Checkmarx researchers have mapped out a complex web of criminal activity that all points back to a threat actor known as LofyGang. This group of cybercriminals provides free hacking tools, Discord-related npm packages, and other services to other nefarious actors and Discord users. These tools, packages, and services, however, come with a hidden cost: the theft of users' accounts and credit card credentials.
The researchers discovered at least 200 malicious npm packages uploaded to the official npm website by various LofyGang sock puppet accounts. These npm packages look like genuine packages that enable users to interact with the Discord API. LofyGang dupes users into installing malicious packages instead of legitimate ones by uploading multiple versions of its packages with different misspellings of popular packages.
In order to give their malicious packages credibility on the npm website, the group also ties their npm packages to active and reputable GitHub repositories. An unsuspecting user who enters a typo while searching for a legitimate package may come across a listing for one of these malicious packages, fail to notice the misspelling, and install the package.
Unfortunately for those who install malicious npm packages, the packages are designed to steal users' account and credit card information. However, rather than containing malicious code directly, these packages rely on secondary packages that contain malicious code. Because malware is hidden in dependencies, the original malicious packages are less likely to be reported as malicious and removed from the npm website.
If one of the malicious dependencies is reported and removed, the threat actor can simply upload a new malicious dependency and push an update to the user's original npm package, instructing it to rely on this new malicious dependency.
LofyGang distributes malicious hacking tools on GitHub in addition to malicious npm packages. The hacking tools, like the npm packages, are usually Discord-related. These programmes also contain malicious dependencies that steal account and credit card information. LofyGang promotes these tools on a variety of platforms, including YouTube, where the group posts tool tutorials.
LofyGang's Discord server, which has been operational since October 2021, is another avenue for promoting the group's malicious hacking tools. Users can join this Discord server to get assistance with the tools. The server also includes a Discord bot that can grant users a free Discord Nitro subscription using stolen credit card information.
However, in order to use the bot, users must provide their Discord account credentials, which LofyGang is likely to add to the growing list of credentials stolen by its malicious packages and tools. At the end of the day, Checkmarx's report shows that anyone using LofyGang's packages, tools, and services, whether they realise it or not, is handing over their account and credit card credentials.