Backdoor code found in 11 Ruby libraries

RubyGems staff have removed 18 malicious Ruby library versions that have been downloaded 3,584 times since July 8.
Written by Catalin Cimpanu, Contributor

Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects.

The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library.

According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine.

"Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider," Dintel said.

The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project, and allow the attacker to execute malicious commands.

A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects:

rest-client: 1.6.10 (downloaded 176 times since August 13, 2019), 1.6.11 (downloaded 2 times since August 14, 2019), 1.6.12 (downloaded 3 times since August 14, 2019), and 1.6.13 (downloaded 1,061 times since August 14, 2019)
bitcoin_vanity: 4.3.3 (downloaded 8 times since May 12, 2019 )
lita_coin: 0.0.3 (downloaded 210 times since July 17, 2019)
coming-soon: 0.2.8 (downloaded 211 times since July 17, 2019)
omniauth_amazon: 1.0.1 (downloaded 193 times since July 26, 2019)
cron_parser: 0.1.4 (downloaded 2 times since July 8, 2019), 1.0.12 (downloaded 3 times since July 8, 2019), and 1.0.13 (downloaded 248 times since July 8, 2019)
coin_base: 4.2.1 (downloaded 206 times since July 9, 2019) and 4.2.2 (downloaded 218 times since July 16, 2019)
blockchain_wallet: 0.0.6 (downloaded 201 times since July 10, 2019) and 0.0.7 (downloaded 222 times since July 16, 2019)
awesome-bot: 1.18.0 (downloaded 232 times since July 15, 2019)
doge-coin: 1.0.2 (downloaded 213 times since July 17, 2019)
capistrano-colors: 0.5.5 (downloaded 175 times since August 1, 2019)

All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name.

The individual behind this scheme was active for more than a month, and their actions were not detected.

Things changed when the hacker managed to gain access to the RubyGems account of one of the rest-client developers, which he used to push four malicious versions of rest-client on RubyGems.

However, by targeting such a high-profile project that has over 113 million total downloads on RubyGems, the hacker also brought a lot of light to their operation, which was taken down within a few hours after users first spotted the malicious code in the rest-client library.

All in all, all the 18 malicious library versions only managed to amass 3,584 downloads before being removed from RubyGems.

Projects that rely on these libraries in their dependency tree are advised to remove or upgrade/downgrade to a safe version.

Also of note is that the cookie-accepting & eval-running backdoor mechanism is eerily similar to a similar one previously discovered in two other projects, namely Bootstrap-Sass in April 2019, and strong_password in July 2019. However, no connection has been yet made between these three attempts to backdoor Ruby libraries.

What's in a name? These DevOps tools come with strange backstories

More vulnerability reports:

Editorial standards