Just a few days after the “ua-parser-js” NPM library hijacking incident, yet another malicious NPM library has been discovered that delivered password stealers, remote access trojans (RATs), and ransomware to unsuspecting users.
Sonatype researchers said they had spotted two related malicious NPM libraries disguised as the legitimate package "noblox.js," a Roblox game API wrapper available on NPM.
The bogus libraries, named "noblox.js-proxy" and "noblox.js-proxies", were uploaded by the same threat actor, "DarkDev" or "DarkDev1". According to Sonatype, the author of noblox.js-proxy first published a benign version that contained functional code, correct definitions, and a harmless post-install script. The subsequent noblox.js-proxy version, however, was found to contain an obfuscated Batch (.bat) script inside its postinstall.js file.
This Batch script downloaded malicious executables (exclude.bat, legion.exe, 000.exe, tunamor.exe) from Discord's Content Delivery Network (CDN). The first, exclude.bat, attempts to disable antivirus programs, while the second, legion.exe, drops various files for stealing Discord tokens and stored browser and system credentials.
000.exe drops a text file, a Batch script, rich-text (RTF) documents, an EXE, and finally a "spooky" MP4 video.
The last executable, tunamor.exe, is classified on VirusTotal as a RAT that appears to be related to TAIDOOR, but in reality it is ransomware.
“While unconfirmed, the ransom note looks identical to the ones seen in MBRLocker variants, generated using publicly available tools released on YouTube and Discord,” the researchers said.
Both the malicious NPM libraries have since been removed and are no longer available.