
Malicious Roblox NPMs drop ransomware and password stealers

Malicious NPM packages pretending to be Roblox libraries are delivering ransomware and password-stealing trojans on unsuspecting users.

The two NPM packages are named noblox.js-proxy and noblox.js-proxies, and use typo-squatting to pretend to be the legitimate Roblox API wrapper called noblox.js-proxied by changing a single letter in the library’s name.

Malicious noblox.js-proxies NPM

In a new report by open source security firm Sonatype, and in further analysis by BleepingComputer, these malicious NPMs were found to deploy an MBRLocker ransomware that impersonates the notorious GoldenEye ransomware, trollware, and a password-stealing trojan.

Both of the malicious NPM libraries have since been taken down and are no longer available.

A mess of malicious activity

After one of the malicious NPM libraries is added to a project and installed, the library executes a postinstall.js script. A postinstall script is normally used to run legitimate setup commands after a library is installed, but in this case, it starts a chain of malicious activity on the victim’s computer.
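As an added defensive example (not code from the article, Sonatype or the noblox.js project), the following Node.js script audits a project's dependency list for the two warning signs this attack relied on: package names within a small edit distance of a known legitimate package, and packages that declare install-time hooks such as postinstall. The allowlist, the distance threshold and the sample dependency data are assumed and constructed for illustration.

```javascript
// Added example: typosquat and install-hook audit for NPM dependency lists.
// Levenshtein edit distance between two strings (single-row DP).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Assumed allowlist of packages the project legitimately depends on.
const KNOWN_GOOD = ['noblox.js', 'noblox.js-proxied'];
// Lifecycle scripts that run automatically on `npm install`.
const HOOKS = ['preinstall', 'install', 'postinstall'];

// deps: { name: { scripts?: {...} } }, as read from each dependency's
// package.json. Returns findings for lookalike names (edit distance
// 1..maxDist from an allowlisted name) and for declared install hooks.
function auditDependencies(deps, knownGood = KNOWN_GOOD, maxDist = 3) {
  const findings = [];
  for (const [name, pkg] of Object.entries(deps)) {
    if (!knownGood.includes(name)) {
      for (const good of knownGood) {
        if (editDistance(name, good) <= maxDist) {
          findings.push({ name, type: 'typosquat', lookalike: good });
        }
      }
    }
    const scripts = (pkg && pkg.scripts) || {};
    const hooks = HOOKS.filter((h) => scripts[h]);
    if (hooks.length) findings.push({ name, type: 'install-hook', hooks });
  }
  return findings;
}

// Constructed sample input modelled on the packages named in the article.
const SAMPLE = {
  'noblox.js-proxied': { scripts: {} },
  'noblox.js-proxies': { scripts: { postinstall: 'node postinstall.js' } },
  express: { scripts: {} },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditDependencies(SAMPLE));
}
```

With the default threshold of 3 the check also flags noblox.js-proxy, which differs from noblox.js-proxied by more than one character; tune maxDist to your allowlist's name lengths to limit false positives.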

As you can see below, the postinstall.js script is heavily obfuscated to prevent analysis by security researchers and software.

Obfuscated postinstall.js script

When executed, the script launches a heavily obfuscated batch file called ‘noblox.bat,’ shown below.

Obfuscated noblox.bat batch file

This batch file was decoded by Sonatype security researcher Juan Aguirre. It downloads a variety of malware from Discord and launches it with the help of the fodhelper.exe UAC bypass.

The files downloaded by the noblox.bat batch file are listed below in the order they are installed, along with their VirusTotal links and a description of their actions.

  • exclude.bat – Adds a Microsoft Defender exclusion so that files under the C: drive are not scanned.
  • legion.exe – Deploys a password-stealing trojan that steals browser history, cookies, saved passwords, and attempts to record video via the built-in webcam.
  • 000.exe – Trollware that modifies the current user’s name to ‘UR NEXT,’ plays videos, changes a user’s password, and attempts to lock them out of their system.
  • tunamor.exe – Installs an MBRLocker called ‘Monster Ransomware,’ which impersonates the GoldenEye ransomware.

The Monster ransomware MBRLocker

Of particular interest is the ‘tunamor.exe’ executable, which installs an MBRLocker calling itself ‘Monster Ransomware.’

When executed, the ransomware will perform a forced restart of the computer and then display a fake CHKDSK of the system. During this process, the ransomware is allegedly encrypting the disks on the computer.

Fake CHKDSK while drives are encrypted
Source: BleepingComputer

When finished, it reboots the computer and displays a skull-and-crossbones lock screen originally found in the Petya/GoldenEye ransomware families.

Monster ransomware lock screen
Source: BleepingComputer

After pressing enter, the victim is shown a screen stating that their hard disks are encrypted and that they must visit the http://monste3rxfp2f7g3i.onion/ Tor site, which is now down, to pay a ransom.

Monster ransomware ransom demand
Source: BleepingComputer

Embedded in the executable is the string ‘qVwaofRW5NbLa8gj’, which the ransomware accepts as a valid key. While the ransomware accepts the key and states it is decrypting the computer, Windows fails to start afterward.

Windows unable to start after entering key
Source: BleepingComputer

It is unclear whether an additional string must be appended to that key for the hard disk to decrypt correctly, or whether this program is simply a wiper designed to destroy systems.

This ransomware does not appear to be widespread and is only known to be distributed via these NPM packages.

Based on the activity of the 000.exe trollware and the strange behavior of the Monster ransomware, it is likely that these packages are designed to destroy a system rather than generate a ransom demand.

Malicious NPMs used in supply-chain attacks, such as this one, are becoming more common.
