Roblox developers are the target of a persistent campaign that uses fake npm packages to compromise their systems. Cybersecurity firm Checkmarx reports that these packages mimic the popular "noblox.js" library, exploiting trust in the open-source ecosystem to spread malware and steal sensitive information.
ReversingLabs first documented the activity in August 2023 and traced it to a campaign dating back to October 2021 that used a stealer called Luna Token Grabber. Since the beginning of this year, malicious packages such as noblox.js-proxy-server and noblox-ts have been identified. They impersonate the genuine Node.js library "noblox.js" in order to deliver stealer malware and the Quasar Remote Access Trojan (RAT).
According to Yehuda Gelb from Checkmarx, attackers use sophisticated tactics, including:
Some of the fake package names used in this campaign include:
The latest versions of these malicious packages act as droppers, retrieving additional payloads from GitHub repositories. They steal Discord tokens, add entries to the Microsoft Defender Antivirus exclusion list so that the dropped files are not scanned, and establish persistence by modifying the Windows Registry.
A notable part of the persistence strategy is a hijack of the Windows Settings app: the malware changes how Windows launches Settings so that opening the app runs the malicious code instead, giving the attacker sustained access. Because it is tied to Settings rather than to system startup, this is not a persistence mechanism that a review of the usual autostart locations alone would necessarily reveal.
The ultimate goal is to deploy Quasar RAT, which gives the attacker remote control of the infected system. Harvested data, including the stolen tokens and other sensitive information, is exfiltrated to the attacker's command-and-control (C2) infrastructure through a Discord webhook. Webhook traffic goes to Discord's own API endpoints over HTTPS, so it blends in with legitimate traffic and rarely stands out in network monitoring.
Despite takedown efforts, new malicious packages continue to emerge, so developers need to stay vigilant. As attacks on open-source ecosystems become more sophisticated, it is crucial to verify that a package is the one you intend to install (exact name, publisher and repository), to review any install-time lifecycle scripts before they run, to use dependency-scanning tools, and to stay informed about emerging threats.
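As an added illustration of the "verify the authenticity of packages" advice, the script below is a small pre-install audit written for this page; it is not code from the article, from Checkmarx or from the noblox.js project. It flags dependency names that embed or closely resemble a trusted package name (combosquatting and typosquatting, which is how noblox.js-proxy-server and noblox-ts trade on the real noblox.js), and it flags any dependency that declares an npm lifecycle hook, since an install-time hook is where a stealer would execute. The trusted list, the hook list, the edit-distance threshold and the sample manifests are all assumptions made for the example; in practice you would install with `npm install --ignore-scripts`, feed each `node_modules/*/package.json` to `auditPackage`, and only then decide whether to run `npm rebuild`.

```javascript
// Added example, not from the original article. Audits dependency manifests
// for lookalike names and install-time lifecycle hooks before scripts run.

const TRUSTED_PACKAGES = ['noblox.js'];                          // assumption: your allow-list
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const MAX_EDIT_DISTANCE = 2;                                     // assumption: typosquat threshold

// Strip an npm scope and separators so "noblox-js" and "noblox.js" compare equal.
function normalizeName(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[._-]/g, '');
}

// Levenshtein edit distance (substitution, insertion, deletion), single-row DP.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns a reason string if `name` looks like one of the trusted packages, else null.
function nameLookalike(name, trusted = TRUSTED_PACKAGES) {
  if (trusted.includes(name)) return null;           // the genuine package itself
  const n = normalizeName(name);
  for (const t of trusted) {
    const tn = normalizeName(t);
    if (n === tn) {
      return `name "${name}" normalizes to the same string as trusted "${t}"`;
    }
    if (n.startsWith(tn) || n.endsWith(tn)) {
      return `name "${name}" embeds trusted package "${t}" (combosquatting)`;
    }
    const d = editDistance(n, tn);
    if (d <= MAX_EDIT_DISTANCE) {
      return `name "${name}" is within edit distance ${d} of "${t}" (typosquatting)`;
    }
  }
  return null;
}

// `pkg` is a dependency's parsed package.json ({ name, scripts, ... }).
function auditPackage(pkg) {
  const reasons = [];
  const lookalike = nameLookalike(pkg.name);
  if (lookalike) reasons.push(lookalike);
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      reasons.push(`runs "${hook}" hook at install time: ${pkg.scripts[hook]}`);
    }
  }
  return { name: pkg.name, suspicious: reasons.length > 0, reasons };
}

function auditDependencies(manifests) {
  return manifests.map(auditPackage).filter((r) => r.suspicious);
}

// Constructed sample manifests for the demo; not the real packages' contents.
const SAMPLE_MANIFESTS = [
  { name: 'noblox.js', version: '4.0.0', scripts: { test: 'mocha' } },
  { name: 'noblox.js-proxy-server', version: '1.0.0', scripts: { postinstall: 'node ./lib/setup.js' } },
  { name: 'noblox-ts', version: '1.0.0', scripts: {} },
  { name: 'express', version: '4.19.2', scripts: {} },
];

for (const finding of auditDependencies(SAMPLE_MANIFESTS)) {
  console.log(`[!] ${finding.name}`);
  for (const reason of finding.reasons) console.log(`    - ${reason}`);
}
```

Run against the sample data, the genuine noblox.js and express pass, noblox.js-proxy-server is reported twice (its name embeds noblox.js and it declares a postinstall hook), and noblox-ts is reported once for being one edit away from the normalized trusted name. A name check is a heuristic, not proof of malice; treat a hit as a prompt to confirm the publisher and linked repository on the npm page before installing.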
This campaign against Roblox developers highlights the evolving tactics of threat actors, exploiting the trust inherent in open-source software to infiltrate systems and steal data. By understanding these tactics and maintaining a proactive security posture, developers can better defend against these persistent threats.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067