How LofyGang Is Using Discord, YouTube And GitHub In A Massive Credential Stealing Attack
The researchers discovered at least 200 malicious npm packages uploaded to the official npm website by various sock puppet accounts belonging to LofyGang. These npm packages mimic legitimate packages that help users interact with the Discord API. LofyGang tricks users into installing these malicious packages rather than legitimate ones by uploading multiple versions of its packages with different misspellings of popular packages. The group also ties its npm packages to active and reputable GitHub repositories in order to lend its malicious packages credibility on the npm website. An unsuspecting user who accidentally inputs a typo when searching for a legitimate package may stumble upon a listing for one of these malicious packages, not notice the misspelling, and end up installing the package.
Unfortunately for those who install these malicious npm packages, the packages serve to steal users’ account and credit card credentials. However, rather than directly containing malicious code, these packages instead depend on secondary packages which contain malicious code. Hiding malware in dependencies this way means that the original malicious packages are less likely to be reported as malicious and removed from the npm website. If one of the malicious dependencies is reported and removed, the threat actor can simply upload a new malicious dependency and push out an update to the original npm package downloaded by the user directing it to rely on this new malicious dependency.
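The two techniques described above, typosquatted names and malicious code pushed down into a secondary dependency, can both be checked for before an install. The following is an added example written for this article, not code from Checkmarx's report or from any npm tooling: it scores every name in a dependency tree against a short allowlist of well-known packages using edit distance (with transpositions counted, since swapped letters are a common typo), and it records at what depth each package enters the tree so that lookalikes pulled in only transitively stand out. The allowlist, the package names and the tree are constructed for illustration; the tree is shaped like `npm ls --json` output, which is an assumption about how you would feed it real data.

```javascript
// Added example (not from the article or from Checkmarx): flag typosquat
// lookalikes in a dependency tree and note whether they are direct or
// transitive. All names, versions and the allowlist are constructed samples.

// Constructed allowlist of well-known package names; in practice this would be
// an organisation's vetted list.
const KNOWN_PACKAGES = ['discord.js', 'axios', 'express', 'lodash', 'chalk'];

// Constructed tree shaped like `npm ls --json`: a lookalike at the top level
// ('discrod.js') and two more hidden one level down ('lodahs', 'axois').
const SAMPLE_TREE = {
  name: 'my-bot',
  version: '1.0.0',
  dependencies: {
    'discrod.js': { version: '14.0.0', dependencies: {} },
    'express': { version: '4.18.2', dependencies: {} },
    'discord-helper-lib': {
      version: '1.0.2',
      dependencies: {
        'lodahs': { version: '0.0.3', dependencies: {} },
        'axois': { version: '0.1.0', dependencies: {} },
      },
    },
  },
};

// Optimal-string-alignment edit distance: insertions, deletions and
// substitutions cost 1, and an adjacent transposition also costs 1.
function editDistance(a, b) {
  const m = a.length, n = b.length;
  const d = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0));
  for (let i = 0; i <= m; i++) d[i][0] = i;
  for (let j = 0; j <= n; j++) d[0][j] = j;
  for (let i = 1; i <= m; i++) {
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[m][n];
}

// Names that are close to, but not equal to, a known package.
function findTyposquats(names, known = KNOWN_PACKAGES, maxDistance = 2) {
  const hits = [];
  for (const name of names) {
    if (known.includes(name)) continue; // exact match: not a lookalike
    for (const k of known) {
      const distance = editDistance(name, k);
      if (distance > 0 && distance <= maxDistance) {
        hits.push({ name, lookalike: k, distance });
      }
    }
  }
  return hits;
}

// Map each package name to the shallowest depth at which it appears
// (1 = direct dependency, 2+ = only reachable through another package).
function collectDepths(tree) {
  const depths = new Map();
  const visit = (node, depth) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      if (!depths.has(name) || depths.get(name) > depth) depths.set(name, depth);
      visit(child, depth + 1);
    }
  };
  visit(tree, 1);
  return depths;
}

// Packages that never appear as a direct dependency of the project.
function transitiveOnly(tree) {
  return [...collectDepths(tree)]
    .filter(([, depth]) => depth >= 2)
    .map(([name]) => name)
    .sort();
}

// Combine both checks: every lookalike, tagged with where it enters the tree.
function auditTree(tree, known = KNOWN_PACKAGES) {
  const depths = collectDepths(tree);
  return findTyposquats([...depths.keys()], known).map((hit) => ({
    ...hit,
    depth: depths.get(hit.name),
    transitive: depths.get(hit.name) >= 2,
  }));
}

console.log(auditTree(SAMPLE_TREE));
```

The transitive flag is the part worth acting on: a direct lookalike is caught by a glance at package.json, but the hidden dependency pattern in the article means the name you searched for can be perfectly spelled while the package that actually runs code at install time is two levels down. Running this over real `npm ls --json` output before an install, or in CI, surfaces those names for review.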
Another avenue for promoting LofyGang’s malicious hacking tools is the group’s Discord server, which has been in operation since October of 2021. Users can join this Discord server to receive help using the tools. The server also features a Discord bot that can grant users a free subscription to Discord Nitro using stolen credit card credentials. However, in order to use the bot, users have to hand over their Discord account credentials, which LofyGang likely adds to the pile of credentials stolen by its malicious packages and tools. At the end of the day, Checkmarx's report makes clear that anyone using LofyGang’s packages, tools, and services ends up handing over their account and credit card credentials, whether they realize it or not.