Evolving npm Package Campaign Targets Roblox Devs, for Years

Attackers for at least a year have been using malicious Node Package Manager (npm) packages that mimic the popular "noblox.js" library to target Roblox game developers with malware that steals Discord tokens and system data, and even deploys additional payloads.

The campaign, outlined by researchers at Checkmarx and active since at least August 2023, leverages a variety of tactics, including brandjacking, combosquatting, and starjacking, in an effort to make the packages appear legitimate. Once it gets its foothold on a targeted system, the malware collects various types of sensitive data that's sent in a package to the attacker's command-and-control server (C2) using a Discord webhook.

Roblox, a popular gaming and gaming-creation platform, has a user base of more than 70 million daily active users, and thus is an attractive target for threat actors. Researchers from ReversingLabs previously disclosed the npm package campaign targeting Roblox and delivering the Luna Grabber malware, and other firms have written about it as well.

The Checkmarx analysis sheds new light on how it's evolving with the use of various social engineering tactics to increase deception, as well as novel malicious activities, including the addition of the QuasarRAT to its list of secondary payloads, Yehuda Gelb, security researcher at Checkmarx, wrote in a post on the Medium platform. It delivers the secondary malware from an active GitHub repository owned by the user 'aspdasdksa2,' which is "potentially in use for distributing malware through other packages," he wrote.

Other malware delivered by the campaign has added a novel persistence mechanism that manipulates the Windows registry. This ensures execution every time a user opens the Windows Settings app, and "is central to the malware's effectiveness," Gelb noted.

What's more, attackers appear to be highly attentive to any mitigation of their malicious activities — something that is clearly evident given the duration of the campaign and the consistent flow of novel malicious packages. "Despite multiple package takedowns, new malicious packages continue to appear on the npm registry at the time of publication," Gelb wrote.

Social Engineering for Gaming Developer Deception

The campaign features elaborate social engineering that demonstrates that the attackers know their audience and aim to make the packages look as authentic and useful as possible to Roblox developers.

One typosquatting technique combines subsets of this tactic — brandjacking and combosquatting — to create "the illusion that their packages are either extensions of or closely related to the legitimate 'noblox.js' library" in the naming of the packages, Gelb wrote. These include file names such as noblox.js-async, noblox.js-thread, and noblox.js-api.

Attackers also use "starjacking," a tactic that threat actors use to inflate package stats so developers think packages are being downloaded more than they are and are thus trustworthy. In this case, the attackers linked malicious packages to the GitHub repository URL of the genuine 'noblox.js' package, Gelb said.

Further tactics employed in the campaign attempt to disguise the malware within the package itself by mimicking the structure of the legitimate "noblox.js" file, but then introduces malicious code in the postinstall.js file. "They heavily obfuscated this code, even including nonsensical Chinese characters to deter easy analysis," Gelb noted.

Disabling Windows Defender for Persistence

As the campaign evolves, attackers continue to up the ante to make it harder for defenders to detect and mitigate the malware it delivers. One such novel tactic "aggressively undermines the system's security measures" by targeting various services such as Malwarebytes and Windows Defender, Gelb wrote. It first targets the former and attempts to stop it if it's running, "followed by a more comprehensive attack on Windows Defender," he wrote.

"The script identifies all disk drives and adds them to Windows Defender's exclusion list," he explained. "This action effectively blinds Windows Defender to any file on the system."

Overall, its disabling of third-party antivirus and the manipulation of built-in Windows security creates an environment where the malware can operate freely, significantly increasing its potential for damage and persistence, Gelb noted.

Campaign Demands Developer Vigilance

Targeting developers through the open-source code assets that they rely on to develop software (or in this case, games) is an evolving strategy used by threat actors to broaden their attack surface. By poisoning code during the development process, they can spread malware to numerous users through the software supply chain without having to target specific systems individually.

Indeed, the ongoing attack on Roblox developers through persistently compromised NPM packages "serves as a stark reminder of the persistent threats facing the developer community" and demands that they use extreme caution when working with open source code packages, Gelb observed.

The campaign and others like it once again stresses the "critical importance of thoroughly vetting packages before incorporation into projects," he said. "Developers must remain vigilant, verifying the authenticity of packages, especially those resembling popular libraries, to protect themselves and their users from such sophisticated supply chain attack."