We recently discussed how cyber criminals are using the popular voice/chat client Discord to steal cookies from the running Roblox process on a Windows PC. Since then, we’ve noticed another attack going after the same information, only this time it is via Chrome extensions (CRX files). While it currently only targets Roblox users, the same technique can be used to steal cookies from any website. The stolen information is sent via Discord, but this could also be configured to use other chat platforms.

We learned this particular Chrome extension was, in fact, for sale on the Dream Market underground marketplace for only 99 cents:

Figure 1. Roblox Trade Bot being sold on the "Dream Market" underground marketplace

We obtained samples of this bot using the following file names: ROBLOX BOT.zip, Crm5extension.crx, Roblox Enhancer.crx, and DankTrades.zip. The ZIP file contains a file named bgWork.js. Searching for the terms CRM5 or bgWork.js leads right back to the forum. This underground marketplace forum is a hotspot for Roblox hacks, where users even trade ROBUX (the in-game currency of Roblox) for other work or products.

Looking into bgWork.js, there is a configured Discord webhook that sends out the stolen Roblox cookie via the Discord API when installed. In this case, the example shows that the extension is called a Trade Bot and claims to be a RAP (Recent Average Price) Value assistant that can help you trade your ROBUX for something else. This extension doesn’t do that; it will only send a stolen cookie to a Discord channel, leaving the user with nothing in return.

Figure 3. Title and message of the malicious extension

bgWork.js will send the message via Discord using a predefined webhook, which could also be changed to use any of the other chat platforms discussed in our paper titled How New Chat Platforms Can Be Abused by Cybercriminals.

Figure 4. Code sending stolen cookie via Discord

The extension also sets up an alarm that will trigger an event every 15 minutes. This event will send the stolen cookie (again) through the Discord API. These alarms ensure that the updated cookie is constantly uploaded to the attacker.

At the beginning of the bgWork.js file (where the variables are configured), the attacker can change their webhook URL, or the cookie they want to steal. This means that this could be used to steal any cookie that is in the web browser; this capability is new to this version.

Figure 6. Code for configuring cookie to steal and Discord API

Because CRX files are just ZIP files with a different extension, the malware can be easily reconfigured to steal the cookies from any website besides Roblox. Changing the extension’s manifest.json file will allow for its properties to be changed (such as its name and description), making it more likely for an unsuspecting user to fall victim to this attack.

Figure 7. manifest.json file of Chrome extension

Unless a user looks into the extension’s code, it looks benign. It may run for a long period of time, allowing an attacker to steal ROBUX repeatedly if the victim keeps purchasing or acquiring new ROBUX. All it takes is one time running the extension for the ROBUX cookie to be stolen and sent to the actor.

Figure 8. Roblox Trade Assist extension installed in Google Chrome

The extension sends the Roblox cookie to a Discord channel like the previous malware, as seen below. We modified the code to send it to a Discord channel of our choice:

Figure 9. Cookies sent to Discord

Unlike previous versions of Roblox cookie stealers like TSPY_RAPID.A and TSPY_RAPID.D that were compiled using C#, this particular malware will also work on Macintosh computers.

Figure 10. Roblox Trade Assist extension installed in Google Chrome on an OS X system

The version we found required the user to manually install the extension into his Chrome browser, which required Developer Mode to be turned on. We wondered if any of these trade bots made it into the official Chrome web store, and found that they did:

Figure 11. Roblox Trade Bot extensions in the Chrome web store

Checking the reviews for these add-ons, we saw that some users complained that these were stealing ROBUX. One reviewer even stated it steals the whole Roblox account.

Figure 12. Reviews of Roblox Trade Bot

We looked at all the Roblox trade bots that were listed in the web store, and found that all of these were malicious; they would send your cookies to a remote Discord webhook. One of them, once installed, even shares the same icon as the malicious extension that was discussed earlier.

Figure 13. Malicious Chrome extension with TRADE icon
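
The traits this analysis describes (a cookie-capable extension whose background script carries a Discord webhook URL and a repeating alarm) can be checked by unpacking an extension package before it is installed. The following Python triage sketch is an added example, not code from the original post or from the samples; the function names, the regular expressions and the constructed sample package are assumptions made for illustration.

```python
import io, json, re, zipfile

# Discord webhook URLs look like https://discord(app).com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(r"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
COOKIE_API_RE = re.compile(r"chrome\.cookies\.(?:get|getAll)\b")
ALARM_API_RE = re.compile(r"chrome\.alarms\.create\b")

def triage_extension(package: bytes) -> dict:
    """Return the indicators found in a CRX/ZIP extension package."""
    findings = {"name": None, "cookies_permission": False, "webhooks": [],
                "reads_cookies": [], "sets_alarm": []}
    # zipfile locates the archive from its end, so a CRX header in front is tolerated.
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for entry in zf.namelist():
            text = zf.read(entry).decode("utf-8", errors="replace")
            if entry == "manifest.json":
                manifest = json.loads(text)
                # The display name is attacker-controlled; report it, never trust it.
                findings["name"] = manifest.get("name")
                findings["cookies_permission"] = "cookies" in manifest.get("permissions", [])
            elif entry.endswith(".js"):
                findings["webhooks"] += WEBHOOK_RE.findall(text)
                if COOKIE_API_RE.search(text):
                    findings["reads_cookies"].append(entry)
                if ALARM_API_RE.search(text):
                    findings["sets_alarm"].append(entry)
    # Cookie access plus a hard-coded chat webhook is the combination described above.
    findings["suspicious"] = bool(findings["cookies_permission"]
                                  and findings["reads_cookies"] and findings["webhooks"])
    return findings

def build_sample() -> bytes:
    """Constructed, non-functional package holding indicator strings only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({
            "name": "Sample Trade Helper", "manifest_version": 2,
            "permissions": ["cookies", "alarms"],
            "background": {"scripts": ["bgWork.js"]}}))
        zf.writestr("bgWork.js",
            "// constructed fragment, not the real sample\n"
            'var hook = "https://discordapp.com/api/webhooks/000000000000000000/PLACEHOLDER";\n'
            'chrome.alarms.create("tick", {periodInMinutes: 15});\n'
            "chrome.cookies.get(/* elided */);\n")
    return b"Cr24" + b"\x00" * 12 + buf.getvalue()  # constructed CRX-style prefix

if __name__ == "__main__":
    print(json.dumps(triage_extension(build_sample()), indent=2))
```

A hit on all three indicators is a reason to read the background script by hand, not a verdict: legitimate extensions also use the cookies and alarms APIs.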