Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

June 9 Update:

The oldest sample we were able to track until now (e69b50d1d58056fc770c88c514af9a82) shows the malware during its early development stage. Dated 2023-04-12, it looks like a Stage 2 sample with the C&C address set to 127.0.0.1, which leads us to believe that it was used for testing. It also includes limited functionality that currently is available in Stage 3 samples (only listening for OS commands (executed with  exec) ), which reinforces our assumption that the malware was in development at that time.

We also noticed that the Java package was named differently back in April ( dev.sirlennox.nekoclient  instead of  dev.neko.nekoclient).

We also identified several executables (NekoInstaller/NekoService), as described below:

  • NekoInstaller contains a Portable Executable file named NekoServices; at execution it drops the executable file in  C:Program FilesnekoserviceServiceHost.exe  and adds it as a service named  NekoService  to run;
  • NekoService contains a JAR file as a resource; it will download a JRE and run the JAR file; the JAR file is then dropped in  C:Program Filesnekoserviceservice.jar
  • the JAR file seems to be a Stage 2 sample
  • the MZ header compilation time for most of these samples ranges between 2023-04-20 18:20:06 and 2023-05-01 22:17:25, and just one sample was identified to be compiled on 2023-05-21 07:58:12, which means that the malware was in development in that timeframe.
  • Based on this evidence, it seems that the attackers initially planned to distribute EXE files rather than JAR ones, but we were unable to assess whether the EXE files have been disseminated in the wild or not.

Initial article:

Several Minecraft mods and plugins hosted on the CurseForge and Bukkit modding communities have been tainted with a multi-stage, multi-platform infostealer malware called Fractureiser, a preliminary investigation shows.

Several CurseForge and Bukkit accounts have been compromised and used to publish malware-rigged updates of mods and plugins without the knowledge of the original author. These mods have trickled downstream into popular modpacks that have been downloaded several million times to date.

The malware has 4 stages, labeled 0 through 3. Stage 0 is considered the modified mod or plugin to include obfuscated code that connects to http://85.217.144.130:8080/dl to download the Stage 1 malware.

The Stage 1 malware comes in the form of a dl.jar file with a SHA-1 sum of dc43c4685c3f47808ac207d1667cc1eb915b2d82. The Stage 1 malware includes a mutex to prevent it from running multiple times, and it seems responsible for infecting other JAR files, establishing persistence and contacting the command and control server in preparation of Stage 2 deployment.

Stage 2 (lib.jar or libWebGL64.jar) acts as a downloader and updater for the final payload in Stage 3.

Stage 3 brings the final payload, in the form of a jar file that includes a native binary named hook.dll. Hook.dll is exposing two functionalities that are called from Java code: retrieveClipboardFiles – to retrieve file descriptors from the clipboard, used for the virtual machine escape technique (detailed below), as well as retrieveMSACredentials to retrieve Microsoft Live credentials.

What we know so far

The first sample apparently dates all the way back to April 24th 2023 in the form of a Stage 0 malware with the 0e583c572ad823330b9e34d871fcc2df hash. The first JAR (Java Archive) file lacks many of the features currently in the malware.

The malware currently affects Linux and Windows Minecraft installs and attempts to inject itself into all other eligible .jar files on the system, including those that are not part of a Minecraft mod. The malware has a complex logic to determine whether a .jar file is a candidate for infection. Upon modification of the file, the infection code also disables code signing for Java files by removing the META-INF/CERTIFIC.RSA, META-INF/CERTIFIC.EC, META-INF/CERT.SF and META-INF/CERTIFIC.SF

The malware monitors the clipboard for crypto-currency wallet addresses, then swaps them with the attacker’s to hijack transactions. It also steals Minecraft and Discord authentication tokens, as well as cookies and login data stored in the most popular browsers.

During our analysis, we identified interesting behavior we believe is aimed at mod or plugin developers. It looks like the Stage 3 malware targets Windows Sandbox instances used for testing mods by monitoring and constantly poisoning the clipboard in an attempt to infect the host. This behavior is isolated to Windows Sandbox, as it is the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background.

We were able to confirm that dozens of mods and plugins have been rigged with the malware. The affected mods are listed in the Indicators of Compromise section below.

The overwhelming majority of victims are in the US. We are monitoring the individual components of this malware and will update the threat distribution accordingly.

Mitigation

Bitdefender identifies the malicious code in all stages of execution as Trojan.Java.Fractureiser.*. If you have downloaded any of the infected mods in recent months or have any concern about the integrity of your .jar files, run a deep scan with your favorite security solution such as Bitdefender Total Security.

