Decrypt LOL

Five Malicious npm Packages Target Roblox Developers Identified


Quick take - Researchers have discovered five malicious npm packages targeting Roblox developers, designed to mimic legitimate tools and deploy malware that steals sensitive information from infected systems.

Fast Facts

  • Five malicious npm packages targeting Roblox developers were identified, including autoadv, ro.dll, and two versions of rolimons-api, designed to mimic legitimate modules.
  • The packages contained obfuscated code that downloaded and executed Skuld infostealer and Blank Grabber malware, compromising sensitive user data.
  • Roblox has a large user base of 79.5 million daily active users, with a significant developer community of 2.6 million contributors, making it a prime target for cybercriminals.
  • Attackers used typosquatting to release counterfeit packages, and the malware employed techniques to evade security measures like User Account Control and Windows Defender.
  • Developers are advised to verify package names and use security tools to protect against these persistent threats, with specific indicators of compromise provided for identification.

Researchers Identify Malicious npm Packages Targeting Roblox Developers

Researchers have identified five malicious npm packages targeting developers within the popular gaming platform Roblox. The packages, named autoadv, ro.dll, node-dlls, and two versions of rolimons-api (1.1.0 and 1.1.2), were designed to resemble legitimate modules frequently used by the Roblox developer community.

Roblox’s User Base and Developer Community

As of the second quarter of 2024, Roblox boasts 79.5 million daily active users, with approximately 58% of users aged 13 or older. This user base is supported by a robust developer community of 2.6 million contributors. The popularity of Roblox has made it an appealing target for cybercriminals seeking to steal sensitive information or gain unauthorized access to user accounts.

Techniques and Malware Involved

The threat actor employed a technique known as typosquatting to release a counterfeit version of the well-known node-dll package, which has amassed over 35,800 downloads. The malicious rolimons-api packages were crafted to imitate Rolimon’s API Module, a widely used tool for integrating Rolimon’s data into Roblox games or applications.

In addition to the malicious npm packages, unauthorized wrappers and modules related to Rolimon have surfaced, including the Rolimons Lua module on GitHub and a Rolimons Python package that has over 17,000 downloads. The malicious packages contained obfuscated code designed to download and execute Skuld infostealer and Blank Grabber malware on infected systems.

Skuld is an infostealer written in Go that targets applications such as Discord, Chromium-based browsers, Firefox, and cryptocurrency wallets in order to extract sensitive data. Blank Grabber, a Python-based stealer, behaves similarly, harvesting sensitive information from compromised Windows machines. Notably, the malware ships with a graphical user interface (GUI) that lets operators change its behaviour, including evading User Account Control (UAC) prompts and disabling Windows Defender. Stolen data is transmitted to the threat actor via Telegram or Discord webhooks.

Recommendations for Developers

The malicious npm packages used obfuscated JavaScript to download and execute harmful executables from external sources. A function named downloadAndRun handled this step, issuing PowerShell commands that run arbitrary code on the victim's computer without raising immediate suspicion. This effectively opened a backdoor into the victim's system through which the Skuld infostealer and Blank Grabber malware were deployed, and through which the theft of private information, including bank data, credentials, and personal files, began.

This incident follows a similar campaign reported by Socket in early 2024, which involved a malicious package masquerading as the official noblox.js and noblox.js-server packages. Researchers emphasize that the recurrence of these attacks underscores a persistent threat landscape: attackers are capitalizing on the popularity of Roblox and on developers' reliance on open-source code. Developers are urged to remain vigilant by double-checking package names, scrutinizing third-party code, and using security tools to identify potentially harmful packages.
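As an added illustration of the "double-check package names" advice (example code written for this summary, not code from the article or from Socket's research), the script below audits a project's dependency map against the package names and versions reported above and flags any dependency whose name sits within a small edit distance of a legitimate package it could be imitating. The reference set of legitimate names (node-dll and the noblox.js packages mentioned in the article) and the sample dependency map are assumptions constructed for the demo.

```javascript
// Known-bad packages from the report: null means every version, an array means
// only the listed versions were reported as malicious.
const MALICIOUS = {
  "autoadv": null,
  "ro.dll": null,
  "node-dlls": null,
  "rolimons-api": ["1.1.0", "1.1.2"],
};
// Assumed reference set of legitimate names the counterfeits imitate.
const LEGIT = ["node-dll", "noblox.js", "noblox.js-server"];

// Classic Levenshtein edit distance: small distances between a dependency
// name and a well-known package are the hallmark of typosquatting.
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1,
                          dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return dp[a.length][b.length];
}

// deps: a package.json-style { name: versionRange } map.
// Returns one finding per suspicious dependency with every reason that fired.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const version = String(range).replace(/^[\^~=v]/, ""); // crude range-prefix strip
    const reasons = [];
    if (name in MALICIOUS) {
      const badVersions = MALICIOUS[name];
      if (badVersions === null) reasons.push("known malicious package");
      else if (badVersions.includes(version)) reasons.push(`known malicious version ${version}`);
    }
    for (const legit of LEGIT) {
      if (name !== legit && levenshtein(name, legit) <= 2) reasons.push(`resembles ${legit}`);
    }
    if (reasons.length) findings.push({ name, version, reasons });
  }
  return findings;
}

// Constructed sample dependency map (not a real project's package.json).
const SAMPLE_DEPS = {
  "express": "^4.19.2",
  "node-dlls": "1.0.0",
  "rolimons-api": "~1.1.2",
};
console.log(JSON.stringify(auditDependencies(SAMPLE_DEPS), null, 2));
```

Version matching only catches the exact versions the report names, so run the audit against the resolved versions in the lockfile rather than the ranges in package.json. Any edit-distance hit is a prompt for manual review, not a verdict.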

Indicators of Compromise (IOCs)

Indicators of compromise (IOCs) linked to this attack include the malicious packages:

  • autoadv
  • ro.dll
  • node-dlls
  • rolimons-api (versions 1.1.0 and 1.1.2)

Malicious URLs associated with the attack include:

  • hxxps://github[.]com/zvydev/code/raw/main/RobloxPlayerLauncher.exe
  • hxxps://github[.]com/zvydev/code/raw/main/cmd.exe
  • hxxps://github[.]com/zvydev/code

Additionally, a Discord webhook utilized by the threat actor has been identified as:

  • hxxps://discord[.]com/api/webhooks/1298438839865577564/LcdRm0rKPE01ApFPl9RQHGqhcuExeiqKGpghrB8Lv3iKniiyEa0mVBhFySte_oBx7wyQ
