Backdoor code found in 11 Ruby libraries

Posted on Sep 8, 2019

Backdoor code found in 11 Ruby libraries

Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people’s Ruby projects. The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library. According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine.

The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project, and allow the attacker to execute malicious commands. A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects: All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name.

The individual behind this scheme was active for more than a month, and their actions were not detected.