ReversingLabs researchers have identified more than a dozen malicious packages on the npm public repository since the beginning of August, including multi-stage malicious packages that placed Luna Grabber, open source information stealing malware, on infected systems. In a replay of an attack uncovered two years ago, the malicious packages imitated the legitimate package noblox.js, a Node.js Roblox API wrapper used to write scripts that interact with the Roblox gaming platform.
This malicious campaign started at the beginning of August, with the first malicious package of interest first published on August 1. At the time of publishing this report, the campaign is ongoing. ReversingLabs researchers have, in recent days, identified additional malicious packages: noblox.js-ssh and noblox.js-secure. The package noblox.js-ssh has since been reported to the npm maintainers. The noblox.js-secure has subsequently been removed from npm, likely by the author.
Roblox developers targeted
The intended targets of this campaign are developers who write scripts to run on the Roblox gaming platform. The actual noblox.js package is an open-source Roblox API wrapper that enables gamers to use Javascript to create useful scripts to interact with the Roblox website, for example by “promot(ing) users, shout events, and so on, or to create Discord utiltiies (sic) to manage their community.”
The malicious packages ReversingLabs discovered reproduce code from the legitimate noblox.js package, but add malicious, information stealing functions.
Similarities to 2021 campaign
This is not the first time malicious actors have targeted users of noblox.js. Two years ago, Sonatype uncovered a campaign that distributed malicious npm packages that also typo-squatted on the noblox.js package. The malicious packages found by Sonatype researchers also reproduced code from the legitimate package, but included a malicious post-installation script. Once the package was installed, that malicious script was executed, delivering ransomware to the unsuspecting developers. That campaign attracted media attention, including from The Register.
The broad outlines of the current campaign are similar to the one Sonatype discovered. However, the malicious payload in the campaign discovered by ReversingLabs is different. A PyInstaller-compiled executable that delivers Luna Grabber, open source malware designed to steal information from the user's local web browser, Discord application, and more.
This type of multi-stage malware is common for ReversingLabs researchers to find on public repositories. There are multi-stage malicious packages found regularly on PyPI, which range from sophisticated to more “script-kiddie”-like packages. It is less common to find multi-stage malicious packages like this on npm, however.
Researchers first stumbled on this campaign during routine monitoring of npm public repository and scanning suspicious packages with the ReversingLabs Software Supply Chain Security platform. The malicious package noblox.js-vps was the first to catch our attention because its name was clearly typo-squatting on the noblox.js package and trying to pass itself off as a legitimate package.
Upon further inspection, the package displayed a number of suspicious behaviors, as indicated in the table below. Those included executing commands in the command line, enumerating user and file information from the local host and adding a function to listen for a specific event, among others. As we have noted before, malicious packages on public, open source repositories often contain "red flag" features such as these that warrant further inspection before the package is downloaded and used.
Figure 1: noblox.js-vps’s behavior indicators
A post-install switcheroo
With malicious software supply chain campaigns, the difference between sophisticated and unsophisticated attacks often comes down to the level of effort the malicious actors make to disguise their attack and make their malicious packages look legitimate.
In the case of noblox-js-vps, the malicious actor expended considerable effort to make their package look trustworthy in order to fool would-be Roblox developers. As noted above: the code found inside the package belonged to the legitimate noblox.js package it was mimicking. That attackers also made the effort to design an npm page for noblox-js-vps and other malicious packages in the campaign that appear legitimate. The noblox.js-vps package was removed from npm shortly after our discovery. However, a screenshot of the similar npm page of another malicious package in the campaign is shown in Figure 2.
Figure 2: noblox.js-ssh’s npm page. Attackers made the package website look legitimate.
The only difference between a legitimate package and a malicious one was that a malicious payload was put inside a separate file, postinstall.js, that is called after installation of the main npm package is complete.
This was a clever move on the malicious actors' part. That's because the original noblox.js package also contains a postinstall.js script that displays a thank-you, and some useful information to the users who installed it. The malicious version, on the other hand, checks to see if the package was installed on a Windows machine, and if positive, it downloads a second stage malicious script from Discord CDN and runs it. If not, the user is presented with an error message.
A close examination of this file showed the gradual evolution of the malicious noblox-js-vps package. For example, the very first version of the package, 4.14.0, contained a postinstall.js script that was a work in progress, without any malicious code inside.
The next version of the package, 4.15.0, saw the postinstall.js file checking to see if the package was installed on a Windows machine, and then harvesting the Windows username to the provided Discord webhook if it was.
All subsequent versions of the file downloaded the second-stage malicious script from the Discord CDN. Also, while the first few versions of the noblox.js-vps package made no effort to obfuscate the content of the postinstall.js script, subsequent versions obfuscated parts of the postinstall.js script.
Figure 3: a malicious script, postinstall.js, was found inside noblox.js-vps
Luna Grabber: plug 'n play malware
Looking at the second-stage script that was downloaded, we observed that while each iteration of the script a bit different from the version before it, all of the second stage scripts we observed downloaded the same third-stage executable payload that was later run.
Unfortunately, fetching the third-stage from the second-stage payload script connected with noblox.js-vps version 4.23.0 failed. As a result, we cannot confirm that it was the same executable fetched by the second-stage scripts used by other packages in the campaign. However, since it is connected with other packages, the research team believes it was fetching the same executable.
With further research using ReversingLabs' Titanium Platform, the downloaded executable was found to be a PyInstaller compiled executable serving Luna Grabber. Identifying this malware was possible after identifying a script inside the malicious executable. The content of that file matched a file found on Luna Grabber’s GitHub page as luna.py, and holds all the logic of Luna Grabber.
Luna Grabber is malware made to steal information from installed web browsers, the Discord application as well as local system information and so on. It also has features that are very common with malicious software such as the ability to detect if it is being run in a virtual environment as well as a 'self destruct' feature.
Luna Grabber is very customizable and has detailed instructions on its GitHub page how to compile a malicious executable. Something similar was observed by the ReversingLabs research team with TurkoRat, customizable malicious software that we detected lurking on GitHub in May.
The TurkoRat open source malware provided would-be malicious actors with an option to bundle its malicious code inside of an executable file that could later be used as bait in phishing- or software supply chain campaigns intended for developers.
However, Luna Grabber’s author made the whole process of packaging the malware even easier than with TurkoRat by creating a special application just for building and configuring the malicious executable with simple, check-box options such as "Add to Startup;" "Ping"(with a field to provide an IP address); "Injection;" as well as options to collect "Wifi Info," "Browser Info," "Discord Info" and more.
The malicious actor behind noblox.js-vps took full advantage of this user friendly evolution, using the Luna Grabber builder (Figure 4) to create the executable later served by the malicious packages.
Figure 4: Luna Grabber builder, taken from its official GitHub page
As it turns out, the malicious actor behind noblox.js-vps opted for only stealing system information from victims, since all other options are marked as False in the configuration part of the file.
Figure 5: configuration part of Luna Grabber
Similar patterns in other malicious packages
Additional packages connected with this campaign, noblox.js-ssh and noblox.js-secure followed the same pattern: malicious code inside of the postinstall.js script downloaded a second stage payload script which then downloaded the third stage — possibly the same executable already analyzed.
Unfortunately, at the time of the research report, the third stage wasn’t retrievable, and even fetching the second stage from package noblox.js-ssh version 4.2.5 failed.
Fortunately for developers, the time frame during which this campaign was active was very small, and there wasn’t a significant impact measured in downloads of the malicious packages. The combined traffic across the three malicious packages was about 1000 downloads, with noblox.js-vps being the most frequented with 585 downloads. That is a small fraction of other, recent malicious
Indicators of Compromise (IOC)
The following IOCs were collected as part of ReversingLabs investigation of the noblox.js-vps software supply chain campaign.
npm packages:
package_name | version | SHA1 |
noblox.js-vps | 4.14.0 | 6c5c33d7dc70e18287dff364dea6f75395f13d5e |
noblox.js-vps | 4.15.0 | f7fd66cca3d60db664f4495ac4247850820487d5 |
noblox.js-vps | 4.16.0 | ff0f7108b310818a05e5a2ddb929758c80f325b3 |
noblox.js-vps | 4.17.0 | 8e7208dca6c3be903fd9711522ac5e4c6292aae9 |
noblox.js-vps | 4.18.0 | f398b213ba8b53645a9e018b3c626f5af93e39ce |
noblox.js-vps | 4.19.0 | 13ddeea9d9ca03dffc3dbb28ecf57c1aa408b06e |
noblox.js-vps | 4.20.0 | a7521ed8c64a8ad0c7923b33a793493f3ef54ec8 |
noblox.js-vps | 4.21.0 | c505d9f99ef4628e345d18681126959352cfd612 |
noblox.js-vps | 4.22.0 | 421f5f6522afe0329847d0cd1cf0163f6c8c5430 |
noblox.js-vps | 4.23.0 | 21d368c68b40fc0a9f5403cc1d9160cd2326d8ee |
noblox.js-ssh | 4.2.3 | 4f83a57e3e74698cdb5a7c15e17d396f68d3ac29 |
noblox.js-ssh | 4.2.4 | 0c3fec3308d3f475b6343df7369835f120712a07 |
noblox.js-ssh | 4.2.5 | 1ffc56b5b0bc1c5c845c78b7230d00877d5c57e4 |
noblox.js-secure | 4.1.0 | 06209e3806220cf453fbfa5f27d04c2c4c402007 |
noblox.js-secure | 4.2.0 | 35086a14a572a19884fb9b912fda619c6f01699c |
noblox.js-secure | 4.2.1 | 3a5e75a3d62c5e213798589d90fb696d791f6095 |
noblox.js-secure | 4.2.2 | f0d31b98e261b99bf12de9b800f8a931d672fa03 |
noblox.js-secure | 4.2.3 | fcd4ab5b8ddc002c71f1c9f8c5038a9a331a8716 |
Second stage payloads:
SHA1 |
968963b2950e4f8571a9ca84db69d6482335cfc1 |
21fa7478e0b7d5fc1752cdff9659095229fc0b1c |
28d0c86f9785efcc6c23e6b68690fe20070755ce |
23351a652d8e63853f724ad9f2a347f42bb1d7bb |
1fa91486601d02038bcb266b819d20c550a861ea |
Malicious PyInstaller compiled executable:
a94e7c7b429d2da3e319ad1384e48240539ac169
Conclusion
As we observed, this latest campaign targeting users of the Roblox platform has many similarities to one identified two years ago, with malicious npm packages mimicking noblox.js, a popular npm package with hundreds of thousands of downloads, while delivering ransomware. As in that campaign, the targets of these new, malicious packages were Roblox users and developers on the lookout for useful scripts to interact with the Roblox website. And, as with that campaign, this one had a limited impact, with just 963 downloads of three, different malicious packages. (The previous malicious noblox campaign identified by Sonatype had just 386 downloads.)
As for the larger significance of this campaign: it highlights yet again the trend of malicious actors using typo squatting as a technique to fool developers into downloading malicious code under the guise of similarly-named, legitimate packages. This is a technique the research team has observed many times in recent months, including the IconBurst malicious npm campaign spotted in July, 2022, and the more recent Brainleeches campaign on npm which we wrote about in July, 2023.
Multi-stage malicious packages like those that made up this campaign are common on open source platforms like Python Package Index (PyPI). However, they are less common on npm, which hosted this campaign. That may signal a new trend, or not. It is hard to tell at this stage if this is behavior we should expect to see more of on npm.
Also worth noting is the use of the Luna Grabber "turnkey" open source malware to generate malicious executables that act as bait in phishing and supply chain attacks, gathering sensitive information from targeted developers. This was similar to the recently disclosed Turkorat attack in May, which also saw malicious actors tapping an open source malware application to create the final stage malware delivered to victims.
Even though the impact of noblox.js-vps and other malicious packages in this campaign wasn’t high, it is a reminder to security and software development teams that threats lurk consistently in open source repositories, making choosing which package to include in the development process critical.
Article Link: https://www.reversinglabs.com/blog/fake-roblox-api-packages-luna-grabber-npm
1 post - 1 participant
Malware Analysis, News and Indicators - Latest topics
Post a Comment
Post a Comment