A cybercrime group named LofyGang has distributed roughly 200 malicious NPM packages that have been downloaded thousands of times over the past year, according to Checkmarx.
Likely operating out of Brazil, LofyGang appears to be an organized crime group focused on multiple hacking activities, including credit card data theft and Discord premium upgrades, as well as the hacking of games and streaming service accounts.
LofyGang has been observed abusing multiple public cloud services for command and control (C&C) purposes, including Discord, GitHub, Glitch, Heroku, and Repl.it, creating sock-puppet accounts using a closed dictionary of names (slight permutations of evil, devil, lofy, polar, panda, kakau, and vilão).
Since October 2021, the group has been using a Discord server for communication between administrators and members, and to provide technical support for its hacking tools.
The group also operates the GitHub account PolarLofy – which offers tools and bots for Discord, including a spammer, a password stealer, a Nitro generator, and a chat wiper, among others – and operates a YouTube account that contains self-promotion content.
Over the past year, LofyGang has published roughly 200 malicious open source packages, which either contained or linked to generic malicious payloads, password stealers, and Discord-specific malware.
The threat actor was seen relying on typosquatting and starjacking to create a false sense of legitimacy, referencing legitimate GitHub repositories in their packages, and copying the descriptions of popular packages.
To avoid detection, the group published clean first-level packages that carried a malicious package among their dependencies; whenever the malicious dependency was discovered and removed, it was swapped for a new one. The attackers used different NPM user accounts to publish these packages.
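As an added, defender-side illustration (not code from the Checkmarx report), the following Node.js snippet applies two heuristic checks for the legitimacy tricks just described: a `repository` field naming a GitHub repo that does not match the package name (starjacking), and a package or direct dependency whose name is within two edits of a popular package (typosquatting). All package names, URLs and the "popular" list are constructed.

```javascript
// Added example, not part of the original article. Heuristic checks for
// starjacking and typosquatting in an npm package.json object.

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return d[a.length][b.length];
}

// Last path segment of a GitHub repository URL, without a trailing ".git".
function repoNameFromUrl(url) {
  const m = /github\.com[/:]([^/]+)\/([^/#?]+?)(?:\.git)?\/?$/i.exec(url || "");
  return m ? m[2].toLowerCase() : null;
}

// Audit one package.json object (name, repository, dependencies) against a
// list of popular package names. Returns a list of findings; empty is clean.
function auditManifest(manifest, popularNames) {
  const findings = [];
  const bare = manifest.name.replace(/^@[^/]+\//, "").toLowerCase();

  // Starjacking: the repository field points at a repo with a different name.
  const repoField = manifest.repository;
  const repoUrl = typeof repoField === "string" ? repoField : repoField && repoField.url;
  const repo = repoNameFromUrl(repoUrl);
  if (repo && repo !== bare) findings.push(`starjacking? repository "${repo}" != package "${bare}"`);

  // Typosquatting: the package or a direct dependency is a near miss of a popular name.
  const candidates = [manifest.name, ...Object.keys(manifest.dependencies || {})];
  for (const name of candidates) {
    for (const popular of popularNames) {
      const dist = editDistance(name.toLowerCase(), popular.toLowerCase());
      if (dist > 0 && dist <= 2) findings.push(`typosquat? "${name}" is ${dist} edit(s) from "${popular}"`);
    }
  }
  return findings;
}

// Constructed sample: a clean-looking top-level package borrowing another
// project's repository link and pulling in a near-miss dependency.
const SAMPLE = { name: "discord-utils-helper", repository: "https://github.com/example-org/lodash.git", dependencies: { colrs: "^1.0.0" } };
const POPULAR = ["lodash", "colors", "discord.js"];
```

Run it against a real package.json with `auditManifest(require("./package.json"), POPULAR)`; the heuristics flag candidates for review, they do not prove malice.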
Some of the packages associated with LofyGang would modify the installed Discord instance to steal credit card data, which was sent directly to the attackers as soon as a payment was made.
LofyGang was also observed selling fake Instagram followers to an underground hacking community, as well as leaking online accounts, and promoting their hacking tools and bots.
According to Checkmarx, the group also targeted the users of its hacking tools with malicious packages, with some members of the underground community cautioning about potential infections.
“LofyGang’s hack tools also depend on malicious packages, which infect their operators with persistent hidden malware using the same capabilities described,” Checkmarx notes.
The group also created a Discord bot “to deploy stolen credit cards on the operator’s account”, claiming that the use of the bot would boost LofyGang’s Discord server.
“The surge of recent open-source supply chain attacks teaches us that cyber attackers have realized that abusing the open-source ecosystem represents an easy way to increase the effectiveness of their attacks. Communities are being formed around utilizing open-source software for malicious purposes. We believe this is the start of a trend that will increase in the coming months,” Checkmarx concludes.