Earlier this month, an open-source information-stealing malware, Luna Grabber, appeared in the cybercriminal landscape targeting Roblox developers. According to reports, the malware has utilised npm packages published to public repositories as its distribution vector.
Researchers noted that threat actors' efforts to distribute malicious npm packages show no sign of ending, since npm is essential to large numbers of programmers and developers. These developers are the primary targets because they could unknowingly pull a malicious library, npm package or other component into their projects and hand the attackers direct access.
This new operation has allegedly been active since the start of this month and targets developers who write scripts for Roblox.
Luna Grabber operators lure gaming devs with malicious packages.
The Luna Grabber infostealer uses packages that claim to contain useful scripts as lures to attract Roblox gaming developers.
The campaign also promotes npm packages that impersonate the well-known noblox.js package, a Node.js wrapper for the Roblox API. Researchers explained that this open-source API wrapper lets developers write scripts that interact with the game's website.
Researchers confirmed that the threat actors use packages such as noblox.js-vps, noblox.js-ssh, and noblox.js-secure as containers for their malicious multi-stage payloads. The most prominent payload the hackers have delivered recently, however, is the Luna Grabber malware.
Further analysis showed that the payload is an infostealer that can extract information from various search engines, Discord apps, and local system configurations. It can also detect virtual environments and has a self-terminating feature.
The new malware also offers sophisticated customisation options, and its GitHub page provides comprehensive guidelines, including instructions on how to build malicious executables.
A separate researcher also noticed similarities between this new malware and TurkoRat, a malware discovered on GitHub last May.
This newly discovered attack shows typosquatting being used once again to trick developers into downloading malicious code. Typosquatting combined with the impersonation of legitimate packages is a dangerous mix that could deceive many scriptwriters and developers. Every developer, especially in the Roblox community, should therefore scrutinise the packages they install, as threat actors have an ongoing campaign targeting the community.
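The practical check that follows from the naming pattern described above (noblox.js-vps, noblox.js-ssh and noblox.js-secure riding on the reputation of noblox.js) is a dependency review that flags look-alike package names before they are installed. The script below is an added example written for this article, not code from the article, from the noblox.js project or from any npm tooling. It takes a team's own allow-list of trusted package names, compares every entry in a package.json against it, and reports three kinds of look-alike: a trusted name plus a separator and suffix (the pattern reported here), a name within one or two character edits of a trusted name (classic typosquatting), and a trusted name republished under a scope the real package does not use. The package.json and the allow-list are constructed sample data; the version strings and the scope "@evil-scope" are placeholders.

```javascript
// Added example: flag npm dependencies whose names impersonate or typosquat
// packages on a team-maintained allow-list. Not part of the article or of npm.

// Levenshtein edit distance between two strings (two-row dynamic programme).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Strip an npm scope ("@scope/name" -> "name") so scoped clones are compared too.
function bareName(name) {
  return name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name;
}

// Classify one dependency name against the allow-list. Returns null when the
// name is trusted or resembles nothing on the list, otherwise a finding object.
function classifyDependency(name, trusted) {
  if (trusted.includes(name)) return null; // exact, allow-listed package
  const bare = bareName(name);
  for (const good of trusted) {
    // Trusted name republished under a scope the real package does not use.
    if (name.startsWith('@') && bare === good) {
      return { name, lookalikeOf: good, reason: 'scoped-clone' };
    }
    // "noblox.js-vps" style: trusted name, a separator, then an arbitrary suffix.
    if (bare.startsWith(good) && /^[-_.]/.test(bare.slice(good.length))) {
      return { name, lookalikeOf: good, reason: 'suffix-variant' };
    }
    // Classic typosquat: one or two character edits away from a trusted name.
    const d = editDistance(bare, good);
    if (d > 0 && d <= 2) {
      return { name, lookalikeOf: good, reason: `edit-distance-${d}` };
    }
  }
  return null;
}

// Walk dependencies and devDependencies of a parsed package.json.
function findSuspiciousDependencies(packageJson, trusted) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const hit = classifyDependency(name, trusted);
    if (hit) findings.push({ ...hit, version: deps[name] });
  }
  return findings;
}

// Constructed sample package.json: the three noblox.js-* names are the ones the
// article reports; "nobloxjs", "@evil-scope" and all versions are placeholders.
const SAMPLE_PACKAGE_JSON = {
  name: 'roblox-tooling',
  dependencies: {
    'noblox.js': '^1.0.0',
    'noblox.js-vps': '^1.0.0',
    'noblox.js-ssh': '^1.0.0',
    'noblox.js-secure': '^1.0.0',
    'nobloxjs': '^1.0.0',
    'axios': '^1.0.0',
  },
  devDependencies: {
    '@evil-scope/axios': '^1.0.0',
  },
};

// Constructed allow-list: packages this hypothetical team has actually vetted.
const TRUSTED = ['noblox.js', 'axios'];

for (const f of findSuspiciousDependencies(SAMPLE_PACKAGE_JSON, TRUSTED)) {
  console.log(`${f.name}@${f.version}: looks like ${f.lookalikeOf} (${f.reason})`);
}
```

Treat the output as a review queue rather than a block list: legitimate companion packages (an "express-session" next to "express", for instance) also match the suffix rule, so each finding still needs a human to confirm the publisher before the package is allowed in. Run it in CI against the lockfile as well as package.json so transitive dependencies are covered.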