RubyGems and PyPI have both experienced attacks involving harmful packages that are designed to steal credentials and cryptocurrency
A recent investigation has revealed a new set of 60 malicious packages targeting the RubyGems ecosystem. These packages masquerade as harmless automation tools for social media, blogging, and messaging services, with the intent to steal user credentials and potentially resell them on dark web forums like Russian Market. The software supply chain security company Socket has assessed that this activity has been ongoing since at least March 2023, with the malicious gems collectively downloaded over 275,000 times. However, this figure may not accurately reflect the number of compromised systems, as not every download leads to execution, and multiple downloads could occur on a single machine. The threat actor, using aliases such as Zon, Nowon, Kwonsoonje, and Soonje, has published these gems, which include tools for platforms like Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver.
While these gems claim to provide functionalities like bulk posting and engagement, they also contain covert features designed to exfiltrate usernames and passwords to an external server controlled by the threat actor. Notably, some gems, such as Njongto_Duo and Jongmogtolon, target financial discussion platforms and are marketed as tools to manipulate public perception by flooding investment-related forums with synthetic engagement. The servers receiving the stolen information include Programzon.com, Appspace.kr, and Marketingduo.co.kr, which are associated with bulk messaging and automated social media tools. The victims of this campaign are likely grey-hat marketers who utilise such tools for spam and search engine optimisation (SEO) campaigns. Each gem functions as a Windows-targeting infostealer, primarily aimed at South Korean users, as indicated by the Korean-language user interfaces and exfiltration to .kr domains. This campaign demonstrates a mature and persistent operation, embedding credential theft functionality within seemingly legitimate gems.
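As an added defender-side example (not code from the report or from Socket), the Ruby scanner below walks locally installed gems and flags references to the exfiltration hosts and publisher aliases named above, plus a simple heuristic for credential keywords appearing next to outbound HTTP calls. The keyword and HTTP-library patterns are assumptions chosen for illustration, not indicators from the report.

```ruby
require 'rubygems'

# Exfiltration hosts named in the report.
KNOWN_EXFIL_HOSTS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze
# Publisher aliases named in the report.
KNOWN_ALIASES = %w[zon nowon kwonsoonje soonje].freeze

# Heuristic (assumed, not from the report): credential-looking names
# appearing in the same file as an outbound HTTP client call.
CRED_PATTERN = /\b(password|passwd|pwd|credential|login_id)\b/i
NET_PATTERN  = /\b(Net::HTTP|HTTParty|Faraday|open-uri|URI\.open|post_form)\b/

# Scan one file's source text; returns an array of finding strings (empty if clean).
def scan_source(path, source)
  findings = []
  lowered = source.downcase
  KNOWN_EXFIL_HOSTS.each do |host|
    findings << "#{path}: references known exfil host #{host}" if lowered.include?(host)
  end
  if source.match?(CRED_PATTERN) && source.match?(NET_PATTERN)
    findings << "#{path}: credential keywords combined with outbound HTTP calls"
  end
  findings
end

# True when any listed author matches one of the reported aliases.
def suspicious_author?(authors)
  Array(authors).any? { |a| KNOWN_ALIASES.include?(a.to_s.strip.downcase) }
end

# Walk every locally installed gem and collect findings per gem (offline, read-only).
def scan_installed_gems
  results = {}
  Gem::Specification.each do |spec|
    findings = []
    findings << "author alias matches report: #{spec.authors.inspect}" if suspicious_author?(spec.authors)
    Dir.glob(File.join(spec.full_gem_path, '**', '*.rb')).each do |file|
      # Read as bytes and scrub so odd encodings in third-party code do not abort the scan.
      text = File.binread(file).force_encoding('UTF-8').scrub
      findings.concat(scan_source(file, text))
    end
    results[spec.full_name] = findings unless findings.empty?
  end
  results
end
```

Call `scan_installed_gems` to review a machine; a hit on the heuristic alone is a prompt for manual review, not proof of compromise.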