Malicious NPM Campaign Targets Roblox

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: a malicious software supply chain campaign targets developers for the Roblox gaming platform using malicious NPM packages. Also: a China-linked supply chain attack is attributed to a newly identified hacking group, CarderBee.

This Week’s Top Story

Malicious NPM Campaign Targets Roblox Developers With Luna Grabber Malware

ReversingLabs researchers this week announced the discovery of a malicious npm campaign that targets developers working on the Roblox gaming platform. 

In a post on the ReversingLabs blog, Lucija Valentić, a software threat researcher at ReversingLabs, wrote about the discovery of more than a dozen malicious npm packages that mimic the legitimate "noblox.js" package used for Roblox scripting.

According to Valentić, the malicious campaign began in early August, with the first suspicious package published on August 1. More than a dozen versions of malicious packages named "noblox-js-vps," "noblox.js-ssh" and "noblox.js-secure" were published. The campaign was similar to another malicious npm campaign targeting the same noblox.js npm package, which the firm Sonatype disclosed in 2021.

As with that campaign, attackers in the newly discovered campaign used typosquatting to sow confusion and fool developers searching for the noblox.js package into downloading and installing the malicious packages instead. However, the malicious payload in the campaign discovered by ReversingLabs differs from the 2021 campaign. Specifically, the latest malicious npm packages pushed a PyInstaller-compiled executable that delivers Luna Grabber, open-source malware designed to steal information from the user's local web browser, Discord application, and more.

Fortunately for developers, the Luna Grabber campaign was active for only a short time, with combined traffic across the three malicious packages amounting to fewer than 1,000 downloads. However, the campaign is another reminder of the growing risks lurking in open source repositories like npm, PyPI and others, and of the need for continued vigilance.
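One defensive check that follows from the story above is to scan a project's package.json for dependency names that merely resemble a trusted package, which is exactly how the "noblox-js-vps", "noblox.js-ssh" and "noblox.js-secure" names piggybacked on "noblox.js". The script below is an added example and is not code from ReversingLabs or from the noblox.js project; the trusted-name list, the sample package.json and the function names are all constructed for the demonstration.

```javascript
// Added example (not part of the ReversingLabs post): flag dependencies in a
// package.json whose names look like a trusted package but are not that package.
// Heuristic: normalise names (lowercase, drop ".", "-", "_", "/"), then flag a
// dependency if it embeds a trusted name with extra text, or if its optimal
// string alignment distance from a trusted name is small.

// Assumed allow-list for this demo; a real one would come from the project's
// reviewed lockfile or an internal registry policy.
const TRUSTED = ["noblox.js", "express", "lodash"];

// Strip separators that typosquats commonly swap, and lowercase the name.
function normalize(name) {
  return name.toLowerCase().replace(/^@/, "").replace(/[._\-\/]/g, "");
}

// Levenshtein distance plus adjacent transpositions (optimal string alignment).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// One finding per suspicious dependency: which trusted name it resembles and why.
function findLookalikes(dependencies, trusted = TRUSTED, maxDistance = 2) {
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (trusted.includes(dep)) continue; // exact trusted name: fine
    const n = normalize(dep);
    for (const t of trusted) {
      const nt = normalize(t);
      let reason = null;
      if (n === nt) reason = "same name after removing separators";
      else if (n.includes(nt)) reason = "embeds trusted name with extra text";
      else if (editDistance(n, nt) <= maxDistance) reason = `within ${maxDistance} edits`;
      if (reason) {
        findings.push({ dependency: dep, resembles: t, reason });
        break;
      }
    }
  }
  return findings;
}

// Scan both runtime and dev dependencies of a package.json document.
function scanPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return findLookalikes(deps);
}

// Constructed sample package.json for the demo; the version numbers are made up.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "roblox-bot",
  dependencies: {
    "noblox.js": "^4.0.0",
    "noblox-js-vps": "^1.0.0",
    "noblox.js-ssh": "^1.0.0",
    "noblox.js-secure": "^1.0.0",
    "express": "^4.18.0",
  },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanPackageJson(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.dependency}: resembles ${f.resembles} (${f.reason})`);
  }
}
```

The findings are meant for human review rather than automatic blocking: a legitimate variant such as a "-es" build of a trusted package will also match the "embeds trusted name" rule, so the check surfaces candidates and a reviewer confirms the publisher and repository before the dependency is installed.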

Other News

DARPA Funded Project Converts Binary Executables Into Readable Code

A DARPA-funded project at Georgia Tech has developed a prototype pipeline that can convert binary executables into human-intelligible code, allowing for easier updating and deployment of legacy closed-source software. The goal is to make the process reliable, automated, and suitable for military and civilian applications. The Verified Security and Performance of Large Legacy Software (V-SPELL) program was created with a $10 million grant and is focused on converting binary executables to human-readable code and then recomposing them back into functional binaries. The pipeline is particularly useful for updating complex software without access to the original source code, enabling bug fixes, security improvements, and feature additions, which could save the federal government billions. (The Register)

Report By Sysdig Identifies Cyber Attacks On GitLab Platforms

A report by the firm Sysdig claims that cyberattacks on GitLab instances are using sophisticated techniques to avoid detection, including the use of Go and .NET binaries, undetected tools, and cross-platform malware. Cybercriminals are also abusing legitimate services to disguise their actions, a report by the Sysdig Threat Research Team (TRT) claims. The attackers, possibly from Russia, are using binaries for proxyjacking and cryptomining, exploiting GitLab's infrastructure, the report found. (DevOps.com)

China-Linked Supply Chain Attack Claims 100 Victims 

A software supply chain attack involving a Microsoft trusted software model is raising concerns about a new and formidable cybersecurity threat. As reported by Wired, researchers from the Threat Hunter Team at Broadcom-owned security firm Symantec revealed that they have identified a supply chain attack carried out by a previously unidentified hacking crew, which has been named "CarderBee."

The attackers hijacked the software updates of a piece of Chinese security software known as Cobra DocGuard, injecting malware that targeted about 100 computers, mostly in Hong Kong. The campaign bears a loose resemblance to previously identified Chinese state-sponsored hacking operations. The malicious actors behind the campaign were able to get their malicious code, the Korplug or PlugX malware that is commonly used by Chinese hackers, digitally signed by Microsoft. That signature, which Microsoft uses to indicate trusted code, made the malware far harder to detect. (Wired)

Report Finds Linux OS Target Of Growing Attacks

Linux, the open source operating system that runs on a growing share of devices, from personal computers to cloud services and critical infrastructure, is increasingly the target of malware, according to a new report by Trend Micro. The Linux Threat Landscape Report debunks the myth that Linux is immune to attacks, documenting the growing population of ransomware, cryptocurrency miners, web shells, and rootkits that take advantage of weaknesses such as unpatched software, misconfigurations, and poor coding practices. While Linux security is strong, proactive measures are essential, the report concludes. (Trend Micro)

Report Finds Software Supply Chain Attacks On The Rise

The Q2 2023 Threat Landscape Report by Kroll found a 33% surge in activity by the Cl0p ransomware gang compared to Q1, accompanied by a rise in email compromise attacks, with supply chain attacks targeting vendors on the rise. That includes incidents like the Cl0p gang's zero-day attack on UK-based Zellis. Financial services, healthcare, telecom, and technology were the fastest-growing impacted industries, the report found. (Digit FYI)

Resource Round Up

Software Package Deconstruction Series: Deconstructing OneDrive and Dropbox | A Cloud Storage App Throwdown

Coming September 7. In this episode, we will analyze popular cloud storage applications from a third-party risk management perspective. We will review behaviors, Internet communications, and other relevant information to evaluate the risk related to each option. [Register Now]

ReversingGlass Video: Trust in Your Software Must be Complete

In this latest episode of ReversingGlass, Matt Rose makes the essential point that trust in your software supply chain is all or nothing. He explains that trusting anything less than 100% of the components in your software package will set your organization up for major risk. This is why trust in software supply chains needs to be complete, so that the risk of a software supply chain attack on your organization can be minimized.

ConversingLabs Podcast: Creating the Standard for Supply Chain Risk

In this episode, host Paul Roberts chats with Robert Martin of MITRE and Cassie Crossley of Schneider Electric about their session at this year’s RSA Conference. They explained how MITRE’s System of Trust can serve as a standard for software supply chain risk. The two also chatted with Paul about the greater issues facing software supply chains today, such as standardization and transparency. 
