Roblox is one of the most popular game systems in the world. In 2021, this gaming platform grew from 32.6 million daily active users to nearly 50 million, across 180 countries. At one point, over half of American kids were playing Roblox. Beyond that, two-thirds of all kids in the U.S. between 9 and 12 use the platform.
It’s no surprise, then, that hackers are looking to attach themselves to this service. According to Check Point Research, Roblox was the 8th-most impersonated brand in the first quarter of 2022, ahead of PayPal and Apple.
Now, a more malicious attack is afoot.
Starting in March 2022, Avanan researchers uncovered a Trojan file that was hidden within a legitimate scripting engine that’s used for cheat code in Roblox. The tool installs an executable file that installs library files into the Windows system folder, giving the program the potential to break applications, corrupt or remove data, or send information back to the hacker. In this attack brief, Avanan will analyze how hackers are installing backdoor Trojans via Roblox scripts.
Attack
In this attack, hackers are installing a self-executing program in Windows, via a Roblox scripting engine.
The file was originally found in OneDrive. Avanan then scanned and blocked the file.
In this attack, threat actors are injecting three files, one of which is a backdoor, into a scripting engine used by Roblox.
Email Example #1
This video shows how the program, called Synapse X, installs itself.
Email Example #2
The threat report shows the characteristics that make this file dangerous.
Techniques
Hackers are exploiting a scripting engine used for Roblox to insert malicious files, one of which is a backdoor trojan.
The tool is called Synapse X. It has a legitimate purpose, and its own files are safe.
The tool, however, uses techniques that are also being used by malicious programs and can be easily exploited for malware.
The specific version of the tool observed here drops three files, one of which is a backdoor Trojan.
This file installs library files (DLLs) into the Windows system folder. The malicious code can be perpetually referenced by Windows and remains running. Trojans like this can break applications, corrupt or remove data and send information to the hacker.
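The behavior described above, a user-launched executable writing DLLs into the Windows system folder, can be surfaced from endpoint telemetry. The following is an added example, not Avanan's code or tooling: it filters Sysmon-style FileCreate (Event ID 11) records for DLLs written under System32 or SysWOW64 by a process running from outside C:\Windows. The JSON layout, the sample events, every file name in them, and the C:\Windows install path are assumptions constructed for illustration.

```python
import json
import ntpath  # Windows path rules, usable on any OS

# Constructed Sysmon-style FileCreate (Event ID 11) records, one JSON object
# per line. Every path, timestamp and file name here is made up.
SAMPLE_EVENTS = r'''
{"EventID": 11, "UtcTime": "2022-03-14 18:02:11", "Image": "C:\\Users\\kid\\Downloads\\ExampleLoader.exe", "TargetFilename": "C:\\Windows\\System32\\example_a.dll"}
{"EventID": 11, "UtcTime": "2022-03-14 18:02:12", "Image": "C:\\Users\\kid\\Downloads\\ExampleLoader.exe", "TargetFilename": "C:\\WINDOWS\\SysWOW64\\example_b.DLL"}
{"EventID": 11, "UtcTime": "2022-03-14 18:05:40", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Windows\\System32\\example_c.dll"}
{"EventID": 11, "UtcTime": "2022-03-14 18:06:02", "Image": "C:\\Users\\kid\\Downloads\\ExampleLoader.exe", "TargetFilename": "C:\\Windows\\System32Backup\\example_d.dll"}
{"EventID": 1, "UtcTime": "2022-03-14 18:06:30", "Image": "C:\\Users\\kid\\Downloads\\ExampleLoader.exe"}
'''

# Assumption: Windows is installed at C:\Windows. The trailing separator keeps
# look-alike directories such as C:\Windows\System32Backup from matching.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_ROOT = "c:\\windows\\"


def norm(path):
    """Lower-case the path, unify separators and collapse '..' segments."""
    return ntpath.normcase(ntpath.normpath(path))


def suspicious_dll_drops(lines):
    """Return (time, writer, target) for DLLs written into a system folder
    by a process whose image is outside the Windows directory."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 11:  # only file-creation events
            continue
        target = norm(ev.get("TargetFilename", ""))
        writer = norm(ev.get("Image", ""))
        if (target.endswith(".dll") and target.startswith(SYSTEM_DIRS)
                and not writer.startswith(WINDOWS_ROOT)):
            hits.append((ev["UtcTime"], ev["Image"], ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_dll_drops(SAMPLE_EVENTS):
        print(hit)
```

The "writer outside C:\Windows" rule is a heuristic: legitimate installers launched from a user's Downloads folder will also match, so hits are triage leads rather than verdicts.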
We found this file in a customer’s OneDrive. It’s possible the customer uploaded it by mistake. Avanan scanned and found the file malicious.
Beyond the ability to break applications and listen to files, what’s particularly concerning about this attack is the fact that Roblox is primarily played by kids. That means that it can easily be installed on a personal computer, which might have little or no antivirus protection.
Of course, there’s a corporate risk as well. As we continue to work from home, employees may install such files on their work computers. Without it being uploaded to a service like OneDrive or Google Drive, it may not be discovered.
Further, it’s not unreasonable to think that kids might play Roblox on their parents’ computer and install the file.
This malicious file perfectly illustrates the importance of zero-trust security. In this disparate, work-from-home era, threats are everywhere, including in children’s games.
Avanan reached out to Roblox on May 6th, 2022. Roblox responded to Avanan on May 11th, 2022. Roblox noted that the exploit was in Synapse X and not Roblox. A spokesperson told Avanan: "Using third party services to circumvent specific systems is also against our Terms of Service. Roblox maintains many systems to keep our users safe and secure, and we prohibit attempts to bypass these systems or otherwise violate our platform requirements."
As a part of Avanan's disclosure process for Attack Briefs, Avanan contacts any parties directly or indirectly involved or potentially implicated in advance with its findings.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following: