Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.
This attack group has been operating for over a year with multiple hacking objectives:
- Credit card information
- Discord “Nitro” (premium) upgrades
- Streaming services accounts (e.g. Disney+), Minecraft accounts, and more.
Our findings were disclosed to the security teams of GitHub, NPM, Repl.it, Discord, and more.
Connecting the Dots
In August 2022, we bumped into a couple of LofyGang’s malicious packages. It started with a report from one of our internal engines. Our researchers immediately began investigating and crossing the IOC using our internal retro-hunting tools. This helped reveal more and more connections to other packages, and some of the packages linked to reports from Sonatype, SecureList, and JFrog, but each report was a small piece of the big puzzle, as you can see below. The detective board was so overloaded at some point that we had to zoom out. See the image below. We are also sharing the detective board PDF file here.
When defenders disclose malicious packages to package managers (NPM, PyPi, etc..), the package managers simply delete the related release artifacts and metadata.
While this does prevent users from downloading the malware, it makes things hard for defenders to (a) know what happened, as this is not documented, and (b) learn and improve from the attacker’s activities as it’s almost impossible to get the removed evidence.
Checkmarx research team created internal tools to continuously collect open source-related evidence. This is powering our research process; as you can see in this report, it helps us reveal and correlate deleted historical evidence and re-investigate samples which assist us in telling you the story of LofyGang over time. To read more about the fruits of retro-hunting, check out this story.
By observing LofyGang’s activities across the internet, it appears they are an organized crime group focused on stealing and sharing stolen credit cards, gaming and streaming accounts, and more.
They create sock-puppets accounts using a closed dictionary of names with slight permutations of keywords such as lofy, life, polar, panda, kakau, evil, devil, and vilão (villain in Portuguese).
As we explored this case, we guessed their origin is Brazil as much of the evidence contained Brazilian Portuguese sentences and even a file called “brazil.js”, which contained malware found in a couple of their malicious packages.
LofyGang’s Discord server was created a year ago, on October 31, 2021, and seems to be the main channel of communication between the group’s administrators and their members.
In this Discord server, you can find technical support for the group’s hacking tools, a dark meme group, and a dedicated bot responsible for a giveaway of Discord Nitro upgrades.
Discord Bot – “Lofy Boost”
LofyGang created a Discord bot “Lofy Boost” to deploy stolen credit cards on the operator’s account. When calling the bot command “ph!boost”, the operator must provide it with his personal credentials. Also, LofyGang stated that whoever uses this bot will also automatically boost LofyGang’s Discord server.
The group is contributing to an underground hacking community under the alias DyPolarLofy, where they leak thousands of Disney+ and Minecraft accounts, promote their hacking tools under their GitHub page, promote their bots, and more.
Fake Instagram Followers As-A-Service
It seems that LofyGang’s main offering in that underground hacking community is to sell fake Instagram followers. This links to some of the malicious package profiles; for example, the package “fetch-string” is linked to the “victorjxl” Instagram account, which appeared to be an account with fake followers.
The group is hosting hack tools under the GitHub account PolarLofy. Their open source repositories offer tools and bots for Discord, such as:
- Discord spammer
- Password stealer
- Nitro Generator
- Chat Wiper
- And more
LofyGang has a YouTube channel with self-promotion content, such as video tutorials demonstrating how to use their hacking tools. Their channel has almost 4k subscribers.
Using Legitimate Services as C2
Discord, Repl.it, glitch, GitHub, and Heroku are just a few services LofyGang is using as C2 servers for their operation.
We were able to trace ~200 malicious open-source packages published in the past year. We saw several classes of malicious payloads, general password stealers, and Discord-specific persistent malware; some were embedded inside the package, and some downloaded the malicious payload during runtime from c2 servers.
Typosquatting and StarJacking
Typosquatting is a technique commonly used by attackers targeting the open source supply chain that relies on typing mistakes. Attackers register permutations of typing mistakes of popular packages, like “falsk” instead of “flask.” This leads to the accidentally installation of a malicious package.
Starjacking, usually combined with Typosquatting, occurs whenever a package references a git repository; websites such as PyPi, NPM, etc., display the statistics such as GitHub issues, stars, forks, etc., accordingly. The package managers do not validate the accuracy of this reference, and we see attackers take advantage of that by stating their package’s git repository is legitimate and popular, which may trick the victim into thinking this is a legitimate package due to its so-called popularity. We saw Starjacking in another previously reported attack last month.
LofyGang, like many other attackers, used Typosquatting and Starjacking techniques to appear popular and legitimate to developers. For instance, they often use the words “color” and “discord” in package names in addition to referencing a legitimate GitHub repository and copying another popular package’s description as-is.
Hiding in a Sub-Dependency
One of the techniques used by the attackers to avoid detection is to keep the first-level package clean from malicious code, but having it depend on another package that introduces the malicious code. We saw that whenever the malicious dependent package was caught and removed, the attackers would replace it with a new one, and publish a new version of the main package which was never removed.
The packages are purposely published by different NPM user accounts to decouple them as much as possible if one of them is caught.
Modifying the Installed Discord Application
Some of the group’s malicious packages were spotted modifying the installed Discord instance with hooks to steal credit cards, sent via Discord webhook straight to the attackers whenever a payment was made.
Some of the malicious payloads are obfuscated. When we tried de-obfuscating the payloads, we noticed that the writers of this code added anti-deobfuscation statements to be executed whenever de-obfuscation tools such as https://github.com/relative/synchrony were used. The anti-deobfuscation statements would unpack a naïve regular expression that jams the event loop, making debugging the malicious code confusing.
NPM Activity Over Time
Since the beginning of their malicious activities on NPM, we’ve seen a steady flow of dozens of malicious packages published per month.
Don’t Trust Code From Strangers, Especially Attackers
LofyGang’s hack tools also depend on malicious packages, which infect their operators with persistent hidden malware using the same capabilities as described above. For instance, we saw the tool “Discord-Mass-Dm” on GitHub, which depends on “small-sm” – one of LofyGang’s malicious packages.
Screenshot from the group’s hack tool “Discord-Mass-Dm” having a malicious dependency.
In addition, some reports from the underground community cautioned about LofyGang’s code examples, discord bots, and other contributions which were also infected.
The surge of recent open-source supply chain attacks teaches us that cyber attackers have realized that abusing the open-source ecosystem represents an easy way to increase the effectiveness of their attacks.
Communities are being formed around utilizing open-source software for malicious purposes. We believe this is the start of a trend that will increase in the coming months.
We’d like to thank our friends from Sonatype, SecureList, and JFrog for publishing their reports. By crossing those findings, we were able to connect the dots faster and create this investigation board which links the source of those activities to LofyGang.
We believe in sharing and working together to keep the ecosystem safe. Shoot us an email at [email protected] if you’re interested in this incident’s samples or other data.
We’ve launched a tracker website https://lofygang.info/ to share new findings about these attackers. This is an open source static website available on our GitHub. If you bump into more of these packages, feel free to contribute!
List of Malicious Packages
See the following list of malicious packages in this gist: https://gist.github.com/jossef/aaa9e45c062d973f18bd87c43b9c4fc7