The two gems, pretty-color and ruby-bitcoin, contained Windows machine-targeting malware that was intended to replace any clipboard cryptocurrency wallet address with an attacker-supplied one. By replacing the addresses of the crypto-wallet, the malware helps the attackers hijack transactions and steal funds from the victim. When investigating the two jewels, Sonatype, a software development and security company, found that pretty-color had valid colourize files, a trustworthy open source portion, which made it more difficult to detect. “In fact, pretty-color is an identical replica of the package and has all its code, including a fully descriptive README,” says Sonatype. A file named version.rb was included in the gem that poses as version metadata but contains obfuscated code to run a malicious script on Windows computers. A reference to ReversingLabs threat researcher Tomislav Maljic, who previously detected more than 700 RubyGems typosquatting intended to mine on compromised machines for Bitcoin, was also included in the code. The ruby-bitcoin gem, explained by security researchers from Sonatype, only includes the malicious code from pretty color present in the version.rb file. On GitHub, under an unrelated account, a plain-text variant of the malicious script used in these gems was found, suggesting a possible link to WannaCry. There’s no hard evidence, however, linking the code to the operation of WannaCry. “Of all the activities a ransomware group can perform on a compromised system, replacing the Bitcoin wallet address on the clipboard feels more like an amateur threat actor’s trivial mischief than a sophisticated ransomware operation,” notes Sonatype.
