Infected Minecraft mods lead to multi-stage, multi-platform infostealer malware

Several Minecraft mods and plugins hosted on the CurseForge and Bukkit modding communities have been tainted with a multi-stage, multi-platform infostealer malware called Fractureiser, a preliminary investigation shows.

Several CurseForge and Bukkit accounts have been compromised and used to publish malware-rigged updates of mods and plugins without the knowledge of the original authors. These mods have trickled downstream into popular modpacks that have been downloaded several million times to date.

The malware has 4 stages, labeled 0 through 3. Stage 0 is the modified mod or plugin itself: it has been altered to include obfuscated code that connects to http://[85.217.144.130:8080]/dl to download the Stage 1 malware.

The Stage 1 malware comes in the form of a dl.jar file with a SHA-1 sum of dc43c4685c3f47808ac207d1667cc1eb915b2d82. Stage 1 uses a mutex to prevent it from running more than once, and it appears responsible for infecting other JAR files, establishing persistence and contacting the command and control server in preparation for Stage 2 deployment.

Stage 2 (lib.jar or libWebGL64.jar) acts as a downloader and updater for the final payload in Stage 3.

Stage 3 brings the final payload, a JAR file that includes a native binary named hook.dll. hook.dll exposes two functions that are called from Java code:

  • retrieveClipboardFiles – retrieves file descriptors from the clipboard; used for the virtual machine escape technique detailed below.
  • retrieveMSACredentials – retrieves Microsoft Live credentials.

What we know so far

  • The first sample apparently dates all the way back to April 24th 2023 in the form of a Stage 0 malware with the 0e583c572ad823330b9e34d871fcc2df hash. The first JAR (Java Archive) file lacks many of the features currently in the malware.
  • The malware currently affects Linux and Windows Minecraft installs and attempts to inject itself into all other eligible .jar files on the system, including those that are not part of a Minecraft mod. The malware uses complex logic to decide whether a .jar file is a candidate for infection. When it modifies a file, the infection code also disables code signing for it by removing META-INF/CERTIFIC.RSA, META-INF/CERTIFIC.EC, META-INF/CERT.SF and META-INF/CERTIFIC.SF.
  • The malware monitors the clipboard for crypto-currency wallet addresses, then swaps them with the attacker’s to hijack transactions. It also steals Minecraft and Discord authentication tokens, as well as cookies and login data stored in the most popular browsers.
  • During our analysis, we identified interesting behavior we believe is aimed at mod or plugin developers. It looks like the Stage 3 malware targets Windows Sandbox instances used for testing mods by monitoring and constantly poisoning the clipboard in an attempt to infect the host. This behavior is isolated to Windows Sandbox, as it is the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background.
  • We were able to confirm that dozens of mods and plugins have been rigged with the malware. The affected mods are listed in the Indicators of Compromise section below.
  • The overwhelming majority of victims are in the US. We are monitoring the individual components of this malware and will update the threat distribution accordingly.

Mitigation

Bitdefender identifies the malicious code in all stages of execution as Trojan.Java.Fractureiser.*. If you have downloaded any of the infected mods in recent months or have any concern about the integrity of your .jar files, run a deep scan with your favorite security solution such as Bitdefender Total Security.
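As an added example, not part of the Bitdefender advisory or its tooling, the following Python script checks a single .jar against the SHA-1 sums from the Indicators of Compromise table, flags a bundled hook.dll, and applies a heuristic for the signature stripping described above (a manifest that still carries per-entry digests while no META-INF signature file remains). The heuristic, the indicator names and the constructed sample JAR are assumptions made for illustration, not analysis results from the advisory.

```python
import hashlib
import io
import zipfile

# SHA-1 sums from the advisory's IoC table (Stage 0-3 JARs and hook.dll), lowercased.
FRACTUREISER_SHA1 = {
    "2db855a7f40c015f8c9ca7cbab69e1f1aafa210b", "a4b6385d1140c111549d95eab25cb51922eefba2",
    "b0752dcf01d56f420cb084c84b641b9c132e8a73", "282adb0edc52ce955932de48ef06df36e1050ada",
    "c55c3e9d6a4355f36b0710ab189d5131a290df26", "33677ca0e4c565b1f34baa74a79c09a3b690bf41",
    "284a4449e58868036b2bafdfb5a210fd0480ef4a", "32536577d5bb074abd493ad98dc12ccc86f30172",
    "0c6576bdc6d1b92d581c18f3a150905ad97fa080", "dc43c4685c3f47808ac207d1667cc1eb915b2d82",
    "52d08736543a240b0cbbbf2da03691ae525bb119", "6ec85c8112c25abe4a71998eb32480d266408863",
    "c2d0c87a1fe99e3c44a52c48d8bcf65a67b3e9a5", "e299bf5a025f5c3fff45d017c3c2f467fa599915",
    "2de8f42871213f17771be2943e5f9da3b0a94ad2",
}
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # signature files jarsigner writes under META-INF/
MANIFEST = "META-INF/MANIFEST.MF"

def check_jar(jar_bytes: bytes) -> list:
    """Indicators found in one .jar: the archive or a member with a listed SHA-1,
    a bundled hook.dll, or signature files removed the way the infection routine does."""
    findings = []
    if hashlib.sha1(jar_bytes).hexdigest() in FRACTUREISER_SHA1:
        findings.append("sha1-match")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        for name in names:
            if hashlib.sha1(z.read(name)).hexdigest() in FRACTUREISER_SHA1:
                findings.append("member-sha1-match:" + name)
        manifest = z.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    if any(n.lower().endswith("hook.dll") for n in names):
        findings.append("hook-dll-bundled")
    # Heuristic (assumption): jarsigner leaves "*-Digest:" lines in the manifest; digests with no .SF/.RSA/.DSA/.EC file left means the signature files were removed after signing.
    has_sig = any(n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES) for n in names)
    if "-Digest:" in manifest and not has_sig:
        findings.append("signature-stripped")
    return findings

def build_sample_jar(strip_signature: bool, bundle_hook: bool = False) -> bytes:
    # Constructed test input, not a real mod: a tiny JAR whose manifest carries a digest entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\n\r\nName: a/B.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
        if not strip_signature:
            z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/SIGNER.RSA", b"\x30\x00")
        if bundle_hook:
            z.writestr("hook.dll", b"MZ-placeholder")  # constructed stand-in, not the real DLL
        z.writestr("a/B.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

To sweep a mods folder, feed the bytes of each .jar to check_jar and treat any non-empty result as a file to quarantine and submit to a scanner; an unsigned JAR that never had digests in its manifest produces no "signature-stripped" finding.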

Indicators of compromise

Files:

Stage | SHA-1 | Detection | Mod / plugin
Stage 0 | 2db855a7f40c015f8c9ca7cbab69e1f1aafa210b | Trojan.Java.Fractureiser.B, Java.Trojan.Agent.NY | Dungeonz
Stage 0 | a4b6385d1140c111549d95eab25cb51922eefba2 | Trojan.Java.Fractureiser.C | Display Entity Editor
Stage 0 | b0752dcf01d56f420cb084c84b641b9c132e8a73 | Trojan.Java.Fractureiser.D | Floating Damage
Stage 0 | 282adb0edc52ce955932de48ef06df36e1050ada | Trojan.Java.Fractureiser.L, Java.Trojan.Agent.NY | From: https://hackmd.io/5gqXVri5S4ewZcGaCbsJdQ
Stage 0 | c55c3e9d6a4355f36b0710ab189d5131a290df26 | Trojan.Java.Fractureiser.G | AutoBroadcast
Stage 0 | 33677ca0e4c565b1f34baa74a79c09a3b690bf41 | Trojan.Java.Fractureiser.H | Skyblock Core
Stage 0 | 284a4449e58868036b2bafdfb5a210fd0480ef4a | Trojan.Java.Fractureiser.J, Java.Trojan.Agent.NY | Haven Elytra
Stage 0 | 32536577d5bb074abd493ad98dc12ccc86f30172 | Trojan.Java.Fractureiser.K, Java.Trojan.Agent.NZ | Museum Curator Advanced
Stage 0 | 0C6576BDC6D1B92D581C18F3A150905AD97FA080 | Java.Trojan.Agent.NY | Vault Integrations / Vault Integrations Bug fix
Stage 1 | dc43c4685c3f47808ac207d1667cc1eb915b2d82 | Trojan.Java.Fractureiser.I |
Stage 2 | 52d08736543a240b0cbbbf2da03691ae525bb119 | Trojan.Java.Fractureiser.E, Java.Trojan.Agent.NX |
Stage 2 | 6ec85c8112c25abe4a71998eb32480d266408863 | Trojan.Java.Fractureiser.F, Java.Trojan.Agent.NX |
Stage 3 | c2d0c87a1fe99e3c44a52c48d8bcf65a67b3e9a5 | Trojan.Java.Fractureiser.M, Java.Trojan.Agent.OA |
Stage 3 | e299bf5a025f5c3fff45d017c3c2f467fa599915 | Trojan.Java.Fractureiser.N, Java.Trojan.Agent.OB |
Stage 3 (hook.dll) | 2de8f42871213f17771be2943e5f9da3b0a94ad2 | Trojan.Java.Fractureiser.A |

URLs:

URLClassLoader – http://85.217.144.130:8080/dl

New C2C – 107.189.3.101

Stage2 C2 interrogation – https://[files-8ie.pages.dev]:8083/ip

Possibly new C2C – connect[.]skyrage[.]de

Infected mods and plugins:

Removed Mods:
https://www.curseforge.com/minecraft/mc-mods/create-infernal-expansion-plus
Current Mods:
https://www.curseforge.com/minecraft/mc-mods/museum-curator-advanced
https://www.curseforge.com/minecraft/mc-mods/vault-integrations-bug-fix
https://www.curseforge.com/minecraft/mc-mods/autobroadcast
Current Plugins:
https://www.curseforge.com/minecraft/bukkit-plugins/display-entity-editor
https://www.curseforge.com/minecraft/bukkit-plugins/the-nexus-event-custom-events
https://www.curseforge.com/minecraft/bukkit-plugins/simpleharvesting
https://www.curseforge.com/minecraft/bukkit-plugins/mcbounties
https://www.curseforge.com/minecraft/bukkit-plugins/easy-custom-foods
https://www.curseforge.com/minecraft/bukkit-plugins/havenelytra
https://www.curseforge.com/minecraft/bukkit-plugins/anticommandspam-bungeecord-support
https://www.curseforge.com/minecraft/bukkit-plugins/ultimateleveling
https://www.curseforge.com/minecraft/bukkit-plugins/antiredstonecrash-ntd
https://www.curseforge.com/minecraft/bukkit-plugins/hydration
https://www.curseforge.com/minecraft/bukkit-plugins/fragment-permission-plugin
https://www.curseforge.com/minecraft/bukkit-plugins/novpns
https://www.curseforge.com/minecraft/bukkit-plugins/ultimatetitles-titles-animations-gradient-rgb
Extra:
https://dev.bukkit.org/projects/floating-damage
https://www.curseforge.com/minecraft/mc-mods/skyblock-core/files/4570565
https://legacy.curseforge.com/minecraft/mc-mods/dungeonx/files/4551100
https://dev.bukkit.org/projects/havenelytra/files/4551105
https://legacy.curseforge.com/minecraft/bukkit-plugins/havenelytra/files/4551105
https://www.curseforge.com/minecraft/mc-mods/vault-integrations-bug-fix/files/4557590
https://www.curseforge.com/minecraft/mc-mods/autobroadcast/files/4567257
https://www.curseforge.com/minecraft/mc-mods/museum-curator-advanced/files/4553353
https://www.curseforge.com/minecraft/bukkit-plugins/display-entity-editor/files/4570122
