ReversingLabs has announced that its latest research uncovered typosquatted packages uploaded to RubyGems in February. Uploading intentionally misspelled packages in the hope that developers install the malicious library instead of the legitimate one is the most common typosquatting technique. Most of these gems aim to redirect cryptocurrency transactions in order to steal funds. ReversingLabs detected over 760 malicious Ruby packages using its repository monitoring logic.
The Titanium Platform extracts files from TAR archives and produces metadata that is the key input for further analysis. During the first week of monitoring, it flagged over 400 gems as interesting. While processing them, the Titanium Platform unpacked 20,830 files, of which 12,720 were unique. A file carrying a PNG extension is what raises the alarm here; one can assume the extension was used to disguise an executable as an image file.
After a closer look, the researchers noticed that every “aaa.png” file was an executable located at the same path in every gem. Looking at the RubyGems repository, they discovered that all of those gems originated from two user accounts, “JimCarrey” and “PeterGibbons”, which uploaded 700 such gems to RubyGems between February 16th and 25th, 2020.
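A minimal version of the extension-versus-content check described above, as an added example (not ReversingLabs' or the Titanium Platform's code): it opens a .gem's outer tar and its inner data.tar.gz, and flags any file with an image extension whose leading bytes are an executable header. The sample gem, including the MZ-headed aaa.png, is constructed inline.

```python
import io
import tarfile

# Added example (not ReversingLabs code): flag files in a .gem whose extension says "image" but whose bytes say "executable".
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF",
                    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit", b"#!": "shebang script"}

def classify(header):
    """Return the executable format implied by the first bytes, or None."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None

def scan_gem(gem_bytes):
    """A .gem is a plain tar holding data.tar.gz (the packaged files) plus
    metadata.gz and checksums.yaml.gz. Report (path, format) for every
    regular file in data.tar.gz with an image extension but executable magic."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(gem_bytes), mode="r:") as outer:
        data = outer.extractfile("data.tar.gz").read()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as inner:
        for member in inner.getmembers():
            if not member.isfile() or not member.name.lower().endswith(IMAGE_SUFFIXES):
                continue
            kind = classify(inner.extractfile(member).read(8))
            if kind:
                findings.append((member.name, kind))
    return findings

def _tar_bytes(files, mode):
    """Pack {path: content} into a tar ("w:" plain, "w:gz" gzipped)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_gem():
    """Constructed sample gem: one genuine PNG and one PE disguised as aaa.png."""
    inner = _tar_bytes({
        "lib/example.rb": b"puts 'hello'\n",
        "assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # real PNG signature
        "ext/aaa.png": b"MZ\x90\x00" + b"\x00" * 60,             # PE header, not an image
    }, "w:gz")
    return _tar_bytes({"metadata.gz": b"", "checksums.yaml.gz": b"", "data.tar.gz": inner}, "w:")
```

Running `scan_gem(build_sample_gem())` reports only `ext/aaa.png` as a Windows PE; the genuine logo.png passes.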