'Noblox.js' NPM Malware Description
A new threatening package named 'noblox.js-rpc' was detected on the npm registry by cybersecurity researchers. The threat is designed to deploy several infostealers capable of obtaining various sensitive data from the compromised machines. The collected data can include account credentials, private files, as well as the Windows registration key. The final stage of the noblox.js-rpc attack activates a ransomware-type module.
The attack begins with a post-install script declared in the package.json file of the noblox.js-rpc package. Before fetching the rest of the threatening payload, the script checks the environment, since the threat is aimed at Windows systems solely. If the check confirms a Windows host, the malware proceeds to execute a setup.bat file.
This batch script operates as a dropper responsible for grabbing the rest of the executables that are part of the attack. Four additional executables have been identified - 'Rar.bat,' 'Rar.exe,' 'Rara.exe,' and 'Mbr.exe.' The batch script also adds a blanket exclusion for 'C:/' to Windows Defender, to stop the security feature from interfering with its harmful activities.
The next phase of the attack consists of running the two infostealers, Rar.exe and Rara.exe. First, the custom stealer Rar.exe is executed to obtain the victim's Minecraft session files and Roblox cookies. Then, to make sure that all sensitive data has been harvested, Rara.exe is launched and proceeds to collect various credentials.
The last step sees the deployment of a ransomware-type threat, possibly a variant of MBRLocker. Instead of encrypting the victim's data, Mbr.exe overwrites the system's Master Boot Record. Doing so prevents the whole system from booting up again, blocking users from accessing all of their files. A ransom message is displayed to the victims, stating that they will need to join a specified Discord server to receive additional instructions about the payment. The note also mentions that the demanded ransom could range from $100 to $500. The hackers also warn that after 48 hours, the whole hard drive will be erased and the collected information will be leaked to the public.
It is apparent that the main victims of the threat are Roblox players. As such, the attackers have come up with an innovative way to trick their victims into installing and running the threatening package. The hackers join specific Discord servers dedicated to sharing custom Roblox games.
The hackers then pretend to offer users an opportunity to earn real money, subscriptions to the paid tiers of Discord, or Robux, the in-game Roblox currency. To get the money, users supposedly need to host bots provided by the attackers. Of course, instead of the expected monetary gains, the users are given the 'Noblox.js' threat and will suffer dire consequences if they run the corrupted file.