Fake noblox.js-proxied npm library found circulating, installs ransomware and a password stealer

Fake npm packages impersonating a Roblox API library have been found to install ransomware and password-stealing Trojans on unsuspecting users.

Fake npm Roblox API Package Installs Ransomware and Has a Spooky Surprise
Fake npm Roblox API package discovered by Sonatype uncovers first known ransomware maliciously placed in typosquatted open source package.

These typosquatting packages mimic noblox.js, a wrapper for the popular Roblox game API. The legitimate library exists on npm as a standalone package and as variants such as “noblox.js-proxied” (which ends in ‘d’, whereas the typosquatted name ends in ‘s’).

Sonatype tracks both of these packages in its security research data as sonatype-2021-1526.

According to an analysis by open-source security firm Sonatype, these malicious npm packages infect victims with an MBRLocker ransomware that impersonates GoldenEye ransomware, with trollware, and with password-stealing Trojans.

All of the malicious npm packages have now been removed and are no longer available.

When you add one of the malicious npm packages to your project and install it, npm runs the package’s postinstall.js script. Post-install scripts are normally used to run legitimate setup commands after a package has been installed, but in this case the script initiates the malicious activity on the victim’s computer.

The postinstall.js script has been heavily obfuscated to prevent analysis by security researchers and software.
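The two traits that made these packages dangerous, an install-time lifecycle script and a name one edit away from a trusted library, can both be checked mechanically before installation. The script below is an added example (not code from the article or from Sonatype) that audits package manifests for exactly those two signals; the trusted-name list and the sample manifests are constructed for illustration.

```javascript
// Added example (not from the article or Sonatype): audits npm package
// manifests for install-time lifecycle scripts and for names within one
// or two edits of a trusted package, the two traits the noblox.js
// typosquats combined. Sample manifests below are constructed inline.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Levenshtein edit distance between two package names (single-row DP).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Names of lifecycle scripts the manifest would run during `npm install`.
function installScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE.filter((s) => typeof scripts[s] === "string");
}

// Trusted names within `maxDist` edits of `name`, excluding an exact match.
function typosquatCandidates(name, knownNames, maxDist = 2) {
  return knownNames.filter((k) => k !== name && editDistance(name, k) <= maxDist);
}

// Combine both signals into a list of findings for one manifest.
function auditPackage(pkg, knownNames) {
  const findings = [];
  const scripts = installScripts(pkg);
  if (scripts.length) findings.push(`runs install script(s): ${scripts.join(", ")}`);
  const near = typosquatCandidates(pkg.name, knownNames);
  if (near.length) findings.push(`name resembles trusted package(s): ${near.join(", ")}`);
  return findings;
}

// Constructed sample manifests; TRUSTED is an assumed allowlist.
const TRUSTED = ["noblox.js", "noblox.js-proxied"];
const SAMPLES = [
  { name: "noblox.js-proxied", version: "4.0.0", scripts: { test: "mocha" } },
  { name: "noblox.js-proxies", version: "1.0.0", scripts: { postinstall: "node postinstall.js" } },
];
for (const pkg of SAMPLES) console.log(pkg.name, auditPackage(pkg, TRUSTED));
```

Running the same check over each `node_modules/*/package.json` after an `npm install --ignore-scripts` lets you review flagged packages before any lifecycle script is allowed to execute.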

When this script is executed, it will launch an obfuscated batch file called “nobox.bat”.

This batch file, decoded by Juan Aguirre, a security researcher at Sonatype, downloads a variety of malware from Discord and launches it using a fodhelper.exe UAC bypass.

The files downloaded by the noblox.bat batch file are listed below in the order in which they were installed.

  • exclude.bat – Adds an exclusion setting to Microsoft Defender to prevent it from scanning files under the C: drive.
  • legion.exe – Deploys a password-stealing Trojan that steals browser history, cookies, saved passwords, and attempts to record video with the built-in webcam.
  • 000.exe – A trollware that changes the current user name to “ur next”, plays videos, changes the user’s password, and tries to lock them out of the system.
  • tunamor.exe – installs an MBRLocker called “Monster Ransomware” that masquerades as GoldenEye ransomware.

The MBRLocker ransomware

Of particular note is the “tunamor.exe” executable, which installs an MBRLocker that calls itself “Monster Ransomware”.

When this ransomware runs, it forces a reboot of the computer and displays a fake CHKDSK scan, during which the ransomware supposedly encrypts the computer’s disks.

When finished, it reboots the computer and displays a lock screen with the skull and crossbones originally seen in the Petya/GoldenEye ransomware.

After pressing Enter, the victim is presented with a screen indicating that their hard drive is encrypted and that they must access the Tor site to pay the ransom.

This ransomware does not appear to be widespread, and appears to be distributed only via these NPM packages.