Luna Grabber Data-Stealing Malware Targeting Roblox Users


A concerning cyber threat has emerged, targeting developers within the Roblox community. Researchers from ReversingLabs have uncovered a malicious campaign involving the distribution of data-stealing malware named "Luna Grabber." This malware has been injected into over a dozen open-source software packages commonly used by Roblox developers, underscoring the sophistication of this cyber attack.

The attack's methodology is multifaceted, relying on tactics like typosquatting and advanced obfuscation techniques to lure users into downloading counterfeit versions of widely used software hosted on npm, a renowned open-source software repository. These bogus packages still contain the authentic code that developers seek, but they also carry a multi-stage malware payload capable of deploying Luna Grabber across various digital platforms, including web browsers and Discord applications.

Luna Grabber Detection

The initial detection of Luna Grabber came during ReversingLabs' routine monitoring of npm. A suspicious package, "nobox.js-vps," was identified, blatantly masquerading as a legitimate Roblox API wrapper. The campaign's primary objective is to harvest information that can serve as a treasure trove for potential future attacks. Luna Grabber essentially acts as a 'turnkey' open-source malware tool, generating malicious executables used in phishing and supply chain attacks, with a particular focus on extracting sensitive data from targeted developers.

npm, as one of the world's largest open-source software repositories, provides ample opportunities for cyber attackers. However, this campaign has had a relatively limited impact so far, with fewer than 1,000 users falling victim across the numerous compromised software packages. While many of the identified packages have been removed, the campaign's persistence remains a concern.

Roblox, an online gaming platform enabling users to create virtual worlds and experiences, has seen explosive growth in popularity, especially during the COVID-19 pandemic. It now boasts over 66 million daily active users and 214 million monthly active users. Unfortunately, this surge in interest has also attracted the attention of malicious actors. In 2021, a similar approach involving typosquatting on "nobox.js" was used to deliver ransomware to unsuspecting victims within the Roblox community.
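Both campaigns depended on a package name that resembles a trusted one. The following check is an added example, not code from ReversingLabs or the original article: it scans a parsed package.json for such lookalikes, treating `nobox.js` as the trusted name (an assumption); the function names and the sample manifest are constructed for illustration.

```javascript
// Added example: flag dependency names that imitate a trusted package name.
// TRUSTED is an assumption; list the packages your project actually intends to use.
const TRUSTED = ["nobox.js"];

// Levenshtein edit distance between two strings (two-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Drop separators so names that differ only in "-", "_" or "." compare equal.
const normalize = (name) => name.replace(/[-_.]/g, "");

// Returns why `name` looks like an imitation of `trusted`, or null if it does not.
function lookalikeReason(name, trusted) {
  const n = name.toLowerCase(), t = trusted.toLowerCase();
  if (n === t) return null; // the trusted package itself
  if (n.startsWith(t + "-") || n.endsWith("-" + t)) return "trusted name with extra affix";
  if (normalize(n) === normalize(t)) return "differs only in separators";
  if (editDistance(n, t) <= 2) return "within 2 edits";
  return null;
}

// Scan a parsed package.json; one finding per suspicious dependency name.
function auditManifest(manifest, trusted = TRUSTED) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const name of Object.keys(deps)) {
    for (const t of trusted) {
      const reason = lookalikeReason(name, t);
      if (reason) findings.push({ name, resembles: t, reason });
    }
  }
  return findings;
}

// Constructed sample manifest (versions are placeholders).
const sample = {
  dependencies: { "nobox.js": "1.0.0", "nobox.js-vps": "1.0.0", "nobux.js": "1.0.0", "express": "1.0.0" },
  devDependencies: { "no-box.js": "1.0.0" },
};
console.log(auditManifest(sample));
```

A finding is a prompt for manual review of the package's publisher and history, not proof of malice; short trusted names will produce more false positives at an edit-distance threshold of 2.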

Ashlee Benge, Director of Threat Intelligence Advocacy at ReversingLabs, pointed out a concerning vulnerability within the Roblox developer community. Unlike developers for larger corporate entities, these individuals may lack security awareness and sophistication when it comes to evaluating the safety of third-party libraries they use. This knowledge gap makes them ideal targets for cybercriminals looking to exploit vulnerabilities.

Interestingly, this attack marks a departure from the norm by using npm as the vector for multi-stage malware attacks. Traditionally, such attacks have been more prevalent in other open-source repositories, like PyPI. However, as these repositories have beefed up their security with new authentication features, malicious actors are possibly shifting their focus to other repositories, as exemplified by Luna Grabber's presence on npm.

August 24, 2023