A report published by Checkmarx found over 200 malicious npm (Node Package Manager) packages with hundreds of installations, linked to a cyberattack group known as 'LofyGang'.
LofyGang is a group of cyber-criminals running a credential-theft operation: they distribute their malicious packages and fake hacking tools through code-hosting platforms such as GitHub.
Many people believe that LofyGang is based in Brazil, as much of the evidence surrounding the case contains sentences written in Brazilian Portuguese. Furthermore, one of the malware-carrying files found in their malicious packages was named brazil.js. Is this just a coincidence, or does the group have more sinister motives?
What are LofyGang up to?
The group is very good at misleading users into installing these malicious packages. Those who installed them had their account credentials and credit card information stolen.
Checkmarx deduced that this attack group has been operating for over a year with multiple targets:
- Credit card information
- Discord “Nitro” (premium) upgrades
- Streaming services accounts (e.g. Disney+), Minecraft accounts, and more
Several of these packages have now been removed, but this is not the end: some of the malicious files are still available to download.
There is now a dedicated project on GitHub that searches for and tracks malicious LofyGang packages.
How Do They Promote Malware?
LofyGang promotes its malicious products on various platforms such as YouTube, where the group uploads tutorials for these tools.
In October 2021, LofyGang started operating its own Discord server. There, users can receive "support" from the scammers themselves, who do nothing but show users how to use the malicious tools that grant the scammers full access to their accounts.
The server also features a Discord bot called "Lofy Boost", which grants users a "free" Discord Nitro subscription, paid for with credit card details stolen from earlier victims of the same scam.
To get this "free" Nitro subscription you are required to hand over the credentials to your account. See the problem? Furthermore, the bot steals your user token, which lets the scammers sign in to your account directly, leaving you in a bit of a pickle.
LofyGang does not only publish malicious npm packages; it also shares malicious hacking tools on GitHub. Like the npm packages, these hacking tools are all Discord-related.
In most cases the malicious code is not contained in the main package. It is fetched as a dependency, so the top-level package looks clean on inspection, the users of these hacking tools and npm packages are less likely to realise they have been scammed, and the hosting platforms are less likely to remove the files from their sites.
Furthermore, these cybercriminals use more than 50 accounts to upload npm packages, fragmenting their activity as much as possible to evade large-scale takedowns.
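The practical lesson from the "payload arrives as a dependency" tactic is that reviewing the package you typed into `npm install` is not enough: you have to look at what it pulls in. The script below is an added example (not Checkmarx's tooling and not part of the original article) that walks a `package-lock.json` (lockfile v2/v3 `packages` map), prints the chain through which every transitive dependency was pulled in, and flags packages that declare an install hook (npm records this as `hasInstallScript`), since a `postinstall` script in a package you never asked for is exactly where a credential stealer tends to run. The lockfile embedded in the script is constructed for the demonstration, and the package names in it are hypothetical placeholders, not real LofyGang packages.

```python
"""Walk a package-lock.json (lockfile v2/v3 "packages" map) and list every
transitive dependency with the chain that pulled it in, flagging entries that
declare an install hook (npm records this as "hasInstallScript")."""
import json
import sys

# Constructed sample lockfile for the demonstration. The package names are
# hypothetical placeholders, not real packages from the Checkmarx report.
SAMPLE_LOCK = {
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"discord-nitro-tool": "^1.0.0"}},
        "node_modules/discord-nitro-tool": {
            "version": "1.0.0",
            "dependencies": {"util-helper": "^2.1.0"},
        },
        "node_modules/util-helper": {
            "version": "2.1.0",
            "hasInstallScript": True,       # runs code at install time
            "dependencies": {"tiny-log": "^0.1.0"},
        },
        "node_modules/tiny-log": {"version": "0.1.0"},
    },
}


def load_lock(path):
    """Read a real package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def resolve(packages, parent_path, name):
    """Return the lockfile key that `parent_path` gets for dependency `name`,
    following npm's lookup order: the nearest nested node_modules directory
    first, then each enclosing directory up to the hoisted top level."""
    prefix = parent_path
    while True:
        candidate = f"{prefix}/node_modules/{name}" if prefix else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not prefix:
            return None
        # Drop the last "/node_modules/<pkg>" segment and retry one level up.
        prefix = prefix.rsplit("/node_modules/", 1)[0] if "/node_modules/" in prefix else ""


def walk(lock):
    """Return a list of (chain, version, has_install_script) for every
    transitive dependency of the root project. Each lockfile entry is reported
    once, under the first chain that reaches it. Only "dependencies" is
    followed; optional and peer dependencies are ignored for brevity."""
    packages = lock["packages"]
    root_name = lock.get("name", "root")
    found = []
    seen = set()

    def visit(path, chain):
        for dep in sorted(packages[path].get("dependencies", {})):
            dep_path = resolve(packages, path, dep)
            if dep_path is None or dep_path in seen:
                continue
            seen.add(dep_path)
            entry = packages[dep_path]
            found.append((
                " -> ".join(chain + [dep]),
                entry.get("version"),
                bool(entry.get("hasInstallScript", False)),
            ))
            visit(dep_path, chain + [dep])

    visit("", [root_name])
    return found


def install_hooks(lock):
    """Chains of every transitive dependency that declares an install script."""
    return [chain for chain, _version, hook in walk(lock) if hook]


if __name__ == "__main__":
    lock = load_lock(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOCK
    for chain, version, hook in walk(lock):
        print(f"{'[INSTALL SCRIPT] ' if hook else ''}{chain} ({version})")
```

Run it with no arguments to see the constructed sample, or pass the path to a real `package-lock.json`. On the sample the only flagged entry is `my-app -> discord-nitro-tool -> util-helper`: the package the user chose looks harmless, and the code that executes at install time sits one level down, which is the pattern described above. A flag from this script is a reason to read that dependency's `package.json` scripts, not proof of malice; plenty of legitimate native modules have install hooks too.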
If you have fallen for a scam like this, change your password, which invalidates your current user token, and enable two-factor authentication (2FA).
For further reading on how to stay safe on Discord, check out one of our past articles by Messyhunk.
That's all for today; we hope you enjoyed this article. Make sure to join our official Discord server to discuss this topic further or suggest new articles!