SBN

Inside the “fallguys” malware that steals your browsing data and gaming IMs; Continued attack on open source software

This weekend a report emerged of mysterious npm malware stealing sensitive information from Discord apps and web browsers installed on a user’s machine.

DevOps Connect:DevSecOps @ RSAC 2022

The malicious component called “fallguys” lived on npm downloads impersonating an API for the widely popular video game, Fall Guys: Ultimate Knockout. Its actual purpose, however, was rather sinister.

As first reported by ZDNet and analyzed by the npm security team, the component when included in your development builds would run alongside your program, and access the following files:

  1. /AppData/Local/Google/Chrome/Userx20Data/Default/Localx20Storage/leveldb
  2. /AppData/Roaming/Operax20Software/Operax20Stable/Localx20Storage/leveldb
  3. /AppData/Local/Yandex/YandexBrowser/Userx20Data/Default/Localx20Storage/leveldb
  4. /AppData/Local/BraveSoftware/Brave-Browser/Userx20Data/Default/Localx20Storage/leveldb
  5. /AppData/Roaming/discord/Localx20Storage/leveldb

The file list comprises the local storage leveldb files of different web browsers, such as Chrome, Opera, Yandex, and Brave, along with any locally installed Discord apps.

LevelDB is a key-value storage format mainly used by web browsers to store data especially that relates to a user’s web browsing sessions.

The “fallguys” component would pry on these files and upload them to a third-party Discord server, e.g. via webhooks.

A peek inside npm “fallguys”

Npm removed the malicious package, but fortunately we retain a copy of all components in a secure archive, so the Sonatype Security Research team was able to quickly analyze the malware. In fact, we got this into our data well before the news broke so Nexus users are safe!

In this Nexus Intelligence Insights post, we share a first look inside “fallguys”.

Vulnerability identifier: sonatype-2020-0774
Vulnerability type: Embedded Malicious Code
Impacted package: fallguys as formerly present in npm downloads

CVSS 3.1 Severity Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS3.1 Score: 10 (Critical)

While “fallguys” package was likely created with malicious intent from the beginning, the package exhibits outright suspicious behavior in version 1.0.6.

There are three files found in version 1.0.6. One is a README which touts the malware being a Fall (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Akshay 'Ax' Sharma. Read the original post at: https://blog.sonatype.com/inside-the-fallguys-malware