This article is more than 1 year old
NPM packages disguised as Roblox API code caught carrying ransomware
Subverted libraries likely intended as a prank but should be taken seriously, say security researchers
Yet another NPM library has turned up infected with malware. Security firm Sonatype on Wednesday said it had spotted two related malicious NPM libraries that were named so they might be mistaken for a popular legitimate module that serves as a Roblox API wrapper.
The two poisoned libraries –
noblox.js -proxies – were typosquatting (named to be confusingly similar to)
noblox.js, a Roblox game API wrapper available on NPM and as a standalone download. Roblox is a gaming platform with more than 40 million daily active users.
It was only last week that the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory about another compromised NPM library,
ua-parser.js. And only a few days earlier, Sonatype spotted three more NPM libraries packed with cryptomining code.
Attacks on the software supply chain, particularly efforts to target popular code registries like NPM, PyPI, and RubyGems, have unfortunately become commonplace.
noblox.js is downloaded about 22,000 times a month from NPM and, according to Sonatype, has been downloaded more than 700,000 times. That kind of volume increases the odds that some developer will mistake a malicious variant for the real thing.
Sonatype spotted the villainous modules on October 20th and 26th, before much damage could be done. GitHub, which now operates NPM, is said to have removed the bad code within an hour of Sonatype's report.
"Since we discovered the two typosquats so quickly, they both had minimal impact with
noblox.js-proxy seeing 281 total downloads and
noblox.js-proxies seeing 106 total downloads, but it’s clear what type of scale the threat actors were hoping for going after such a popular component," said Juan Aguirre, a security researcher at Sonatype in a blog post.
Seemingly a new frontier for ransomware
But Aguirre observes that the malicious libraries contained trojans and ransomware, the latter of which hasn't been seen before in package registry subversion attempts.
The lookalike libraries copied the appearance of the noblox.js GitHub repo, but they included a postinstall script that contained a suspiciously obfuscated function.
The referenced Windows Batch file proved to be deliberately obscured through various encoding techniques, but Aguirre ultimately was able to determine that the Batch script initially tries bypassing Windows User Account Control with a Windows binary called
fodhelper. It subsequently uses Powershell download "cradles" – a single line command for downloading code and running it – to fetch various malicious executables.
The files –
tunamor.exe – were gathered from Discord's CDN server, which has become a popular malware distribution mechanism.
exclude.bat, tries to disable antivirus programs. The second,
legion.exe, tries to drop various files for stealing Discord tokens and stored browser and system credentials.
000.exe, drops nuisance executables and a video that's supposed to be ominous. And the fourth,
tunamor.exe, shows up in VirusTotal as a Remote Access Trojan, or RAT, that appears to be related to TAIDOOR.
"Taking a look at the executable itself, we can see this isn't just a RAT, this is ransomware and it's likely our bad actors are after a payday," said Aguirre.
Or maybe a belated Halloween prank
However, Aguirre sees the textual hints in the code and the moody video as a sign that this incident is more likely to be a prank attack than a serious operation.
And his colleague, Ax Sharma, a senior security researcher and advocate at Sonatype, said much the same in an email to The Register.
"While the trojans and ransomware within this package are fully functional, we have reason to believe this is a prank more than an actual, profitable operation for them – the presence of a 'spooky' video and what appears to be MBRLocker ransomware are big indicators," said Sharma.
"The bigger implication to keep in mind is that threat actors can infiltrate open source ecosystems through near-miss typosquats or dependency confusion hijacks and use it to distribute ransomware, which is what’s novel about this particular effort. This is the first time we’ve seen ransomware distributed as part of a malicious attack on an open source ecosystem."
- If you're using this hijacked NPM library anywhere in your software stack, read this
- GitHub's npm gave away a package name while it was in use, causing rethink
- About half of Python libraries in PyPI may have security issues, boffins say
Asked why NPM failed to catch these bad packages when they were created, Sharma said it's a consequence of open source ecosystems and registries needing to maintain low barriers to entry so anyone in the community has an easy way to contribute.
"The downside to this, however, means keeping malware out of registries can be a challenge," said Sharma. "Further complicating the matter is a gray area where security researchers will post proof-of-concept test packages as a part of research or bug bounty activities. What is seen as an effort to be more open, unfortunately means many open source registries don’t have strict security validations that could keep malicious typosquats and packages out."
Sharma said the lack of strict namespacing in repositories like NPM, PyPI, and RubyGems exacerbates the problem.
"Strict namespacing is deeply enforced in repositories like Sonatype’s Maven Central and GoLang’s pkg.go.dev," explained Sharma.
"For example, a threat actor could not just publish a malicious package to Maven Central under the
org.apache namespace that could be mistaken for an official Apache package – they would have to first prove they own the
apache.org domain. This is one of the deterrents we have in place to minimize the possibility of and impact from any malicious code uploads." ®