How LofyGang Is Using Discord, YouTube And GitHub In A Massive Credential Stealing Attack

Researchers at the cybersecurity firm Checkmarx have managed to map out a complex web of criminal activity that all ties back to a threat actor known as LofyGang. This group of cybercriminals caters to other nefarious actors and Discord users by offering hacking tools, Discord-related npm packages, and other services for free. However, these tools, packages, and services come with a hidden cost, which is the theft of users’ account and credit card credentials.

The researchers discovered at least 200 malicious npm packages uploaded to the official npm website by various sock puppet accounts belonging to LofyGang. These npm packages mimic legitimate packages that help users interact with the Discord API. LofyGang tricks users into installing these malicious packages rather than legitimate ones by uploading multiple versions of its packages under different misspellings of popular package names. The group also ties its npm packages to active and reputable GitHub repositories in order to lend its malicious packages credibility on the npm website. An unsuspecting user who makes a typo when searching for a legitimate package may stumble upon a listing for one of these malicious packages, not notice the misspelling, and end up installing it.

Unfortunately for those who install these malicious npm packages, the packages serve to steal users’ account and credit card credentials. However, rather than directly containing malicious code, these packages instead depend on secondary packages which contain the malicious code. Hiding malware in dependencies this way means that the original malicious packages are less likely to be reported as malicious and removed from the npm website. If one of the malicious dependencies is reported and removed, the threat actor can simply upload a new malicious dependency and push an update to the original package, already installed by the user, that makes it depend on the new one instead.
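The two tricks described above, look-alike package names and malicious code pushed down into a transitive dependency, are both visible in a project's own manifest and lockfile. The following added example (not code from the Checkmarx report) flags declared dependency names that sit within a small edit distance of a trusted name, and lists the packages an npm lockfile pulls in that package.json never names; the package names and lockfile contents are constructed sample input.

```javascript
// Plain Levenshtein distance between two package names (single-row variant).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];          // value of the cell above-left
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1,
                         diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Declared names that are near-misses of a trusted name (exact matches pass).
function findTyposquats(declared, trusted, maxDistance = 2) {
  const hits = [];
  for (const name of declared) {
    if (trusted.includes(name)) continue;
    for (const t of trusted) {
      const d = editDistance(name, t);
      if (d <= maxDistance) hits.push({ name, lookalike: t, distance: d });
    }
  }
  return hits;
}

// Packages present in a lockfile (v2/v3 "packages" map) but not declared
// directly: every transitive dependency, where hidden payloads are placed.
function hiddenDependencies(lock, declared) {
  const marker = "node_modules/";
  const names = Object.keys(lock.packages)
    .filter((k) => k.startsWith(marker))
    .map((k) => k.slice(k.lastIndexOf(marker) + marker.length));
  return [...new Set(names)].filter((n) => !declared.includes(n)).sort();
}

// Constructed sample: one trusted name, one typo of it, one hidden transitive dep.
const TRUSTED = ["discord.js", "axios"];
const DECLARED = ["discord.js", "discrod.js"];
const LOCK = { packages: {
  "node_modules/discord.js": { version: "14.0.0" },
  "node_modules/discrod.js": { version: "1.0.0",
                               dependencies: { "constructed-hidden-dep": "*" } },
  "node_modules/constructed-hidden-dep": { version: "1.0.0" },
} };

console.log(findTyposquats(DECLARED, TRUSTED), hiddenDependencies(LOCK, DECLARED));
```

In practice, feed the `dependencies` keys of package.json and the parsed package-lock.json into these functions, and review every flagged name and every hidden package before trusting the install.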
LofyGang YouTube channel featuring tutorials for the group’s hacking tools

In addition to malicious npm packages, LofyGang distributes malicious hacking tools on GitHub. Similar to the npm packages, the hacking tools tend to be Discord-related. These tools also have malicious dependencies that steal account and credit card credentials. LofyGang promotes these tools on various platforms, including YouTube, where the group uploads tutorials for the tools.

Another avenue for promoting LofyGang’s malicious hacking tools is the group’s Discord server, which has been in operation since October of 2021. Users can join this Discord server to receive help using the tools. The server also features a Discord bot that can grant users a free subscription to Discord Nitro using stolen credit card credentials. However, in order to use the bot, users have to hand over their Discord account credentials, which LofyGang likely adds to the pile of credentials stolen by its malicious packages and tools. At the end of the day, Checkmarx’s report makes clear that anyone using LofyGang’s packages, tools, and services ends up handing over their account and credit card credentials, whether they realize it or not.