Bogus JS libraries become sustained ransomware threat for Roblox gamers

If your kids play Roblox, you may wish to warn them of ransomware perils snapping at their heels. A very smart, and determined attack has been taking place for a little while now. Although initially dismissed as a form of prank, the developers under fire now disagree. Whether prank or malicious campaign, the end results are still bad for everyone involved. Shall we take a look?

What is Roblox?

If you have younger kids and they play games, they may well have dabbled in Roblox. If so, you’ll have experienced howls of outrage for a few days in October when the entire system came crashing down.

It’s a game, but also much more than that. It’s a place where other users can make their own games inside the Roblox landscape. It’s been around since 2006, and has millions of users. Kids love it because every time they log in, there’ll be something different to do. If they start making content, there’s even the possibility of making money from it.

As you can imagine, this makes it a popular target for scammers and malware authors. As they’re primarily targeting kids, it’s probably a bit easier to go on the offensive than tackling more cautious adults.

What tactics are used to scam Roblox users?

Glad you asked! We covered one such scam last year. Robux is the in-game currency used by players. It can be bought with real money, or earned via creating content (assuming the child is over 13 years of age).

As a result, Robux cash generators are rife and will send gamers off to bogus surveys, malware installs, phish attempts…the usual collection of awfulness.

Outside of Robux generators, phishing and malware generally are popular with scammers everywhere. You can read about typical Roblox experiences here. Not everything is scam central; some of it is just weird, or baffling. Even so, it pays to be on your guard. This is especially applicable in this case. We don’t “just” have scammers targeting the kids directly. What we have here is people trying to place bogus files in locations the players wouldn’t necessarily expect to find them.

We now turn our attention to Noblox, the stepping-stone for scammers to reach their goal of the end users.

Roblox and Noblox

Noblox is a popular way to automate certain in-game Roblox functions. As per its description:

This NPM package enables operations froms the Roblox website to be executed via NodeJS; many individuals leverage noblox.js along side Roblox’s HTTPService to create in-game scripts that interact with the website, i.e. promote users, shout events, and so on, or to create Discord utiltiies to manage their community.

Malicious packages containing ransomware were found to be emulating the real thing.

Noblox.js-proxy imitated noblox.js, deliberately using a name as similar as possible. Meanwhile, Noblox.js-proxies did the same thing to the legitimate noblox.js-proxied. The bad packages had a few hundred downloads between them before being shut down.

The scammers reused certain portions of the real thing, and then dropped dubious code into places users wouldn’t suspect. A little bit of obfuscated code later, and the end result is Trojans dropped onto the target PC, alterations to the Windows registry, and a dash of ransomware to round the whole sorry enterprise off.

When “pranks” start to get serious

This one was arguably well beyond the prank point and had at least one foot in serious territory. A feeling now compounded as the Noblox devs flag at least 6 different libraries aiming to confuse and trap unsuspecting victims.

Although the bogus libraries are being taken offline, the people behind this are making use of Discord to cause additional headaches. Multiple servers exist and are being used to trick younger users into downloading the rogue files. Regular readers will be familiar with the type of Discord messages used for these sorts of antics.

What can Roblox gamers do to avoid these attacks?

As many of the bogus files are being sent in Discord, gamers should be very cautious around anything sent their way. These rogue messages may be sent via DM or posted publicly in a Discord server. They could also arrive via other methods. It’s a tricky one to address, because we’re dealing with younger users who may not be massively tech savvy, versus a confusing selection of package repositories and somewhat technical file names.

If you’re a parent and unsure about your kid’s activity in Roblox, and want to know more about it generally, a good place to start is the Roblox Parents’ Guide. If your kids are making their own games and want to branch out into the kind of package assistance seen above, it may be worth reading the FAQs from the developers. This isn’t a problem that’s likely to go away overnight, and that’s what the scammers and malware authors are banking on.

The post Bogus JS libraries become sustained ransomware threat for Roblox gamers appeared first on Malwarebytes Labs.