Infected Minecraft mods lead to multi-stage, multi-platform infostealer malware
Several Minecraft mods and plugins hosted on the CurseForge and Bukkit modding communities have been tainted with a multi-stage, multi-platform infostealer malware called Fractureiser, a preliminary investigation shows.
Several CurseForge and Bukkit accounts have been compromised and used to publish malware-rigged updates of mods and plugins without the knowledge of the original author. These mods have trickled downstream into popular modpacks that have been downloaded several million times to date.
The malware has 4 stages, labeled 0 through 3. Stage 0 is considered the modified mod or plugin to include obfuscated code that connects to http://[126.96.36.199:8080]/dl to download the Stage 1 malware.
The Stage 1 malware comes in the form of a dl.jar file with a SHA-1 sum of dc43c4685c3f47808ac207d1667cc1eb915b2d82. The Stage 1 malware includes a mutex to prevent it from running multiple times, and it seems responsible for infecting other JAR files, establishing persistence and contacting the command and control server in preparation of Stage 2 deployment.
Stage 2 (lib.jar or libWebGL64.jar) acts as a downloader and updater for the final payload in Stage 3.
Stage 3 brings the final payload, in the form of a jar file that includes a native binary named hook.dll. Hook.dll is exposing two functionalities that are called from Java code:
retrieveClipboardFiles – to retrieve file descriptors from the clipboard, used for the virtual machine escape technique (detailed below), as well as retrieveMSACredentials to retrieve Microsoft Live credentials.
What we know so far
- The first sample apparently dates all the way back to April 24th 2023 in the form of a Stage 0 malware with the 0e583c572ad823330b9e34d871fcc2df hash. The first JAR (Java Archive) file lacks many of the features currently in the malware.
- The malware currently affects Linux and Windows Minecraft installs and attempts to inject itself into all other eligible .jar files on the system, including those that are not part of a Minecraft mod. The malware has a complex logic to determine whether a .jar file is a candidate for infection. Upon modification of the file, the infection code also disables code signing for Java files by removing the
- The malware monitors the clipboard for crypto-currency wallet addresses, then swaps them with the attacker’s to hijack transactions. It also steals Minecraft and Discord authentication tokens, as well as cookies and login data stored in the most popular browsers.
- During our analysis, we identified interesting behavior we believe is aimed at mod or plugin developers. It looks like the Stage 3 malware targets Windows Sandbox instances used for testing mods by monitoring and constantly poisoning the clipboard in an attempt to infect the host. This behavior is isolated to Windows Sandbox, as it is the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background.
- We were able to confirm that dozens of mods and plugins have been rigged with the malware. The affected mods are listed in the Indicators of Compromise section below.
- The overwhelming majority of victims are in the US. We are monitoring the individual components of this malware and will update the threat distribution accordingly.
Bitdefender identifies the malicious code in all stages of execution as Trojan.Java.Fractureiser.*. If you have downloaded any of the infected mods in recent months or have any concern about the integrity of your .jar files, run a deep scan with your favorite security solution such as Bitdefender Total Security.
Indicators of compromise
|Display Entity Editor
|Museum Curator Advanced
|Vault Integrations / Vault Integrations Bug fix
URLClassLoader – http://188.8.131.52:8080/dl
New C2C – 184.108.40.206
Stage2 C2 interrogation – https://[files-8ie.pages.dev]:8083/ip
Possibly new C2C – connect[.]skyrage[.]de
Infected mods and plugins:
See more: How to keep your passwords SAFE