Roblox is an immensely popular children’s game system. In 2021, the gaming platform grew from 32.6 million daily active users to nearly 50 million, across 180 countries. Over 30.6 billion hours of engagement have been logged. More than 50% of American children have played Roblox games and nearly 66% of American children between the ages of 9 and 12 use the platform.

On this account, it’s little surprise that hackers wish to attach themselves to the Roblox service. Per Check Point Research, Roblox was the 8th-most impersonated brand during the first quarter of 2022, ahead of both Paypal and Apple.

Roblox bug discovery

The initial hint of a hacker surfaced in March of 2022, as researchers uncovered a Trojan file hidden within a legitimate scripting engine that’s used for cheat code in Roblox. The tool installs an executable file, which installs library files onto the Windows system folder. In turn, this enables the program to potentially break applications, corrupt or remove data or exfiltrate information to hackers.

How a Roblox cyber attack works – technical details

In this attack, hackers install a self-executing program in Windows, via a Roblox scripting engine. The file was originally found in OneDrive. Avanan managed to scan and block the file.

  • Vector: Downloadable file
  • Type: Malware
  • Techniques: Backdoor Trojan, malicious file injection
  • Target: Any end-user

Within the attack, hackers inject three files, including a backdoor, into a scripting engine used by Roblox.

Roblox cyber attack technique

Hackers are exploiting a scripting engine used for Roblox. This enables hackers to insert malicious files, and as noted previously, one of these files is a backdoor trojan. The tool used is called Synapse X, which has a legitimate function and has safe files.

However, the tool leverages techniques that are also in use by other malicious programs, and that can be exploited for malware delivery purposes.

In the specific version of the tool, as observed by cyber security researchers, the backdoor Trojan installs library files into the Windows system folder. The malicious code can then be perpetually referenced by Windows. It remains running. These kinds of Trojans can break applications, corrupt, or remove data and send information to hackers.

Avanan, a Check Point Company, identified this file in a customer’s OneDrive. Avanan’s scan marked the file as malicious.

Why this matters

Beyond the ability to break applications and listen to files, what researchers found unsettling about this is the fact that the attack really targets children. Roblox is primarily played by kids. It’s easily installed on a personal computer, which may or may not have anti-virus protection.

Of course, there’s also a corporate risk. As we continue to work from home, employees may install such files on their work computers. Without file uploading to services like OneDrive or Google Drive, the malicious attack may perpetuate undiscovered.

Researchers assert that it’s not unreasonable to think that children might play Roblox on their parent’s computers, unwittingly installing a malicous file.

This situation provides perfect illustration of the importance of zero-trust security. In this new era of working-from-home, threats can come from anywhere. This includes children’s games.

Roblox’s response to the report

On May 6th, the Avanan company reached out to Roblox. A spokesperson for Roblox noted that the exploit was in Synapse X and not in Roblox. “Using third party services to circumvent specific systems is also against our Terms of Service. Roblox maintains many systems to keep our users safe and secure…”

For more on this story, please see Avanan’s blog post. Coverage of this bug has also appeared in the Sun. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.