760+ malicious packages found typosquatting on RubyGems

Researchers have discovered over 760 malicious Ruby packages (aka “gems”) typosquatting on RubyGems, the Ruby community’s gem repository / hosting service.

typosquatting RubyGems

The discovery

ReversingLabs analysts wanted to see how widespread the practice of package typosquatting is within RubyGems.

The practice refers to the intentional use of package names very similar to those of popular packages (e.g., atlas-client instead of atlas_client), with the ostensible intention of tricking users into executing them and, therefore, unknowingly running malicious code.

“We crafted a list of the most popular gems to use as a baseline. On a weekly basis, we collected gems that were newly pushed to the RubyGems repository. If we detected a new gem with a similar name to any of the baseline list gems, we flagged it as interesting for analysis,” threat analyst Tomislav Maljić explained.

After analyzing them, they found that all contained an executable file with the same filename and the PNG extension, which they assume was used to masquerade the executable as an image file. The file was also located on the same path in every gem.

The packages also contained a gemspec file – a type of file that contains basic metadata about the gem but can also include information about extensions – which runs an extension that checks the target platform and if it’s Windows, it renames the PNG file into an EXE file and executes it.


A Ruby script is then run that creates an additional script, which in its turn:

  • Sreates an autorun registry key to assure persistence
  • Captures the user’s clipboard data in an infinite loop
  • Checks whether the data matches the format of a cryptocurrency wallet address and, if it does, replaces it with the address with an attacker-controlled one.

Its goal is to redirect all potential cryptocurrency transactions to the attacker’s wallet.

Repeated attacks

All the malicious gems were published by two accounts, which the researchers believe were created by the same threat actor. In fact, they believe that the same threat actor mounted at least two previous malicious campaigns against the RubyGems repository.

“The same file path ‘/ext/trellislike/unflaming/waffling/’ was used in all the attacks. Likewise, the malicious intent was related to cryptomining in all cases,” Maljić explained their reasoning.

ReversingLabs provided a list of the affected packages, which have since been removed from RubyGems. The two accounts created by the threat actor have been suspended.

This is not the first time threat actors tried to plant malicious packages in software repositories for popular programming languages. ReversingLabs previously flagged a batch of malicious Python libraries hosted on Python Package Index (PyPI), and developer Jussi Koljonen found that several older versions of popular Ruby packages on RubyGems were trojanized to steal information and mine cryptocurrency.

Kwampirs threat actor continues to breach transnational healthcare orgs

The Kwampirs (aka Orangeworm) attack group continues to target global healthcare entities in this time of crisis, the FBI has warned.


“Targeted entities range from major transnational healthcare companies to local hospital organizations,” the Bureau noted.

“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.”


This is the third FBI private industry notification since the beginning of the year about the group’s activities and the modular Kwampirs RAT it uses.

According to the alert:

  • The attack group first establishes a broad and persistent presence on the targeted network and then delivers and executes the Kwampir RAT and other malicious payloads
  • Kwampirs actors have successfully gained and sustained persistent presence on victim networks for a time period ranging from three to 36 months
  • The Kwampir RAT is modular and, depending on the target, different modules are dropped. But it seems that the threat actors main goal is cyber espionage
  • Significant intrusion vectors include: lateral movement between company networks during mergers and acquisitions; malware being passed between entities through shared resources and internet facing resources during the software co-development process; and software supply chain vendors installing infected devices on the customer/corporate LAN or customer/corporate cloud infrastructure.

“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI added.

While the Kwampirs/Orangeworm threat actors is considered to be an APT (Advanced Persistent Threat), it is currently unknown whether they are state-backed.

What is known is that they don’t go after PII, payment card data, and are not interested in destroying or encrypting data for ransom – though, according to the FBI, several code-based similarities exist between the Kwampirs RAT and the Shamoon/Disstrack wiper malware.

The group also doesn’t limit their targeting to healthcare and software supply chain organizations. To a lesser extent, they go after companies in the energy and engineering industry as well as financial institutions and prominent law firms, across the United States, Europe, Asia, and the Middle East.

Defense and post-infection remediation

The notice delivers best practices for network security and defense to be incorporated before infection, recommended post-infection actions and identifies residual Kwampirs RAT host artifacts that can help companies to determine if they were a victim.

Indicators of compromise and YARA rules to identify Kwampirs malware have been provided in separate documents.

SANS ISC handler (and Dean of Research at the SANS Technology Institute Twitter) Johannes Ullrich notes that Kwampirs will likely enter an organization’s network undetected as part of a software update from a trusted vendor.

“Anti-malware solutions will detect past versions. But do not put too much trust in anti-malware to detect the next version that is likely tailored to your organization,” he added, and offered helpful advice for writing abstracted detection signatures that might come in handy.

While not recently updated, the MITRE ATT&CK entry for the Kwampirs malware may also be helpful. For more technical details about the malware, you might want to check out ReversingLabs’s recent analysis.

New capabilities for ReversingLabs Splunk app automate triage, incident response, and hunting tasks

ReversingLabs, the leading provider of destructive object insights delivering SOC decision support, automation and threat analytics solutions for triage, incident response and hunting teams announced enhancements to its application for Splunk Enterprise. ReversingLabs integrated Titanium Platform enriches Splunk data with next-generation malware analysis and local threat intelligence for real-time correlation and threat detection results. New capabilities for ReversingLabs Splunk application further automate triage, incident response, and hunting tasks for security operations analysts, architects and threat … More

The post New capabilities for ReversingLabs Splunk app automate triage, incident response, and hunting tasks appeared first on Help Net Security.