Malicious npm Packages Aiming at Roblox Users

A persistent malware campaign targets Roblox developers by distributing malicious npm packages that imitate noblox.js, stealing data and taking control of infected systems. Even after takedowns, new packages continue to surface, exploiting trust in open-source ecosystems. Hashtags: #noblox.js #DiscordToken #QuasarRAT #npm #Roblox #WindowsRegistry

Key points

  • Dozens of malicious npm packages mimicking the noblox.js library have been identified since August 2023, with new ones appearing as recently as August 2024.
  • Attackers use brandjacking, combosquatting, and starjacking to create a façade of legitimacy for their packages.
  • Malware capabilities include Discord token theft, system information harvesting, and deployment of additional payloads like Quasar RAT.
  • Persistence is achieved by manipulating the Windows registry to execute malware when the Windows Settings app is opened.
  • Malicious packages have been removed, but the attacker’s GitHub repository remains active, posing ongoing threats.
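One defensive check the combosquatting and brandjacking pattern above suggests is auditing a project's lockfile for packages whose names imitate noblox.js. The following is an added example, not code from the original post or from Checkmarx; the lockfile entries are constructed for illustration, the lookalike package names are made up and are not claims about any real package, and the `hasInstallScript` flag is the one npm writes into lockfile v2/v3 entries for packages that declare install hooks.

```python
import difflib
import re

LEGIT = "noblox.js"

# Constructed sample in the shape of package-lock.json (lockfile v2/v3).
# Only "noblox.js" is a real package name; the others are illustrative.
SAMPLE_LOCK = {
    "packages": {
        "": {"name": "my-roblox-tooling"},                      # root project
        "node_modules/noblox.js": {"version": "4.14.0"},
        "node_modules/noblox.js-fork": {"version": "1.0.2", "hasInstallScript": True},
        "node_modules/nobloxjs": {"version": "0.0.1", "hasInstallScript": True},
        "node_modules/lodash": {"version": "4.17.21"},
    }
}

def _normalize(name: str) -> str:
    """Lowercase, drop an @scope/ prefix and punctuation so 'noblox-js' ~ 'nobloxjs'."""
    return re.sub(r"[^a-z0-9]", "", name.lower().split("/")[-1])

def is_lookalike(name: str, target: str = LEGIT, threshold: float = 0.85) -> bool:
    """True when `name` is not `target` but imitates it: combosquatting
    (target embedded in a longer name) or typosquatting (near-identical spelling)."""
    if name == target:
        return False
    n, t = _normalize(name), _normalize(target)
    if t in n:                                   # e.g. noblox.js-something
        return True
    return difflib.SequenceMatcher(None, n, t).ratio() >= threshold

def audit_lock(lock: dict, target: str = LEGIT) -> list:
    """Walk the 'packages' map of a lockfile and report lookalike packages,
    noting whether each one carries an install script (where a dropper would run)."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                             # "" is the root project entry
            continue
        name = path.split("node_modules/")[-1]   # handles nested node_modules paths
        if is_lookalike(name, target):
            findings.append({
                "name": name,
                "version": meta.get("version"),
                "install_script": bool(meta.get("hasInstallScript")),
            })
    return findings

if __name__ == "__main__":
    for hit in audit_lock(SAMPLE_LOCK):
        print(f"suspicious: {hit['name']}@{hit['version']} install_script={hit['install_script']}")
```

Run it against a real `package-lock.json` by loading the file with `json.load` and passing the result to `audit_lock`; a hit with `install_script=True` is the case most worth inspecting, since the legitimate noblox.js is the only name the project should pull.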

MITRE Techniques

  • [T1003] Credential Dumping – ‘Malware searches for Discord authentication tokens in multiple locations and validates them before exfiltration.’
  • [T1055] Process Injection – ‘Malware manipulates Windows processes to evade detection by security software.’
  • [T1060] Registry Run Keys / Startup Folder – ‘Malware modifies registry keys to ensure it runs every time the Windows Settings app is opened.’
  • [T1071] Command and Control – ‘Data exfiltration occurs via a Discord webhook, sending sensitive information to the attacker’s server.’
  • [T1219] Remote Access Tools – ‘Deployment of QuasarRAT for extensive control over the infected system.’

Indicators of Compromise

  • [URL] Delivery/payload hosting – hxxps[:]//github[.]com/aspdasdksa2/callback/raw/main/Client-built.exe, hxxps[:]//github[.]com/aspdasdksa2/callback/raw/main/cmd.exe
  • [URL] Command and control – hxxps[:]//discord[.]com/api/webhooks/1273489016658071624/HWeSPo3qKIbUbqkwiWNoTneHoqo70s5aAYf9NBkAxoICy1SBMezf9ka22Ry59WK1kwYk

Read more: https://checkmarx.com/blog/year-long-campaign-of-malicious-npm-packages-targeting-roblox-users/