Hello Community,
On our Discord server, our member TheMeinerLP#0001 made us aware of the "fractureiser" malware, which unfortunately managed to spread very quickly and widely through the Minecraft scene before it was discovered. This case is so recent that not all the details are clear yet; new findings are coming in hourly.
We want to use our reach to draw attention to this malicious code here as well. Even though it has not yet been conclusively established how far-reaching this discovery is, it is important to inform people as early as possible.
CurseForge and its community are leading the investigation and disclosure; a continuously updated report can be found here: https://hackmd.io/B46EYzKXSfWSF35DeCZz9A
Below we have translated the introduction from there for you, so that you get a first impression of what this is about:
A number of Curseforge and dev.bukkit.org accounts (not the Bukkit software itself) were compromised, and malicious software was injected into copies of many popular plugins and mods. Some of these malicious copies were injected into popular modpacks, including Better Minecraft. There were reports of malicious plugin/mod JARs as early as mid-April.
This malware consists of several "stages", with each stage responsible for downloading and executing the next. In total there are three known stages (Stages 1, 2 and 3), with infected mod files serving as "Stage 0" to kick off the whole process.
Stage 3 is the "mastermind" of the malware, and we have evidence that it attempts the following:
- Propagate itself to all JAR files on the filesystem, possibly infecting mods that were not downloaded from CurseForge or BukkitDev
- Steal cookies and login information for many web browsers
- Replace cryptocurrency addresses in the clipboard with alternates that are presumably owned by the attacker
- Steal Discord credentials
- Steal Microsoft and Minecraft credentials
Best regards,
the minecraft-server.eu team
Current status
We have a good idea how fractureiser works, from stages 0 to 3. There are certain unknowns, but stage 0 bootstrapping was quickly nipped in the bud, and tomorrow we'll be moving our focus to mitigation. As a plan, we've contacted Mojang and will likely be working with teams to get detection software distributed and integrated into CurseForge and Modrinth, as well as considering integration in launchers like Prism and mod loaders like Fabric and Forge. It is also worthwhile to run this detection software on mod distribution Maven repositories, as it's possible some have become infected.
Most of the current team responsible for updating this doc is tired and going to bed (as of 02:46a Pacific time). Others are continuing to reverse engineer stage 3.
Work has begun on a detector for infected stage0 mods: https://github.com/MCRcortex/nekodetector
If you have files relevant to this malware, please upload them to https://wormhole.app and email the URL to [email protected] — this inbox is controlled by xylemlandmark, and anything sent to it will be shared with the rest of the team. Please also let us know if you have the ability to download files from VirusTotal, as that would let us get ahold of many of the files we’re missing. We are looking especially for one lib.dll.
If you copy portions of this document elsewhere, please put a prominent link back to this HackMD page (https://hackmd.io/@jaskarth4/B1gaTOaU2) somewhere near the top so that people can read the latest updates and get in contact.
Non-technical overview [READ ME!]
A number of Curseforge and dev.bukkit.org (not the Bukkit software itself) accounts were compromised, and malicious software was injected into copies of many popular plugins and mods. Some of these malicious copies have been injected into popular modpacks including Better Minecraft. There are reports of malicious plugin/mod JARs as early as mid-April.
This malware is composed of multiple “stages”, each stage is responsible for downloading and running the next one. In total, there are three known stages (Stages 1, 2, and 3), with infected mod files serving as a “Stage 0” to kick the whole process off.
Stage 3 is the “mastermind” of the malware, and we have evidence that it attempts to do all of the following:
- Propagate itself to all JAR files on the filesystem, possibly infecting mods that were not downloaded from CurseForge or BukkitDev
- Steal cookies and login information for many web browsers
- Replace cryptocurrency addresses in the clipboard with alternates that are presumably owned by the attacker
- Steal Discord credentials
- Steal Microsoft and Minecraft credentials
(See technical details for more info)
Because of its behavior, we are very confident this is a targeted attack against the modded Minecraft ecosystem. It’s quite bad.
Until further notice, exercise extreme caution with Minecraft mod downloads, regardless of origin. While the control server for this malware is currently offline, any download from Curseforge or the Bukkit plugin repository in the last 2-3 weeks should be treated as potentially malicious. This malware is unlikely to be detected by Windows Defender or similar antimalware products.
If you have downloaded any mods from Curseforge, or plugins from Bukkit, even through clients such as Prism Launcher or the official Curseforge launcher, it is recommended that you follow the “Am I infected?” guide below.
The affected accounts had two-factor authentication enabled. This is not a simple password compromise situation. Multiple accounts are affected.
Currently, we do not suspect other platforms such as Modrinth to be affected, but at this point we cannot be confident claiming that any hosting service is unaffected. Please exercise caution regardless of what site you use. Even Maven repositories may be infected, and this malware goes back months.
Right now, the malware is dormant due to the loss of its C&C server and the Stage0 (what was distributed via mods and modpacks) not having a way to get a new server. If you were infected with Stage2 (the file described below, dropped by Stage1 when C&C was up), then the malware is still active.
Am I infected?
You can check whether the malware ever ran on your computer, since Stage1 attempts to save Stage 2 at several unusual paths:
- Linux: ~/.config/.data/lib.jar
- Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar)
  - Make sure to show hidden files when checking
  - Yes, "Microsoft Edge" with a space. MicrosoftEdge is the legitimate directory used by actual Edge.
  - Also check the registry for an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - Or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
- All other OSes: Unaffected. The malware is hardcoded for Windows and Linux only. It is possible it will receive an update adding payloads for other OSes in the future.
There are scripts available here which will help you check whether these files exist.
Before downloading, the malware will create the enclosing directory if it does not exist. Windows/MS Edge does not use the “Microsoft Edge”-with-a-space directory, and Linux software does not use ~/.config/.data, so these folders existing is a likely sign that Stage1 has executed on a victim computer.
If you find these files, you should delete them immediately, but consider all JAR files on your system compromised, and potentially all logins on your web browser as well. Passwords should be changed.
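The following script is an added example for the check above; it is not one of the scripts the write-up links to. It looks for the Stage 2 drop paths listed above, treats a bare parent directory as a hit (Stage 1 creates it before downloading), and on Windows enumerates the HKCU Run key and Startup folder. The Run-key filter (values mentioning `.jar`, `javaw` or `java.exe`) is my own assumption about what a suspicious autostart entry looks like, not a fingerprint from the write-up, so review every hit by hand. `home` and `localappdata` are passed in explicitly so the same functions can be pointed at a test directory or a mounted disk image.

```python
"""Added example (not the write-up's own detector scripts): check a machine, or
a mounted copy of one, for the traces the fractureiser Stage 1 dropper leaves:
the Stage 2 drop paths, their unusual parent directories, and on Windows the
HKCU Run key and Startup folder it uses for persistence."""
import os
import sys
from pathlib import Path

# Drop locations from the write-up. Stage 1 creates the parent directory
# before downloading, so an empty "Microsoft Edge" (with a space) or
# ~/.config/.data directory is itself a signal.
STAGE2_LINUX = Path(".config") / ".data" / "lib.jar"
STAGE2_WINDOWS = Path("Microsoft Edge") / "libWebGL64.jar"


def candidate_paths(system, home, localappdata=None):
    """Stage 2 paths to check for a platform.system()-style `system` name.
    `home` and `localappdata` are explicit so the check can point at a test
    directory or a mounted image instead of the live machine."""
    if system == "Linux":
        return [Path(home) / STAGE2_LINUX]
    if system == "Windows":
        base = Path(localappdata) if localappdata else Path(home) / "AppData" / "Local"
        return [base / STAGE2_WINDOWS]
    return []  # no known payload for other OSes


def find_indicators(paths):
    """(kind, path) for each Stage 2 file, or bare parent directory, that exists."""
    hits = []
    for p in paths:
        if p.exists():
            hits.append(("stage2-file", str(p)))
        elif p.parent.exists():
            hits.append(("stage2-dir-only", str(p.parent)))
    return hits


def windows_persistence():
    """Windows only: HKCU Run values that launch a .jar or Java (assumed
    heuristic; a Java launcher in autostart is unusual on a player's machine)
    plus every shortcut in the Startup folder, listed for manual review."""
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, run) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            i += 1
            if any(t in str(value).lower() for t in (".jar", "javaw", "java.exe")):
                hits.append(("run-key", "%s=%s" % (name, value)))
    startup = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" \
        / "Start Menu" / "Programs" / "Startup"
    for lnk in startup.glob("*.lnk"):
        hits.append(("startup-shortcut", str(lnk)))
    return hits


if __name__ == "__main__":
    import platform
    paths = candidate_paths(platform.system(), str(Path.home()),
                            os.environ.get("LOCALAPPDATA"))
    found = find_indicators(paths) + windows_persistence()
    for kind, where in found:
        print("[%s] %s" % (kind, where))
    print("no indicators found" if not found
          else "%d indicator(s); review above" % len(found))
```

Run it as the user whose profile you want to check; a `stage2-dir-only` hit means Stage 1 got as far as creating the directory even if the Stage 2 download itself failed, which is still worth treating as an infection.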
Given a jar file, how do I know if it’s safe?
There are various heuristics you can use to determine whether a jar is infected with Stage 0.
Emi’s shell script here simply checks for all usages of ClassLoader, which is uncommon in mod code. This can lead to false positives and negatives. For example, it falsely flags the latest Quark 1.19 file as infected when it is not.
Sylv’s shell script here does a bit more fingerprint matching for the malware, and should be more precise.
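As an added example of the ClassLoader heuristic described above (my own code, not Emi's or Sylv's script), the following parses the constant pool of every class in a jar and reports which classes reference `java/lang/ClassLoader` or its common subclasses. Parsing the pool instead of grepping raw bytes tells you which class made the reference and avoids matching the word inside unrelated string constants, but it is still the same heuristic the write-up warns about: legitimate mods (Quark is the example given) do use ClassLoader, so a hit is a reason to look, not proof of infection. The sample jar at the bottom is constructed in the script from hand-built minimal class files, not taken from any real mod.

```python
"""Added example: the "does this jar touch ClassLoader?" heuristic from the
write-up, done by parsing each class file's constant pool rather than grepping
raw bytes, so hits are reported per class. Not Emi's or Sylv's script."""
import io
import struct
import zipfile

# Payload size of each constant-pool tag except Utf8 (tag 1, variable length).
_CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Types whose presence the heuristic flags (assumed list; ClassLoader itself is
# the one the write-up names, the others are its common JDK subclasses).
SUSPICIOUS = ("java/lang/ClassLoader", "java/net/URLClassLoader",
              "java/security/SecureClassLoader")


def class_references(class_bytes):
    """Return the set of class names referenced by CONSTANT_Class entries."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, i = 10, 1
    utf8, class_idx = {}, []
    while i < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                      # Utf8: u2 length + bytes
            ln = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            utf8[i] = class_bytes[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
        else:
            if tag == 7:                  # Class: u2 index of a Utf8 entry
                class_idx.append(struct.unpack(">H", class_bytes[pos:pos + 2])[0])
            pos += _CP_SIZES[tag]         # KeyError on an unknown tag
        i += 2 if tag in (5, 6) else 1    # Long/Double occupy two slots
    return {utf8[j] for j in class_idx if j in utf8}


def scan_jar(data):
    """Map each .class in the jar (bytes) to the SUSPICIOUS types it references."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".class"):
                continue
            try:
                refs = class_references(z.read(name))
            except (ValueError, struct.error, KeyError, IndexError):
                continue                  # malformed entry: skip, do not crash
            bad = sorted(r for r in refs if r in SUSPICIOUS)
            if bad:
                hits[name] = bad
    return hits


def make_class(this_name, refs):
    """Constructed test input: a minimal class file whose pool holds `this_name`
    and `refs` as Utf8+Class pairs, followed by empty member tables."""
    pool, n, this_idx = bytearray(), 1, None
    for nm in [this_name] + list(refs):
        enc = nm.encode()
        pool += b"\x01" + struct.pack(">H", len(enc)) + enc  # Utf8 at index n
        pool += b"\x07" + struct.pack(">H", n)               # Class at n+1
        this_idx = this_idx or n + 1
        n += 2
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, n)
    # access_flags, this_class, super_class, and zero interfaces/fields/methods/attrs
    return header + bytes(pool) + struct.pack(">HHHHHHH", 0x21, this_idx, 0, 0, 0, 0, 0)


def make_jar(classes):
    """Constructed test input: zip the {name: class bytes} mapping into a jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, blob in classes.items():
            z.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_jar({
        "com/example/Loader.class": make_class("com/example/Loader",
                                               ["java/lang/ClassLoader", "java/lang/Object"]),
        "com/example/Clean.class": make_class("com/example/Clean", ["java/lang/Object"]),
    })
    for cls, refs in scan_jar(jar).items():
        print("%s -> %s" % (cls, ", ".join(refs)))
```

To scan a real mod, read the jar into bytes and pass it to `scan_jar`; for a directory of mods, loop over `*.jar` and print only the files with a non-empty result, then inspect the flagged classes with `javap -c` to see what the ClassLoader reference is actually used for.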
As a non-technical user, your best course of action is to check if your system was affected using the above steps, remediating if necessary, and refraining from downloading anything from CurseForge or dev.bukkit.org until further notice.