Roblox Game Devs Duped by Malicious npm Packages
Plus, How Malware Apps Are Using Sneaky APK Compression to Infect Users
Fake “noblox.js” Packages Infect Roblox Devs’ Systems
Since the start of August 2023, over a dozen malicious packages targeting Roblox developers have been identified on the npm package repository. These packages are equipped with the ability to deploy an open-source information-stealing tool called Luna Token Grabber on the systems of their victims. ReversingLabs first discovered this ongoing campaign on August 1. The attackers employed modules that masquerade as the genuine "noblox.js" package, which is an API wrapper used for scripting interactions with the Roblox gaming platform. This campaign echoes a similar attack from two years prior.
These malicious packages mimic the code of the legitimate "noblox.js" package but include harmful functions that steal information. The packages were collectively downloaded 963 times before they were removed. The rogue packages include names like "noblox.js-vps," "noblox.js-ssh," and "noblox.js-secure," and they were distributed across specific version ranges.
One unique aspect of this attack is its use of an executable to deliver the Luna Token Grabber. This campaign is one of the few instances of a multi-stage infection sequence found on npm. The attackers employed sophisticated techniques to hide their malicious functionality, including placing it in a separate file named "postinstall.js" to avoid detection. Legitimate packages also use a file with the same name to display information to users.
Interestingly, the threat actor responsible for this npm campaign chose to gather system information using a configurable builder provided by the authors of Luna Token Grabber, rather than directly deploying the information-stealing capabilities. This echoes a trend of malicious actors exploiting typosquatting to deceive developers into downloading harmful code under the guise of legitimate packages, as highlighted by Lucija Valentić, a software threat researcher. Notably, Luna Token Grabber had been previously identified, demonstrating its persistence in the wild.
Malware Apps Use Unknown Compression Techniques to Evade Detection
Cybersecurity firm Zimperium has identified a new evasion tactic employed by threat actors using Android Package (APK) files. Around 3,300 artifacts utilizing unknown or unsupported compression methods have been found in the wild, with 71 samples capable of being loaded onto operating systems unhindered. These APKs, which were never available on the Google Play Store, utilize a technique that prevents easy decompilation and analysis. By using unsupported decompression methods within the APK (ZIP file) structure, they make it challenging for various tools to analyze them effectively. This approach allows the malware to avoid decompilation while still being installable on Android devices above version 9 Pie. Zimperium's analysis was sparked by a June 2023 tweet discussing an APK exhibiting similar behavior. Furthermore, the firm discovered that malicious actors are intentionally corrupting APK files by employing excessively long filenames and malformed AndroidManifest.xml files, causing analysis tools to crash. This revelation comes shortly after Google highlighted threat actors using versioning techniques to bypass malware detection on the Play Store and target Android users.
Roku - Senior Site Reliability Engineer (SRE) - Cardiff, United Kingdom
VERISIGN - Mid level Software Engineer - Villars-sur-Glâne,Fribourg,Switzerland · Hybrid
Okta - Senior Software Engineer - Poland
Discord - Senior Software Engineer - Detection Infrastructure, Safety - Hybrid
Finder - Software Engineer (Internship) - Hybrid
Stripe - Software Engineering Intern - Dublin · Hybrid
JPMorgan Chase - 2024 - Data Science Analyst Program - Internship - Chicago
Akuna Capital - Software Engineer Intern - Data Engineering, Summer 2024 - Chicago
Thanks for reading Cyber Oracle! Subscribe for free to receive new posts and support my work.