Tracking the ‘Noblox.js’ npm Malware Campaign

A new malicious package, noblox.js-rpc was spotted on the npm registry this month that leverages the same techniques we saw before to steal all sorts of sensitive data like credentials, files, and even the windows registration key and finally install ransomware. The package is being tracked under the identifier, sonatype-2021-1526 in Sonatype’s security data. 

The culprit, you ask? Darkdev—author of the fake Roblox API npm package that we caught last month installing ransomware on infected machines. This time around we are going to discuss the technical details behind the new malicious package and dive a bit deeper into the exploitation process that’s behind these attacks.

To give you a recap, the following timeline illustrates the progression of events leading up to the discovery of “noblox.js-rpc”: 


Once again it all starts with a postinstall script in the package.json file of noblox.js-rpc. A simple one-line command is enough to start the mayhem, `node postinstall.js`. 

The postinstall.js file is obfuscated similar to what we have seen before. We can start to figure it out or we can also run it and pay close attention to what happens behind the screen. 

This seems to only target Windows machines by checking the operating system before grabbing the rest of the payload. A setup.bat file is created and executed. The batch script is obfuscated using variable expansion, which we demystify in a previous article, but this time with added complexity by repeating the variable expansion process multiple times. This batch script is where it really starts to get interesting and the one in charge of grabbing the rest of the executables to complete the attack, also known as a dropper. 

The setup.bat file grabs four additional executables and one by one executes them.

Read more here: Source link