
Cybersecurity researchers are warning of a new campaign called GemStuffer. The campaign spans over 150 gems published to the RubyGems repository and uses the registry as a data exfiltration channel rather than for malware distribution.
“The package does not appear to be designed to compromise large-scale developers,” Socket said. “Many have little or no download activity, and their payloads are repetitive, noisy, and unusually self-contained.”
“Instead, the script retrieves pages from UK local government democratic services portals, packages the collected responses into valid .gem archives, and publishes those gems to RubyGems using a hardcoded API key.”
The development comes after RubyGems temporarily disabled new account registrations following what was described as a large-scale malicious attack. It’s not clear whether the two activities are related, but the application security firm said GemStuffer falls into the “same pattern of exploitation” of using newly created packages with junk names to host scraped data.
Broadly speaking, the campaign exploits RubyGems as a place to stage scraped council content. This is done by fetching the hard-coded UK Parliament Portal URL, packaging the HTTP responses into valid .gem archives, and publishing those archives to RubyGems using embedded registry credentials.
In some cases, payloads embedded within the gems create a temporary RubyGems credential environment under “/tmp”, override the HOME environment variable so that the gem is built locally against it, and push the gem to RubyGems using the Gem command-line interface (CLI), rather than relying on existing RubyGems credentials on the target machine.
Other variants of the malicious gem have been found to bypass the CLI component and upload archives directly to the RubyGems API via HTTP POST requests. Once a new gem is published, all an attacker needs to do is run a “gem fetch” command with the gem’s name and version to access the scraped data.
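The mechanics described in the two paragraphs above (hard-coded registry credentials, a throwaway HOME under /tmp, pushes via the gem CLI or direct POSTs to the RubyGems API, and archives whose payload is scraped HTML/RSS) lend themselves to a static check over an unpacked gem. The following Ruby scanner is an added example, not Socket's or RubyGems' code; the regexes, the 50% HTML threshold and the sample gem contents are constructed assumptions for illustration.

```ruby
# Added example: heuristic scan of an unpacked gem's files for the
# GemStuffer-style indicators described in the article. Input is a Hash of
# {path => contents}, so it runs offline. Patterns are assumptions.
require "json"

# The api-key pattern follows the "rubygems_" + hex format RubyGems issues.
INDICATORS = {
  hardcoded_api_key: /\brubygems_[0-9a-f]{20,}\b/,
  tmp_credentials:   %r{/tmp/[^\s"']*\.gem/credentials|ENV\[["']HOME["']\]\s*=},
  gem_push:          /\bgem\s+push\b|Gem::Commands::PushCommand/,
  direct_api_post:   %r{rubygems\.org/api/v1/gems},
}.freeze

# Scraped web pages and feeds, not Ruby, are what a "stuffed" gem carries.
def html_like?(contents)
  contents.lstrip.start_with?("<!DOCTYPE", "<html", "<?xml") ||
    contents.include?("<rss")
end

# Returns an Array of {indicator:, path:} hits, plus one aggregate
# :stuffed_payload finding when more than half the files are HTML/RSS.
def scan_gem_files(files)
  findings = []
  html_count = 0
  files.each do |path, contents|
    html_count += 1 if html_like?(contents)
    INDICATORS.each do |name, pattern|
      findings << { indicator: name, path: path } if contents.match?(pattern)
    end
  end
  if !files.empty? && html_count * 2 > files.size
    findings << { indicator: :stuffed_payload, path: nil,
                  detail: "#{html_count}/#{files.size} files are HTML/RSS" }
  end
  findings
end

# Constructed sample (not a real gem): a pusher script that writes throwaway
# credentials under /tmp and pushes via the CLI, plus two scraped documents.
SAMPLE_GEM = {
  "lib/pusher.rb" => <<~RUBY,
    ENV["HOME"] = "/tmp/gs_home"
    File.write("/tmp/gs_home/.gem/credentials", ":rubygems_api_key: rubygems_#{'0' * 48}")
    system("gem push out.gem")
  RUBY
  "data/page1.html" => "<!DOCTYPE html><html><body>Committee calendar</body></html>",
  "data/feed.xml"   => "<?xml version=\"1.0\"?><rss><channel/></rss>",
}.freeze

puts JSON.pretty_generate(scan_gem_files(SAMPLE_GEM)) if __FILE__ == $PROGRAM_NAME
```

Run against the files of a real unpacked .gem (metadata aside), a benign library yields no findings, while a gem matching the article's description trips the credential, push and payload indicators together.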

This novel scraping campaign was found to target the public-facing ModernGov portal used by Lambeth, Wandsworth and Southwark, with the aim of collecting committee meeting calendars, agenda lists, linked PDF documents, executive contact information, and RSS feed content. It’s not clear what exactly the end goal is, since the information appears to be publicly accessible anyway.
Socket assessed that the systematic bulk collection and archiving of this data may allow attackers to use “access to the Congressional Portal as a linchpin to prove their capabilities against government infrastructure.”
“It could be registry spam, a proof-of-concept worm, an automated scraper that exploits RubyGems as a storage layer, or a deliberate test of package registry abuse,” Socket said. “But the mechanics are intentional: repeated gem generation, version increments, hard-coded RubyGems credentials, direct registry pushes, and scraped data embedded within package archives.”
