Malicious Package Affecting pretty_color package, versions >=0.0.0



CVSS assessment made by Snyk's Security Team

Threat Intelligence
    Exploit Maturity: Mature

  • Snyk ID SNYK-RUBY-PRETTYCOLOR-1052070
  • published 17 Dec 2020
  • disclosed 17 Dec 2020
  • credit Sonatype

Introduced: 17 Dec 2020

Malicious package. CVE: not available. CWE-506.

How to fix?

Avoid using all malicious instances of the pretty_color package.

Overview

pretty_color is a malicious package. Its version.rb contains obfuscated code which, on Windows systems, generates and runs a malicious VBScript, the_Score.vbs. This script:

  1. Creates (drops) a second malicious VBScript at %PROGRAMDATA%\Microsoft Essentials\Software Essentials.vbs.
  2. The dropped script then monitors the user's clipboard every second for a Bitcoin address and replaces it with the attacker's wallet address.
  3. For persistence, the_Score.vbs also adds the path of the dropped Software Essentials.vbs to the appropriate Windows registry key, so that the malware runs every time the system boots.
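Since every published version of pretty_color is malicious (the affected range is >=0.0.0), the practical defensive check is to make sure the gem never appears in a project's lockfile. The following is an added example, not code from the Snyk advisory: a small Ruby audit that parses a Gemfile.lock and matches each locked gem against an advisory list using RubyGems' own version-requirement matching. The lockfile content and the "example-gem" advisory are constructed for the example.

```ruby
require "rubygems"

# pretty_color's entry mirrors the range on this page (>= 0.0.0, i.e. every
# version); "example-gem" is a constructed placeholder with a narrower range.
ADVISORIES = {
  "pretty_color" => { id: "SNYK-RUBY-PRETTYCOLOR-1052070", range: ">= 0.0.0" },
  "example-gem"  => { id: "EXAMPLE-PLACEHOLDER", range: ">= 1.0.0, < 1.2.0" },
}.freeze

# Parse the "specs:" block(s) of a Gemfile.lock into { name => version }.
# Locked gems are the 4-space-indented "name (version)" lines; the 6-space
# lines under them are dependency constraints and are skipped.
def locked_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty?   # a blank line ends the block
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    gems[m[1]] = m[2] if m
  end
  gems
end

# Return [[name, version, advisory_id], ...] for every locked gem whose version falls in a vulnerable range.
def audit(lockfile_text, advisories = ADVISORIES)
  locked_gems(lockfile_text).filter_map do |name, version|
    next unless (adv = advisories[name])
    req = Gem::Requirement.new(*adv[:range].split(",").map(&:strip))
    [name, version, adv[:id]] if req.satisfied_by?(Gem::Version.new(version))
  end
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      pretty_color (0.1.0)
      colorize (0.8.1)
      example-gem (1.1.0)
        colorize (>= 0.8)
      rake (13.0.6)
LOCK

audit(SAMPLE_LOCK).each { |name, ver, id| puts "#{name} #{ver}: #{id}" } if __FILE__ == $PROGRAM_NAME
```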

CVSS Scores (CVSS version 3.1)

Snyk (recommended): 9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High