Looks like they had a neat attack vector but their ultimate end goal didn’t have a wide enough net.
After stealing windows users clipboard contents: “the threat actor is trying to redirect all potential cryptocurrency transactions to their wallet address. At the time of writing this blog, seemingly no transactions were made for this wallet.”
The target was Ruby developers who use Windows and Bitcoin. I didn't get the sense that common libraries are infected - more that there are hundreds of libraries that are typosquatting. It would be interesting to find out if any of these libs ended up as dependencies.
Love the TacoBell.check_win.
The most successful attack was a change of an underbar (atlas_client) to a dash (atlas-client). Seems good to standardize these kind of non-alphanumeric characters in library names. Still, seems like open source web stores like this might need some level of human moderation?
> The script itself is rather simple. First, it creates a new VBScript Sle with the main malicious loop at the “%PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs” path. As its persistence mechanism, it then creates a new autorun registry key “HCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Software Essentials.” With this, the malware ensures that it is run every time the system is started or rebooted.
Good to see that the methods from 15 years ago are still valid.
These attacks will become more common. I'm advocating to add a dependency firewall to GitLab so that downloads of packages that show suspicious behaviour will be paused. I've added some of the vectors of this attack to the signals to watch for with https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_request...
I've published a couple gems that I'm pretty sure no one uses, and after a few months the downloads was in the hundreds, probably bots and mirrors. Most likely the figure only makes when seen relative to other gems.
Anybody who doesn't use a dev VM these days is asking for trouble. It's too easy for attackers to run malicious code on your machine with techniques like this.
That's part of the reason I feel uncomfortable with "modern" package systems like golang's. I really want to use golang more, but I just don't feel 'secure' about building a bunch of packages pulled off of github by URL.
Third-party package management is not a modern marvel by any means. You are unnecessarily singling out golang, and if you let that stop you from learning it's your loss. Just be smart. Dependency awareness is not black magic.
odd golang has a better security story than npm, rubygems, and python. it'll at least crypto ensures the dependency code hasnt been modified since you first retrieved it iirc.
the rest is up to you as a developer to ensure its safe.
Hmmm, that depends on the virtualisation solution being used.
If someone's using (say) VMware Workstation or Fusion, if they've loaded the VMware tools into the VM it can share the clipboard and be configured with access to the hosts filesystem (at defined points).
After stealing windows users clipboard contents: “the threat actor is trying to redirect all potential cryptocurrency transactions to their wallet address. At the time of writing this blog, seemingly no transactions were made for this wallet.”