Security Experts Urge Users to Stop Downloading and Updating Mods for Minecraft Immediately
Security experts and the creators of Minecraft’s open-source Prism Launcher are urging users to stop downloading and updating mods for the game immediately due to the discovery of a self-propagating Fracturiser malware attacking systems running Windows and Linux.
Malware Found in Mods Hosted on CurseForge Platform
The infected mods were published from developer accounts on the CurseForge platform. Some of the malicious files used in the attacks date back to mid-April, suggesting that the accounts were compromised several weeks before the discovery. In addition, Bukkit.org, a developer platform run by CurseForge, is also believed to have been affected by the attack.
“A number of Curseforge and dev.bukkit.org accounts (not the Bukkit software itself) were compromised, and malware was injected into copies of many popular plugins and mods,” reads a write-up on Hackmd, in a thread dedicated to discussing what happened. “Some of the malicious copies are embedded in popular modpacks, including Better Minecraft [has over 4.6 million downloads]. There were reports of malicious JARs in plugins and mods as early as mid-April.”
Prism Launcher says the infection is “widespread” and lists the following mods as being affected by the attack.
List of Affected Mods
CurseForge:
– Dungeons Arise
– Sky villages
– Better MC modpack series
– Dungeons
– Skyblock Core
– Vault Integrations
– Autobroadcast
– Museum Curator Advanced
– Vault Integrations Bug fix
– Create Infernal Expansion Plus (mod removed from CurseForge)
Bukkit:
– Display Entity Editor
– Haven Elytra
– The Nexus Event Custom Entity Editor
– Simple harvesting
– MCBounties
– Easy Custom Foods
– Anti Command Spam Bungeecord Support
– Ultimate Leveling
– Anti Redstone Crash
– Hydration
– Fragment Permission Plugin
– No VPNs
– Ultimate Titles Animations Gradient RGB
– Floating Damage
How the Malware Works
The Fracturiser malware used in these attacks works on both Windows and Linux. It is delivered in stages, and the infection chain starts when the user launches one of the infected mods. At each subsequent stage, the malware downloads further files from the control server and then proceeds to the next stage.
Stage 3, the final stage, creates a folder and a script that modifies the registry (on Windows), and then performs the following actions:
– Spreads itself to every JAR file it can find in the file system, allowing Fracturiser to infect mods that were not downloaded from CurseForge or BukkitDev;
– Steals cookies and login information from a number of browsers;
– Replaces cryptocurrency addresses in the clipboard with alternative ones belonging to the attackers;
– Steals Discord credentials;
– Steals Microsoft and Minecraft credentials.
Judging by the malware samples uploaded to VirusTotal (1, 2), not all antivirus solutions detect Fracturiser yet.
Indicators of Compromise
People who want to manually scan their systems for Fracturiser and signs of infection should look for the following indicators of compromise.
Linux: ~/.config/.data/lib.jar
Windows: loo
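A small triage script for the Linux indicator listed above, added here as an example and not taken from the article or from the Prism Launcher or Hackmd write-ups. It checks for the ~/.config/.data/lib.jar path and, because the malware rewrites JAR files on disk, also lists JARs whose modification time falls on or after the mid-April start of the campaign, which is an assumed cutoff, not a figure from the page. The Minecraft and Prism Launcher mod directories in the script are assumed defaults; a listed JAR is a lead for manual inspection, not proof of infection.

```python
"""Triage scan for the Linux Fracturiser indicator quoted in the article.

Added example (not the article's or any project's code). Assumptions not
stated on the page: the scan runs as the affected user, the cutoff for the
JAR-modification heuristic is 15 April 2023, and every hit is only a lead
for manual inspection.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Linux dropper location quoted in the article's indicator list.
LINUX_IOC = Path(".config") / ".data" / "lib.jar"

# The article says malicious JARs appeared as early as mid-April; the exact
# day is an assumption used only as the heuristic cutoff.
CUTOFF = datetime(2023, 4, 15, tzinfo=timezone.utc)


def ioc_present(home) -> bool:
    """True if the Linux stage JAR path exists under the given home directory."""
    return (Path(home) / LINUX_IOC).is_file()


def recently_modified_jars(root, cutoff=CUTOFF):
    """Return .jar files under root whose mtime is at or after cutoff.

    Fracturiser rewrites JARs on disk, so a JAR that changed after the
    campaign began, and that the user did not knowingly update, deserves a
    closer look. This is a triage heuristic, not a detection.
    """
    hits = []
    for path in Path(root).rglob("*.jar"):
        if not path.is_file():
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime >= cutoff:
            hits.append(path)
    return sorted(hits)


def scan(home, mod_dirs) -> dict:
    """Combine the path check and the JAR heuristic into one report."""
    home = Path(home)
    report = {
        "ioc_path": str(home / LINUX_IOC),
        "ioc_present": ioc_present(home),
        "suspect_jars": [],
    }
    for directory in mod_dirs:
        directory = Path(directory)
        if directory.is_dir():
            report["suspect_jars"].extend(str(p) for p in recently_modified_jars(directory))
    return report


def demo() -> dict:
    """Run the scan against a constructed fixture in a temporary directory.

    The fixture is fabricated for demonstration: a stand-in file at the IoC
    path, one JAR backdated to January 2023 and one JAR written just now.
    None of the files contain real malware.
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        mods = home / ".minecraft" / "mods"
        mods.mkdir(parents=True)
        ioc = home / LINUX_IOC
        ioc.parent.mkdir(parents=True)
        ioc.write_bytes(b"PK\x03\x04")  # constructed placeholder, not the dropper
        old = mods / "old-mod.jar"
        old.write_bytes(b"PK\x03\x04")
        old_ts = datetime(2023, 1, 1, tzinfo=timezone.utc).timestamp()
        os.utime(old, (old_ts, old_ts))  # predates the campaign
        (mods / "recent-mod.jar").write_bytes(b"PK\x03\x04")  # mtime is now
        return scan(home, [mods])


if __name__ == "__main__":
    home = Path.home()
    # Assumed default mod locations on Linux; adjust for your launcher.
    candidates = [
        home / ".minecraft" / "mods",
        home / ".local" / "share" / "PrismLauncher" / "instances",
    ]
    result = scan(home, candidates)
    print("IoC present:", result["ioc_present"], "at", result["ioc_path"])
    for jar in result["suspect_jars"]:
        print("inspect:", jar)
```

Run it as the user whose mods are installed; the modification-time heuristic will also flag mods you legitimately updated after mid-April, so treat its output as a list of files to check against the release on the mod's official page rather than as a verdict.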