkeys? (Score:2)
Who in their right mind would put a private key in a clipboard?
It should check the URL for common crypto sites and copy logins, not pubkeys.
Re: (Score:2)
Exactly. You can't steal anything with just a pubkey.
Re: (Score:2)
Ah thanks.
Re: (Score:2)
Who in their right mind puts a cryptocurrency wallet on a machine they do other stuff on? Well, who in their right mind buys cryptocurrency, so that answers my first question nicely. Whether they lose it to theft or the next "dump" cycle is really immaterial. I vote for leaving these two packages active.
Yet another Windows exploit. (Score:1)
This is yet another reason to use only one exclusively dedicated device for crypto management.
Hardware is trivially cheap so no reason exists to use Windows for crypto. I don't use it for shopping or banking either. Windows is for the very minimum of necessary applications requiring it.
Re: (Score:2)
Will you morons learn that this is "cryptocurrency" and that "crypto" is already an abbreviation for cryptography? "Using crypto" means things like running PGP or using openssl.
Let's keep distracting from MICROS~1 (Score:1)