Indicators of compromise

Files

SHA-1 Detection
2db855a7f40c015f8c9ca7cbab69e1f1aafa210b Trojan.Java.Fractureiser.B, Java.Trojan.Agent.NY
a4b6385d1140c111549d95eab25cb51922eefba2 Trojan.Java.Fractureiser.C
b0752dcf01d56f420cb084c84b641b9c132e8a73 Trojan.Java.Fractureiser.D
282adb0edc52ce955932de48ef06df36e1050ada Trojan.Java.Fractureiser.L, Java.Trojan.Agent.NY
c55c3e9d6a4355f36b0710ab189d5131a290df26 Trojan.Java.Fractureiser.G
33677ca0e4c565b1f34baa74a79c09a3b690bf41 Trojan.Java.Fractureiser.H
284a4449e58868036b2bafdfb5a210fd0480ef4a Trojan.Java.Fractureiser.J, Java.Trojan.Agent.NY
32536577d5bb074abd493ad98dc12ccc86f30172 Trojan.Java.Fractureiser.K, Java.Trojan.Agent.NZ
0C6576BDC6D1B92D581C18F3A150905AD97FA080 Java.Trojan.Agent.NY
dc43c4685c3f47808ac207d1667cc1eb915b2d82 Trojan.Java.Fractureiser.I
52d08736543a240b0cbbbf2da03691ae525bb119 Trojan.Java.Fractureiser.E, Java.Trojan.Agent.NX
6ec85c8112c25abe4a71998eb32480d266408863 Trojan.Java.Fractureiser.F, Java.Trojan.Agent.NX
e50eadd3293e35e60e89d1914bbc67ab597c8721 Trojan.Java.Fractureiser.S, Java.Trojan.Agent.OC
c2d0c87a1fe99e3c44a52c48d8bcf65a67b3e9a5 Trojan.Java.Fractureiser.M, Java.Trojan.Agent.OA
e299bf5a025f5c3fff45d017c3c2f467fa599915 Trojan.Java.Fractureiser.N, Java.Trojan.Agent.OB
2de8f42871213f17771be2943e5f9da3b0a94ad2 Trojan.Java.Fractureiser.A

URLs:

URLClassLoader – http://85.217.144.130:8080/dl
New C2C – 107.189.3.101
Stage2  C2 interrogation – https://files-8ie.pages.dev:8083/ip
Possibly new C2C – connect.skyrage.de

Infected mods and plugins:

Removed Mods:

https://www.curseforge.com/minecraft/mc-mods/create-infernal-expansion-plus

Current Mods:

  • https://www.curseforge.com/minecraft/mc-mods/museum-curator-advanced
  • https://www.curseforge.com/minecraft/mc-mods/vault-integrations-bug-fix
  • https://www.curseforge.com/minecraft/mc-mods/autobroadcast

Current Plugins:

  • https://www.curseforge.com/minecraft/bukkit-plugins/display-entity-editor
  • https://www.curseforge.com/minecraft/bukkit-plugins/the-nexus-event-custom-events
  • https://www.curseforge.com/minecraft/bukkit-plugins/simpleharvesting
  • https://www.curseforge.com/minecraft/bukkit-plugins/mcbounties
  • https://www.curseforge.com/minecraft/bukkit-plugins/easy-custom-foods
  • https://www.curseforge.com/minecraft/bukkit-plugins/havenelytra
  • https://www.curseforge.com/minecraft/bukkit-plugins/anticommandspam-bungeecord-support
  • https://www.curseforge.com/minecraft/bukkit-plugins/ultimateleveling
  • https://www.curseforge.com/minecraft/bukkit-plugins/antiredstonecrash-ntd
  • https://www.curseforge.com/minecraft/bukkit-plugins/hydration
  • https://www.curseforge.com/minecraft/bukkit-plugins/fragment-permission-plugin
  • https://www.curseforge.com/minecraft/bukkit-plugins/novpns
  • https://www.curseforge.com/minecraft/bukkit-plugins/ultimatetitles-titles-animations-gradient-rgb

Others

  • https://dev.bukkit.org/projects/floating-damage
  • https://www.curseforge.com/minecraft/mc-mods/skyblock-core/files/4570565
  • https://legacy.curseforge.com/minecraft/mc-mods/dungeonx/files/4551100
  • https://dev.bukkit.org/projects/havenelytra/files/4551105
  • https://legacy.curseforge.com/minecraft/bukkitplugins/havenelytra/files/4551105
  • https://www.curseforge.com/minecraft/mc-mods/vault-integrations-bug-fix/files/4557590
  • https://www.curseforge.com/minecraft/mc-mods/autobroadcast/files/4567257
  • https://www.curseforge.com/minecraft/mc-mods/museum-curator-advanced/files/4553353
  • https://www.curseforge.com/minecraft/mc-mods/vault-integrations-bug-fix/files/4557590
  • https://dev.bukkit.org/projects/floating-damage
  • https://www.curseforge.com/minecraft/bukkit-plugins/display-entity-editor/files/4570122

Source: Original Post


“An interesting youtube video that may be related to the article above”