Roblox developers are once again being targeted by a campaign that seeds the npm registry with fraudulent packages. It is a familiar pattern: adversaries exploit the trust developers place in open-source package ecosystems to distribute malware.
“Imitating the widely-used ‘noblox.js’ library, the perpetrators have released numerous packages aimed at pilfering sensitive data and compromising systems,” revealed Checkmarx researcher Yehuda Gelb in a detailed technical report.
The first reports of this activity came in August 2023 from ReversingLabs, which identified a campaign distributing a stealer known as Luna Token Grabber. ReversingLabs described that incident as a “replay of an assault uncovered two years prior,” in October 2021.
Since the start of the year, two further packages, noblox.js-proxy-server and noblox-ts, have been flagged as malicious. Both impersonate the popular Node.js library in order to deliver stealer malware and a remote access trojan, Quasar RAT.
“The assailants have utilized various techniques such as brandjacking, combosquatting, and starjacking to craft a facade of authenticity for their malevolent packages,” Gelb noted.
The packages are published under names such as noblox.js-async, noblox.js-thread, noblox.js-threads, and noblox.js-api, chosen so that developers searching for or installing the genuine “noblox.js” package take them for official companions to it.
The download statistics for these packages are as follows:
- noblox.js-async (74 downloads)
- noblox.js-thread (117 downloads)
- noblox.js-threads (64 downloads)
- noblox.js-api (64 downloads)
A further technique is starjacking: the fraudulent packages set their `repository` metadata to the genuine noblox.js repository, so registry pages and tooling that follow the link display the real project's stars and commit history. npm does not verify that a declared repository actually belongs to the package that declares it, so a repository link is not evidence of provenance.
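The three naming and metadata tricks quoted above can be checked mechanically before a package is installed. The following is an added example, not code from the Checkmarx report or the noblox.js project: it compares candidate npm manifests against a trusted entry and reports combosquatting (trusted name plus a suffix), brandjacking (the brand reused in a different name) and starjacking (the `repository` field pointing at a repository that belongs to the trusted package). The trusted entry and the candidate manifests are constructed sample data; the candidate names come from the article, while their repository and other fields are assumed for illustration.

```javascript
// Added example: flag npm manifests that imitate a trusted package.
// TRUSTED and SAMPLE_MANIFESTS are constructed sample data.
const TRUSTED = [
  { name: "noblox.js", repository: "https://github.com/noblox/noblox.js" },
];

// Normalise the spellings npm accepts in "repository" so URLs compare equal:
// "git+https://.../x.git", "github:owner/repo", "ssh://git@github.com/...".
function normalizeRepo(url) {
  if (!url) return null;
  let u = String(url).trim()
    .replace(/^git\+/, "")
    .replace(/\/+$/, "")
    .replace(/\.git$/, "");
  const short = u.match(/^github:([^/]+)\/([^/]+)$/);
  if (short) return `github.com/${short[1]}/${short[2]}`.toLowerCase();
  return u
    .replace(/^(https?|git|ssh):\/\//, "")
    .replace(/^git@github\.com[:/]/, "github.com/")
    .toLowerCase();
}

// "repository" may be a string or an object with a "url" field.
function repoOf(manifest) {
  const r = manifest.repository;
  return normalizeRepo(typeof r === "string" ? r : r && r.url);
}

// Returns a list of finding strings for one manifest; empty means nothing looked off.
function assess(manifest, trusted = TRUSTED) {
  const findings = [];
  const name = manifest.name.toLowerCase();
  const repo = repoOf(manifest);
  for (const t of trusted) {
    const tname = t.name.toLowerCase();
    if (name === tname) continue; // the genuine package itself
    const brand = tname.replace(/\.js$/, ""); // "noblox.js" -> "noblox"
    if (name.startsWith(tname + "-") || name.startsWith(tname + ".")) {
      findings.push(`combosquatting: "${manifest.name}" extends the trusted name "${t.name}"`);
    } else if (name.includes(brand)) {
      findings.push(`brandjacking: "${manifest.name}" reuses the "${brand}" brand of "${t.name}"`);
    }
    // Starjacking: a different package claiming the trusted package's repository.
    if (repo && repo === normalizeRepo(t.repository)) {
      findings.push(`starjacking: repository points at ${t.repository}, which belongs to "${t.name}"`);
    }
  }
  return findings;
}

// Constructed manifests: names from the article, every other field assumed.
const SAMPLE_MANIFESTS = [
  { name: "noblox.js", repository: { type: "git", url: "git+https://github.com/noblox/noblox.js.git" } },
  { name: "noblox.js-async", repository: "github:noblox/noblox.js" },
  { name: "noblox-ts", repository: "https://github.com/unrelated-user/noblox-ts" },
  { name: "express", repository: "https://github.com/expressjs/express" },
];

// Map of package name -> findings for a batch of manifests.
function scanManifests(manifests = SAMPLE_MANIFESTS) {
  const report = {};
  for (const m of manifests) report[m.name] = assess(m);
  return report;
}

for (const [name, findings] of Object.entries(scanManifests())) {
  console.log(name, findings.length ? findings : "ok");
}
```

On a real registry feed the manifests would come from `npm view <name> --json`; the starjacking check above compares the declared repository only, and a stronger version would also fetch `package.json` from the claimed repository and confirm that its `name` matches the package under review. Low download counts of the kind listed for these packages are a useful secondary signal but not a verdict on their own.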
The malicious code in these newer packages acts as a downloader for further payloads hosted in a GitHub repository. It also steals Discord tokens, adds entries to the Microsoft Defender Antivirus exclusion list so that its components are not scanned, and establishes persistence by modifying the Windows Registry.
“Crucial to the malware’s effectiveness is its persistence strategy, utilizing the Windows Settings app to guarantee ongoing access,” Gelb observed. “Consequently, whenever a user tries to open the Windows Settings app, the malware is inadvertently executed.”
The end goal of the chain is to deploy Quasar RAT, which gives the attacker remote control of the compromised system. The collected data is exfiltrated to the attacker’s command-and-control (C2) server through a Discord webhook.
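The host-side footprint described in the two paragraphs above (a registry change that makes Settings launches run the malware, and Defender exclusions) can be triaged offline from a registry export and the Defender exclusion list. The following is an added example and is not code from the Checkmarx report. The `.reg` text and the exclusion list are constructed sample data. The key path used for the Settings check is an assumption: the article only says the malware runs whenever the Settings app is opened, and `HKCU\Software\Classes\ms-settings\shell\open\command` is the per-user handler Windows consults for that launch, which does not exist on a clean profile.

```javascript
// Added example: triage a Windows registry export and a Defender exclusion
// list for the persistence pattern described in the article. All input data
// below is constructed; the ms-settings key path is an assumption (see lead-in).

const SAMPLE_REG = String.raw`Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command]
@="C:\\Users\\dev\\AppData\\Roaming\\updater.exe"
"DelegateExecute"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"WinUpdate"="C:\\Users\\dev\\AppData\\Local\\Temp\\svc.exe"
`;

// Constructed stand-in for the ExclusionPath list returned by Get-MpPreference.
const SAMPLE_EXCLUSIONS = [
  "C:\\Program Files\\MyIDE",
  "C:\\Users\\dev\\AppData\\Roaming",
];

// Directories any user can write to; binaries launched from here deserve a look.
const USER_WRITABLE = /\\(AppData|Temp|Downloads|Users\\Public)\\/i;

// Parse .reg text into Map<keyPath, { valueName: data }>.
function parseReg(text) {
  const keys = new Map();
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("Windows Registry Editor")) continue;
    if (line.startsWith("[") && line.endsWith("]")) {
      current = line.slice(1, -1);
      keys.set(current, {});
      continue;
    }
    const m = line.match(/^(@|"((?:[^"\\]|\\.)*)")=(.*)$/);
    if (!m || current === null) continue;
    const name = m[1] === "@" ? "(Default)" : m[2];
    let data = m[3];
    if (data.startsWith('"') && data.endsWith('"')) {
      data = data.slice(1, -1).replace(/\\(.)/g, "$1"); // undo .reg escaping of \ and "
    }
    keys.get(current)[name] = data;
  }
  return keys;
}

function triageRegistry(keys) {
  const findings = [];
  for (const [path, values] of keys) {
    const p = path.toLowerCase();
    // Per-user Settings handler: absent on a clean profile, and opening the
    // Settings app runs whatever command is stored in the default value.
    if (p.startsWith("hkey_current_user\\") && p.endsWith("\\ms-settings\\shell\\open\\command")) {
      findings.push({
        kind: "settings-handler-hijack",
        path,
        command: values["(Default)"] || "",
        delegateExecute: "DelegateExecute" in values,
      });
    }
    // Classic Run/RunOnce autostarts that point into user-writable directories.
    if (/\\currentversion\\run(once)?$/.test(p)) {
      for (const [name, cmd] of Object.entries(values)) {
        if (USER_WRITABLE.test(cmd)) {
          findings.push({ kind: "run-key-user-writable", path, command: `${name} -> ${cmd}` });
        }
      }
    }
  }
  return findings;
}

// Exclusions that cover user-writable directories blind Defender to anything dropped there.
function triageExclusions(paths) {
  return paths.filter((p) => USER_WRITABLE.test(p.replace(/\\?$/, "\\")));
}

function runTriage(regText = SAMPLE_REG, exclusions = SAMPLE_EXCLUSIONS) {
  return {
    registry: triageRegistry(parseReg(regText)),
    exclusions: triageExclusions(exclusions),
  };
}

console.log(JSON.stringify(runTriage(), null, 2));
```

On a live host the inputs are produced with `reg export "HKCU\Software\Classes\ms-settings" ms-settings.reg` (and the same for the `Run` keys) and `(Get-MpPreference).ExclusionPath`; feed the file contents and the path list to `runTriage`. Any hit on the Settings handler key warrants pulling the referenced binary for analysis, since a legitimate per-user override of that handler is rare.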
The findings show that new packages keep appearing despite ongoing takedowns, so developers should treat package names, star counts and repository links as unverified metadata and check what they install against the genuine project.