LofyGang Gang Spreads Via over 200 Malicious Packages And Fake Hacking Tools

LofyGang has created a credential-stealing enterprise through which it is distributing about 200 malicious packages and fake hacking tools on code hosting platforms such as GitHub and npm.

What is happening?

LofyGang has been active for a year with the aim of stealing credit card data and accounts for Discord Nitro, gaming, and streaming services. It is using around 199 rogue packages with thousands of installations.
  • LofyGang promotes its hacking tools (including Nitro generator, password stealer, Discord token grabber, spammer, and webhook hiding module) in hacking forums, where some tools come with a hidden backdoor.
  • GitHub, Discord, glitch, Heroku, and Repl[.]it services are being used as C2 servers by the threat group. 
  • The fraudulent packages are laden with password stealers and Discord-specific malware.

Efforts to stay hidden

To hide the scale of the supply chain attack, the packages are published from many different user accounts. This way the remaining malicious libraries stay on the repositories even when one of them is spotted and removed.
  • LofyGang has been using a technique wherein the top-level package is left free of malware, while the dependent packages it pulls in at install time carry the malicious capabilities.
  • Further, the hacking tools LofyGang shares on GitHub depend on these malicious packages, so the tools themselves act as a delivery channel for persistent backdoors on the systems of whoever runs them.
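The clean-top-level, malicious-dependency pattern described above only shows up if you look past the package you asked for. The script below is an added defender-side example (not code from the article, Checkmarx, or any project): it walks an npm lockfile, reports every transitive dependency with its depth and dependency chain, and flags entries that declare an install script (npm's `hasInstallScript` lockfile field) or that match a local watchlist. The lockfile and the watchlist name are constructed for the example; they are not real LofyGang package names.

```python
import json
from typing import Dict, List

# Constructed sample lockfile (npm lockfileVersion 2 "packages" map).
# Package names are placeholders, not the real LofyGang packages.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"pretty-colors": "^1.0.0"}},
        # top-level package: no install script, looks harmless
        "node_modules/pretty-colors": {
            "version": "1.0.0",
            "dependencies": {"colors-helper": "^2.1.0"},
        },
        # second-level dependency with an install hook
        "node_modules/colors-helper": {
            "version": "2.1.0",
            "hasInstallScript": True,
            "dependencies": {"discord-utils-x": "^0.3.0"},
        },
        # third-level dependency with an install hook
        "node_modules/discord-utils-x": {
            "version": "0.3.0",
            "hasInstallScript": True,
        },
    },
})

# Constructed watchlist: names an organisation has decided to block.
WATCHLIST = {"discord-utils-x"}


def _pkg_name(path: str) -> str:
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    return path.rsplit("node_modules/", 1)[-1]


def walk_dependency_tree(lock_json: str) -> List[Dict]:
    """Return one record per reachable package, in depth-first order."""
    lock = json.loads(lock_json)
    packages = lock["packages"]
    # Simplification: one entry per name (ignores nested duplicate versions).
    by_name = {_pkg_name(p): e for p, e in packages.items() if p}
    findings: List[Dict] = []
    seen = set()

    def visit(name: str, depth: int, chain: List[str]) -> None:
        if name in seen:
            return
        seen.add(name)
        entry = by_name.get(name, {})
        findings.append({
            "name": name,
            "depth": depth,
            "chain": chain + [name],
            "install_script": bool(entry.get("hasInstallScript")),
            "watchlisted": name in WATCHLIST,
        })
        for dep in entry.get("dependencies", {}):
            visit(dep, depth + 1, chain + [name])

    for dep in packages[""].get("dependencies", {}):
        visit(dep, 1, [])
    return findings


def suspicious(findings: List[Dict]) -> List[Dict]:
    """Keep only packages that run code at install time or are watchlisted."""
    return [f for f in findings if f["install_script"] or f["watchlisted"]]


if __name__ == "__main__":
    for f in suspicious(walk_dependency_tree(SAMPLE_LOCK)):
        print(f"depth {f['depth']}: {' -> '.join(f['chain'])}"
              f" install_script={f['install_script']}"
              f" watchlisted={f['watchlisted']}")
```

Run against a real `package-lock.json` by passing its contents to `walk_dependency_tree`; the point is that the top-level package reports nothing, while the install-script flags appear two and three levels down, which is exactly where this campaign hides its payload.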

Effort by security agencies

  • Different activities under this campaign have already been disclosed and tracked by various agencies, such as Sonatype and JFrog.
  • Moreover, Kaspersky has been tracking the threat actor as LofyLife, which was using tainted npm packages to target Discord users.
  • However, a recent analysis from Checkmarx pulls the different activities under one name as LofyGang.

Conclusion

The recent finding supports the fact that cybercriminals are now setting their sights on the open-source ecosystem, using it to widen the reach and effectiveness of their attacks. Developers are therefore advised to carefully vet the packages they pull from platforms like GitHub and npm.
Publisher: Cyware