One day after they were uploaded, RubyGems discovered and removed two malicious packages that had been designed to steal cryptocurrency from unsuspecting users by installing a clipboard hijacker, reports Bleeping Computer, citing research by open-source security firm Sonatype. Fortunately, while the packages were downloaded a total of 142 times, “At this time, none of the cryptocurrency addresses have received any funds.” These packages were masquerading as a bitcoin library and a library for displaying strings with different color effects. A clipboard hijacker monitored the Windows clipboard for cryptocurrency addresses, and if one is detected, replaces it with an address under the attacker’s control. Unless a user double-checks the address after they paste it, the sent coins will go to the attacker’s cryptocurrency address instead of the intended recipient… The base64 encoded string is a VBS file that is executed to create another malicious VBS file and configure it to start automatically when a user logs into Windows. This VBS script is the clipboard hijacker and is stored at C:\ProgramData\Microsoft Essentials\Software Essentials.vbs to impersonate the old Microsoft Security Essentials security software. The clipboard hijacking script monitors the Windows clipboard every second and check if it contains a Bitcoin address, an Ethereum address, or a raw Monero address.
Read more of this story at Slashdot.
Source:
https://news.slashdot.org/story/20/12/20/0019241/rubygems-catches-two-packages-trying-to-steal-cryptocurrency-with-clipboard-hijacking?utm_source=rss1.0mainlinkanon&utm_medium=feed