NPM packages disguised as Roblox API code caught carrying ransomware

Subverted libraries likely intended as a prank but should be taken seriously, say security researchers


Yet another NPM library has turned up infected with malware. Security firm Sonatype on Wednesday said it had spotted two related malicious NPM libraries that were named so they might be mistaken for a popular legitimate module that serves as a Roblox API wrapper.

The two poisoned libraries – noblox.js-proxy and noblox.js-proxies – were typosquatting (named to be confusingly similar to) noblox.js, a Roblox game API wrapper available on NPM and as a standalone download. Roblox is a gaming platform with more than 40 million daily active users.

It was only last week that the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory about another compromised NPM library, ua-parser.js. And only a few days earlier, Sonatype spotted three more NPM libraries packed with cryptomining code.

Attacks on the software supply chain, particularly efforts to target popular code registries like NPM, PyPI, and RubyGems, have unfortunately become commonplace.

The legitimate noblox.js is downloaded about 22,000 times a month from NPM and, according to Sonatype, has been downloaded more than 700,000 times. That kind of volume increases the odds that some developer will mistake a malicious variant for the real thing.

Sonatype spotted the villainous modules on October 20th and 26th, before much damage could be done. GitHub, which now operates NPM, is said to have removed the bad code within an hour of Sonatype's report.

"Since we discovered the two typosquats so quickly, they both had minimal impact with noblox.js-proxy seeing 281 total downloads and noblox.js-proxies seeing 106 total downloads, but it’s clear what type of scale the threat actors were hoping for going after such a popular component," said Juan Aguirre, a security researcher at Sonatype, in a blog post.

Seemingly a new frontier for ransomware

But Aguirre observes that the malicious libraries contained trojans and ransomware, the latter of which hasn't been seen before in package registry subversion attempts.

The lookalike libraries copied the appearance of the noblox.js GitHub repo, but they included a postinstall script that contained a suspiciously obfuscated function.

The referenced Windows Batch file proved to be deliberately obscured through various encoding techniques, but Aguirre ultimately was able to determine that the Batch script initially tries bypassing Windows User Account Control with a Windows binary called fodhelper. It subsequently uses PowerShell download "cradles" – a single-line command that downloads code and runs it – to fetch various malicious executables.

The files – exclude.bat, legion.exe, 000.exe, and tunamor.exe – were gathered from Discord's CDN server, which has become a popular malware distribution mechanism.

The first, exclude.bat, tries to disable antivirus programs. The second, legion.exe, tries to drop various files for stealing Discord tokens and stored browser and system credentials.

The third, 000.exe, drops nuisance executables and a video that's supposed to be ominous. And the fourth, tunamor.exe, shows up in VirusTotal as a Remote Access Trojan, or RAT, that appears to be related to TAIDOOR.

"Taking a look at the executable itself, we can see this isn't just a RAT, this is ransomware and it's likely our bad actors are after a payday," said Aguirre.
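The incident above leaned on two weaknesses a consuming project can check for before `npm install` runs anything: a dependency name that rides on a popular one (noblox.js-proxies for noblox.js), and an install-time lifecycle script declared in the dependency's own package.json, which is the hook the malicious postinstall script used. The audit below is an added example written for this page, not Sonatype's tooling or code from the article; the popular-package list, the sample manifests and the "confusable name" heuristic are constructed for illustration.

```javascript
// Added example, not code from the article or from Sonatype: a pre-install
// audit of a project's dependencies that flags two things this incident relied
// on. First, dependency names that are confusable with a well-known package
// (a near-miss spelling, or the popular name with a bolted-on prefix/suffix
// such as "noblox.js-proxies" for "noblox.js"). Second, dependencies whose
// own package.json declares install-time lifecycle scripts, the hook the
// malicious postinstall script described above used to run on install.

// Levenshtein edit distance, single-row dynamic programme.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // row[j-1] as it was for the previous value of i
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Heuristic: is `name` likely to be mistaken for `popular`? Deliberately
// noisy (legitimate "<popular>-plugin" packages also match), so matches are
// review items rather than hard blocks; known-good names go on the allowlist.
function isConfusable(name, popular) {
  const n = name.toLowerCase();
  const p = popular.toLowerCase();
  if (n === p) return false;
  if (editDistance(n, p) <= 2) return true; // e.g. "lodahs" vs "lodash"
  const seps = ['-', '.', '_'];
  return seps.some((s) => n.startsWith(p + s) || n.endsWith(s + p));
}

// Lifecycle hooks npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// deps: { name: manifest } where manifest is the dependency's own package.json
// (what ends up at node_modules/<name>/package.json).
function auditDependencies(deps, popular, allowlist = []) {
  const findings = [];
  for (const [name, manifest] of Object.entries(deps)) {
    if (allowlist.includes(name)) continue;
    for (const p of popular) {
      if (isConfusable(name, p)) {
        findings.push({ package: name, kind: 'typosquat-candidate', detail: `resembles ${p}` });
      }
    }
    const scripts = (manifest && manifest.scripts) || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
        findings.push({ package: name, kind: 'install-script', detail: `${hook}: ${scripts[hook]}` });
      }
    }
  }
  return findings;
}

// Constructed sample input (not real manifests): three direct dependencies.
const POPULAR_PACKAGES = ['noblox.js', 'lodash', 'express'];
const SAMPLE_DEPENDENCIES = {
  'noblox.js-proxies': {
    name: 'noblox.js-proxies',
    version: '1.0.0',
    scripts: { postinstall: 'node setup.js' }, // constructed; would run at install time
  },
  lodash: { name: 'lodash', version: '4.17.21', scripts: {} },
  express: { name: 'express', version: '4.17.1', scripts: { test: 'mocha' } },
};

function runSampleAudit() {
  return auditDependencies(SAMPLE_DEPENDENCIES, POPULAR_PACKAGES);
}

for (const f of runSampleAudit()) {
  console.log(`${f.kind.padEnd(20)} ${f.package}: ${f.detail}`);
}
```

Run against the constructed sample, the audit reports noblox.js-proxies twice: once as a typosquat candidate for noblox.js and once for its postinstall hook, while lodash and express (a `test` script is not an install hook) pass. The name heuristic is intentionally loose, so its output is a review queue, not a verdict. Independently of this check, npm skips every dependency's lifecycle scripts when `ignore-scripts=true` is set in `.npmrc` (or `npm install --ignore-scripts` is used), which removes the postinstall vector outright at the cost of breaking packages that genuinely need a build step on install.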

Or maybe a belated Halloween prank

However, Aguirre sees the textual hints in the code and the moody video as a sign that this incident is more likely to be a prank attack than a serious operation.

And his colleague, Ax Sharma, a senior security researcher and advocate at Sonatype, said much the same in an email to The Register.

"While the trojans and ransomware within this package are fully functional, we have reason to believe this is a prank more than an actual, profitable operation for them – the presence of a 'spooky' video and what appears to be MBRLocker ransomware are big indicators," said Sharma.

"The bigger implication to keep in mind is that threat actors can infiltrate open source ecosystems through near-miss typosquats or dependency confusion hijacks and use it to distribute ransomware, which is what’s novel about this particular effort. This is the first time we’ve seen ransomware distributed as part of a malicious attack on an open source ecosystem."

Asked why NPM failed to catch these bad packages when they were created, Sharma said it's a consequence of open source ecosystems and registries needing to maintain low barriers to entry so anyone in the community has an easy way to contribute.

"The downside to this, however, means keeping malware out of registries can be a challenge," said Sharma. "Further complicating the matter is a gray area where security researchers will post proof-of-concept test packages as a part of research or bug bounty activities. What is seen as an effort to be more open, unfortunately means many open source registries don’t have strict security validations that could keep malicious typosquats and packages out."

Sharma said the lack of strict namespacing in repositories like NPM, PyPI, and RubyGems exacerbates the problem.

"Strict namespacing is deeply enforced in repositories like Sonatype’s Maven Central and GoLang’s pkg.go.dev," explained Sharma.

"For example, a threat actor could not just publish a malicious package to Maven Central under the org.apache namespace that could be mistaken for an official Apache package – they would have to first prove they own the apache.org domain. This is one of the deterrents we have in place to minimize the possibility of and impact from any malicious code uploads." ®
