Dozens Of Popular Minecraft Mods Found Infected With Fracturiser Malware

A platform that offers add-ons for the hugely popular game Minecraft is advising users to stop downloading or updating mods immediately after discovering that dozens of mods hosted there have been infected with malware.

The compromised mod developer accounts are hosted by CurseForge, a platform that hosts accounts and forums for add-on software, called mods or plugins, that expands the capabilities of the standalone Minecraft game. Some of the malicious files used in the attack date from mid-April, suggesting the compromised accounts had been active for weeks. Bukkit.org, a developer platform powered by CurseForge, was also reportedly affected.

Malware infecting Windows and Linux systems

"A number of Curseforge and dev.bukkit.org accounts (not the Bukkit software itself) have been compromised and malware has been planted in copies of many popular plugins and mods," players wrote on the dedicated discussion forum. "Several of these malicious copies have been packaged into popular modpacks, including Better Minecraft. There have been reports of malicious JAR plugins/mods since early April."

Officials at Prism Launcher, makers of the open-source Minecraft launcher, described the infection as "widespread" and listed the following mods as affected:

CurseForge:

  • The dungeon is coming
  • Heavenly City
  • The best MC modpack series
  • basement, cellar
  • Sky Block Core
  • vault integration
  • automatic transmission
  • Advanced Museum Curator
  • Vault integration bug fixes
  • Removed Create Infernal Expansion Plus mod from CurseForge

Bukkit:

  • Displays the entity editor
  • The elytra of the sky
  • Nexus special event entity editor
  • Easy Harvest
  • MC Bounties
  • Simple food made to order
  • Support for Bungeecord anti-spam commands
  • Final leveling
  • Impact resistant stone
  • hydration
  • Fragment Authorization Plugin
  • No VPNs
  • The latest title is RGB Gradient Animations
  • swing damage

Participants who posted on the forum said that the malware used in the attack, called Fracturiser, runs on both Windows and Linux systems. It is delivered in stages, starting with stage 0, which begins as soon as someone runs one of the infected mods. Each stage downloads files from the command-and-control server and then invokes the next stage. Stage 3, presumably the last in the series, creates files and scripts, makes registry changes, and also does the following:

  • Spreads to all JAR (Java Archive) files on the file system, allowing Fracturiser to infect other mods, including ones not downloaded from CurseForge or BukkitDev
  • Steals cookies and credentials from various web browsers
  • Replaces cryptocurrency addresses on the clipboard with a different one
  • Steals Discord credentials
  • Steals Microsoft and Minecraft credentials

According to malware samples posted here and here on VirusTotal, as of 10:45 am California time, only four major antivirus engines detected Fracturiser. Forum participants say that people who want to manually check their systems for signs of infection should look for the following:

  • Linux: ~/.config/.data/lib.jar
  • Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar)
    • Make sure hidden files are shown when searching
    • Yes, "Microsoft Edge" with a space; "MicrosoftEdge" is the legitimate directory Edge uses today
    • Also check the registry for entries under HKEY_CURRENT_USER:\Software\Microsoft\Windows\CurrentVersion\Run
    • Or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • All other operating systems: not affected. The malware is coded only for Windows and Linux. It is possible that it will receive updates in the future that add payloads for other operating systems.

The people investigating the incident have provided a script here to make checking for these files easier. CurseForge provides cleanup instructions here.
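As an added example (not the investigators' script or CurseForge's tool), the following Python checks a host for the file, Startup-folder and Run-key indicators listed above. The paths come from the forum post; the function names, the UTF-16 handling for Windows shortcut files, and the use of `winreg` (only attempted on Windows) are this example's own assumptions.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional

# Indicator locations quoted above, relative to $HOME, %LOCALAPPDATA% and %APPDATA%.
LINUX_INDICATOR = Path(".config") / ".data" / "lib.jar"
WINDOWS_INDICATOR = Path("Microsoft Edge") / "libWebGL64.jar"      # "Microsoft Edge" with a space
STARTUP_DIR = Path("Microsoft/Windows/Start Menu/Programs/Startup")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
JAR_RE = re.compile(r"libWebGL64\.jar", re.IGNORECASE)


def find_indicator_files(home: Path, local_appdata: Optional[Path] = None) -> List[Path]:
    """Return the dropped JARs that exist; Path.is_file() does not skip hidden directories."""
    candidates = [home / LINUX_INDICATOR]
    if local_appdata is not None:
        candidates.append(local_appdata / WINDOWS_INDICATOR)
    return [p for p in candidates if p.is_file()]

def find_startup_entries(appdata: Path) -> List[Path]:
    """Return Startup-folder items that are, or point at, the indicator JAR.
    Shortcut (.lnk) files store their target as UTF-16, so both encodings are searched."""
    startup = appdata / STARTUP_DIR
    if not startup.is_dir():
        return []
    hits = []
    for entry in sorted(startup.iterdir()):
        if not entry.is_file():
            continue
        data = entry.read_bytes()
        haystack = entry.name + data.decode("latin-1") + data.decode("utf-16-le", "ignore")
        if JAR_RE.search(haystack):
            hits.append(entry)
    return hits

def suspicious_run_values(values: Dict[str, str]) -> Dict[str, str]:
    """Flag HKCU ...\\Run commands that launch the indicator JAR (pure, so it is testable anywhere)."""
    return {name: cmd for name, cmd in values.items() if JAR_RE.search(cmd)}

def read_hkcu_run() -> Dict[str, str]:
    """Enumerate the HKCU Run key on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):      # [1] is the number of values
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values
```

On a live host, call `find_indicator_files(Path.home(), Path(os.environ["LOCALAPPDATA"]))`, `find_startup_entries(Path(os.environ["APPDATA"]))` and `suspicious_run_values(read_hkcu_run())`; a hit in any of them matches the manual checks above and warrants the cleanup steps linked by CurseForge.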

Taking to social media, CurseForge officials said that "attackers create multiple accounts and upload projects containing malware to the platform." They added that a user account belonging to mod developer Luna Pixel Studios was also hacked and used to upload similar malware.

In an official CurseForge update posted on the Discord channel, they wrote:

  • Attackers create multiple accounts and upload projects containing malware to the platform
  • Additionally, a Luna Pixel Studios (LPS) user was hacked and used to upload similar malware
  • We banned all related accounts and also disabled LPS. We are in direct contact with the LPS team to help them restore access
  • We go through ALL new projects and files to ensure your safety. Of course, we support the process of approving all new files until this issue is resolved
  • Removing the CF client is not a recommended solution as it does not solve the problem and prevents us from implementing the fix. We're working on a tool to help you make sure you're not affected by any of these issues. In the meantime, check out the information posted under #recent-issues.
  • This is ONLY relevant for Minecraft users
  • To be clear: CurseForge is not compromised! No administrator accounts were hacked.

We are working to ensure the platform remains a safe place to download and share mods. Thank you to all the authors and users who helped us with the highlighting. Thank you for your cooperation and patience ❤️

In an online interview, a Luna Pixel Studios employee wrote:

Basically, our modpack developer installs evil mods from the latest updated section of Curseforge Launcher. He wanted to test if adding a new modpack update was worthwhile and since it was approved by Curseforge it was ignored. When the modpack was released it wasn't something we wanted so we removed it but by then it was too late and the malware had already started at level 0.

Everything seemed fine until the next day, from the LunaPixelStudios account, the Curses project started uploading files and then archiving them. We received this simply because a user requested a changelog for one of the mods, but we never updated it, so we checked. From then on we have been in contact with many people who are doing a great job trying to prevent this from happening. Most don't seem to be affected, but a malicious mod originating from March 2023 has been reportedly spotted.

This is a breaking story. More details will be added as they become available.