Roblox developers have recently been targeted by a persistent campaign that uses fake npm packages to distribute malware. The attackers impersonate the popular 'noblox.js' library to deliver malicious packages such as nobloxjs-proxy-server and noblox-ts, which carry the Luna Token Grabber stealer and the Quasar RAT.
Description
The attackers relied on typosquatting to publish the malicious packages to the npm registry, where they reached nearly 200 downloads before being removed. To make the packages look legitimate they combined brandjacking and combosquatting (appending plausible suffixes to the trusted name) with starjacking (pointing package metadata at a popular GitHub repository so the listing inherits its star count) [7]. Packages in the campaign include nobloxjs-async, nobloxjs-thread [7], nobloxjs-threads [7] and nobloxjs-api [4] [6] [7], all of which mimic the popular Node.js library to deceive unsuspecting developers [7]. Two additional malicious packages [1] [2] [5], nobloxjs-proxy-server and noblox-ts [1] [2] [4] [5] [6], have also been identified [1] [2] [4]; they deliver stealer malware and the Quasar RAT remote access trojan [2] [5].

The packages act as gateways for additional payloads hosted on a GitHub repository [3] [7]. Those payloads steal Discord tokens [6] [7], add entries to the Microsoft Defender Antivirus exclusion list [6] [7], and establish persistence through changes to the Windows registry [7]. The final stage of the chain deploys Quasar RAT [1] [2] [3] [4] [5] [6] [7], which abuses the Windows Settings app to gain persistent access [4] [6] [7] and gives the attacker remote control over the infected system. Stolen information is exfiltrated to the attacker's command-and-control server via a Discord webhook [4] [7].

The campaign, discovered in August 2023 [2], mirrors a similar attack from October 2021 involving the Luna Token Grabber stealer [2]. Despite efforts to remove these packages [7], new ones continue to be published [6] [7], underscoring an ongoing threat against which developers must remain vigilant [7].
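As an added example (not code from the original article or any of the cited reports), the following Node.js script flags dependencies whose names look like typosquats or combosquats of a trusted package, using the impostor names from this campaign as constructed sample input. The allowlist, the edit-distance threshold and the sample package.json contents are assumptions made for this example.

```javascript
// Collapse the separators and case that lookalike names play with:
// "noblox.js", "noblox-js", "nobloxjs" and "NobloxJS" all become "nobloxjs".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[.\-_]/g, "");
}

// Levenshtein edit distance; package names are short, so a plain table is fine.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns [{ name, reason, lookalikeOf }] for each dependency that is not an exact
// trusted name but normalises to one, extends one, or is within maxDistance edits of one.
function flagLookalikes(dependencies, trusted, maxDistance = 1) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (trusted.includes(name)) continue; // exact allowlisted names are never flagged
    const n = normalize(name);
    for (const t of trusted) {
      const tn = normalize(t);
      let reason = null;
      if (n === tn) reason = "typosquat: separator or case variant";
      else if (n.startsWith(tn)) reason = "combosquat: trusted name plus extra words";
      else if (tn.length >= 6 && editDistance(n, tn) <= maxDistance) reason = "typosquat: near-miss spelling"; // short names: too many false positives
      if (reason) { findings.push({ name, reason, lookalikeOf: t }); break; }
    }
  }
  return findings;
}

// Constructed sample: the legitimate library, three impostor names from this campaign, one unrelated package.
const SAMPLE_DEPENDENCIES = {
  "noblox.js": "^4.0.0",
  "nobloxjs-proxy-server": "^1.0.0",
  "noblox-ts": "^1.0.0",
  "nobloxjs-api": "^1.0.0",
  "express": "^4.19.0",
};
const TRUSTED = ["noblox.js"]; // assumed allowlist for this project
for (const f of flagLookalikes(SAMPLE_DEPENDENCIES, TRUSTED)) {
  console.log(`${f.name}: ${f.reason} (looks like ${f.lookalikeOf})`);
}
```

The output is a heuristic shortlist for human review, not a verdict; a legitimate plugin ecosystem (for example scoped packages that extend a trusted name) will also match the combosquat rule.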
Conclusion
The targeting of Roblox developers with fake npm packages containing malware highlights the importance of remaining vigilant against such threats. Efforts to remove these malicious packages must continue [7], and developers should take steps to protect their systems and information. The ongoing nature of this campaign underscores the need for heightened cybersecurity measures and awareness within the developer community.
References
[1] https://blogs.masterhacks.net/noticias/hacking-y-ciberdelitos/paquetes-npm-maliciosos-que-suplantan-noblox-js-estan-comprometiendo-los-sistemas-de-los-desarrolladores-de-roblox/
[2] https://zaman.co.at/en/vr/new-wave-of-attacks-target-roblox-developers/1070419/
[3] https://www.techradar.com/pro/security/roblox-devs-under-attack-by-new-malicious-npm-campaign
[4] https://thehackernews.com/2024/09/malicious-npm-packages-mimicking.html
[5] https://vulners.com/thn/THN:F9FDB5D9C95FCE690F9558396F5C6090
[6] https://patabook.com/technology/2024/09/02/malicious-npm-packages-mimicking-noblox-js-compromise-roblox-developers-systems/
[7] https://www.techidee.nl/kwaadaardige-npm-pakketten-die-noblox-js-nabootsen-brengen-systemen-van-roblox-ontwikkelaars-in-gevaar/13612/