Roblox devs under attack by new malicious npm campaign
Multiple malicious npm packages were spotted
Cybercriminals have once again been caught impersonating a legitimate project in order to steal from software developers. This time, researchers at Checkmarx found fake Roblox npm packages whose real purpose is to deploy a remote access trojan (RAT) called Quasar.
Roblox is an online platform where users can create and play games made by other users, using a game creation system called Roblox Studio. It features a virtual currency called Robux for in-game purchases and has over 214 million monthly active users.
In this campaign, the crooks relied on typosquatting (publishing packages under names close enough to a legitimate package's name that developers install them by mistake) and pushed several such packages to the npm registry, hoping that someone would pick them up.
Quasar Remote Access Trojan
It’s an old strategy that has worked before, and it appears to have worked here too. According to the researchers, the four malicious packages identified had been downloaded a combined 319 times before being spotted and removed: noblox.js-async had 74 downloads, noblox.js-thread 117, noblox.js-threads 64, and noblox.js-api 64.
“By mimicking the popular 'noblox.js' library, attackers have published dozens of packages designed to steal sensitive data and compromise systems," Checkmarx researchers said in a report.
"The attackers of this campaign have employed techniques including brandjacking, combosquatting, and starjacking to create a convincing illusion of legitimacy for their malicious packages."
To make the packages look even more legitimate, the crooks also set each package's repository field to the real noblox.js repository, so that the npm listing displays the legitimate project's stars and source links (the starjacking the researchers refer to).
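The lookalike naming and the borrowed repository field described above can both be checked before a dependency is installed. The script below is an added example, not code from Checkmarx, TechRadar or the noblox.js project; it flags combosquatted and typosquatted names against a short list of packages you trust, and reports when a package's declared repository is named after a different package. The trusted list, the sample package.json dependencies and the registry metadata (standing in for what `npm view <pkg> repository` returns, including the repository URLs) are constructed inputs for the demonstration.

```javascript
// Added example (not Checkmarx's, TechRadar's or noblox.js's code): offline
// heuristics for the lookalike-package tricks described in the article.

// Constructed list of packages whose names an attacker might piggyback on.
const KNOWN_PACKAGES = ["noblox.js", "discord.js", "express"];

// Constructed dependency block of a Roblox tooling project's package.json.
const SAMPLE_DEPENDENCIES = {
  "noblox.js": "^4.0.0",
  "noblox.js-threads": "^1.0.0", // combosquat: known name plus a suffix
  "nobloxjs": "^1.0.0",          // typosquat: one edit away from noblox.js
  "express": "^4.19.0",
};

// Constructed registry metadata. The lookalike points its repository at the
// legitimate project's repo (starjacking) so its npm page shows those stars.
const SAMPLE_METADATA = {
  "noblox.js": { repository: { type: "git", url: "git+https://github.com/example-org/noblox.js.git" } },
  "noblox.js-threads": { repository: { type: "git", url: "git+https://github.com/example-org/noblox.js.git" } },
  "nobloxjs": {}, // no repository field at all
  "express": { repository: "expressjs/express" }, // npm's owner/repo shorthand
};

// Levenshtein edit distance (single-row DP), used by the typosquat check.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Combosquatting: an exact known name with a separator and an extra word
// glued on, e.g. "noblox.js-threads". Returns the mimicked name or null.
function combosquatTarget(name, known = KNOWN_PACKAGES) {
  for (const k of known) {
    if (name === k) return null; // the genuine package
    for (const sep of ["-", "_", "."]) {
      if (name.startsWith(k + sep) || name.endsWith(sep + k)) return k;
    }
  }
  return null;
}

// Typosquatting: within a couple of edits of a known name, e.g. "nobloxjs".
function typosquatTarget(name, known = KNOWN_PACKAGES, maxDistance = 2) {
  let best = null;
  for (const k of known) {
    if (name === k) return null;
    const d = levenshtein(name, k);
    if (d <= maxDistance && (best === null || d < best.distance)) best = { target: k, distance: d };
  }
  return best ? best.target : null;
}

// Trailing "<repo>" from the forms npm accepts: git URL, owner/repo shorthand,
// or the {type, url} object. Returns null when no repository is declared.
function repoNameFromField(repository) {
  if (!repository) return null;
  const raw = typeof repository === "string" ? repository : repository.url;
  if (!raw) return null;
  const last = raw.replace(/\/+$/, "").split("/").pop();
  return last.replace(/\.git$/, "").toLowerCase();
}

// Starjacking indicator: the declared repository is named after some other
// package. A mismatch is a red flag, not proof (monorepos are a legitimate
// cause), so the audit reports it instead of blocking on it.
function repoMismatch(name, metadata) {
  const repo = repoNameFromField(metadata && metadata.repository);
  if (repo === null) return false;
  const bare = name.replace(/^@[^/]+\//, "").toLowerCase(); // drop npm scope
  return repo !== bare;
}

// Walk a dependency map and return one finding per suspicious package.
function auditDependencies(deps, metadataByName = SAMPLE_METADATA, known = KNOWN_PACKAGES) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    const reasons = [];
    const combo = combosquatTarget(name, known);
    const typo = combo ? null : typosquatTarget(name, known);
    if (combo) reasons.push(`combosquat of ${combo}`);
    if (typo) reasons.push(`typosquat of ${typo}`);
    if (repoMismatch(name, metadataByName[name])) {
      reasons.push(`repository points at ${repoNameFromField(metadataByName[name].repository)}, not ${name}`);
    }
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.name}: ${f.reasons.join("; ")}`);
}
```

Run against the constructed data, the audit flags noblox.js-threads twice (combosquat of noblox.js; repository named noblox.js rather than noblox.js-threads) and nobloxjs once (typosquat of noblox.js), while the genuine noblox.js and express pass. In a real pipeline the trusted list would come from your lockfile or an allow-list, and the metadata from the registry rather than the inline object.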
Developers who don’t spot the ruse and install these packages receive the Quasar RAT, which is fetched from a GitHub repository. The malware also steals their Discord tokens and changes Microsoft Defender Antivirus settings so that it is no longer flagged.
"Central to the malware's effectiveness is its approach to persistence, leveraging the Windows Settings app to ensure sustained access," the researchers added. "As a result, whenever a user attempts to open the Windows Settings app, the system inadvertently executes the malware instead."
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.