Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

June 9 Update:

The oldest sample we were able to track until now (e69b50d1d58056fc770c88c514af9a82) shows the malware during its early development stage. Dated 2023-04-12, it looks like a Stage 2 sample with the C&C address set to 127.0.0.1, which leads us to believe that it was used for testing. It also includes limited functionality that currently is available in Stage 3 samples (only listening for OS commands (executed with  exec) ), which reinforces our assumption that the malware was in development at that time.

We also noticed that the Java package was named differently back in April ( dev.sirlennox.nekoclient  instead of  dev.neko.nekoclient).

We also identified several executables (NekoInstaller/NekoService), as described below:

• NekoInstaller contains a Portable Executable file named NekoServices; at execution it drops the executable file in  C:Program FilesnekoserviceServiceHost.exe  and adds it as a service named  NekoService  to run;
• NekoService contains a JAR file as a resource; it will download a JRE and run the JAR file; the JAR file is then dropped in  C:Program Filesnekoserviceservice.jar
• the JAR file seems to be a Stage 2 sample
• the MZ header compilation time for most of these samples ranges between 2023-04-20 18:20:06 and 2023-05-01 22:17:25, and just one sample was identified to be compiled on 2023-05-21 07:58:12, which means that the malware was in development in that timeframe.
• Based on this evidence, it seems that the attackers initially planned to distribute EXE files rather than JAR ones, but we were unable to assess whether the EXE files have been disseminated in the wild or not.

Initial article:

Several Minecraft mods and plugins hosted on the CurseForge and Bukkit modding communities have been tainted with a multi-stage, multi-platform infostealer malware called Fractureiser, a preliminary investigation shows.

Several CurseForge and Bukkit accounts have been compromised and used to publish malware-rigged updates of mods and plugins without the knowledge of the original author. These mods have trickled downstream into popular modpacks that have been downloaded several million times to date.

The malware has 4 stages, labeled 0 through 3. Stage 0 is considered the modified mod or plugin to include obfuscated code that connects to http://85.217.144.130:8080/dl to download the Stage 1 malware.

The Stage 1 malware comes in the form of a dl.jar file with a SHA-1 sum of dc43c4685c3f47808ac207d1667cc1eb915b2d82. The Stage 1 malware includes a mutex to prevent it from running multiple times, and it seems responsible for infecting other JAR files, establishing persistence and contacting the command and control server in preparation of Stage 2 deployment.

Stage 2 (lib.jar or libWebGL64.jar) acts as a downloader and updater for the final payload in Stage 3.

Stage 3 brings the final payload, in the form of a jar file that includes a native binary named hook.dll. Hook.dll is exposing two functionalities that are called from Java code: retrieveClipboardFiles – to retrieve file descriptors from the clipboard, used for the virtual machine escape technique (detailed below), as well as retrieveMSACredentials to retrieve Microsoft Live credentials.

What we know so far

The first sample apparently dates all the way back to April 24th 2023 in the form of a Stage 0 malware with the 0e583c572ad823330b9e34d871fcc2df hash. The first JAR (Java Archive) file lacks many of the features currently in the malware.

The malware currently affects Linux and Windows Minecraft installs and attempts to inject itself into all other eligible .jar files on the system, including those that are not part of a Minecraft mod. The malware has a complex logic to determine whether a .jar file is a candidate for infection. Upon modification of the file, the infection code also disables code signing for Java files by removing the META-INF/CERTIFIC.RSA, META-INF/CERTIFIC.EC, META-INF/CERT.SF and META-INF/CERTIFIC.SF

The malware monitors the clipboard for crypto-currency wallet addresses, then swaps them with the attacker’s to hijack transactions. It also steals Minecraft and Discord authentication tokens, as well as cookies and login data stored in the most popular browsers.

During our analysis, we identified interesting behavior we believe is aimed at mod or plugin developers. It looks like the Stage 3 malware targets Windows Sandbox instances used for testing mods by monitoring and constantly poisoning the clipboard in an attempt to infect the host. This behavior is isolated to Windows Sandbox, as it is the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background.

We were able to confirm that dozens of mods and plugins have been rigged with the malware. The affected mods are listed in the Indicators of Compromise section below.

The overwhelming majority of victims are in the US. We are monitoring the individual components of this malware and will update the threat distribution accordingly.

Mitigation

Bitdefender identifies the malicious code in all stages of execution as Trojan.Java.Fractureiser.*. If you have downloaded any of the infected mods in recent months or have any concern about the integrity of your .jar files, run a deep scan with your favorite security solution such as Bitdefender Total Security.

Indicators of compromise

Files

URLs:

URLClassLoader – http://85.217.144.130:8080/dl
New C2C – 107.189.3.101
Stage2  C2 interrogation – https://files-8ie.pages.dev:8083/ip
Possibly new C2C – connect.skyrage.de

Infected mods and plugins:

Removed Mods:

https://www.curseforge.com/minecraft/mc-mods/create-infernal-expansion-plus

Current Mods:

• https://www.curseforge.com/minecraft/mc-mods/museum-curator-advanced
• https://www.curseforge.com/minecraft/mc-mods/vault-integrations-bug-fix
• https://www.curseforge.com/minecraft/mc-mods/autobroadcast

Current Plugins:

• https://www.curseforge.com/minecraft/bukkit-plugins/display-entity-editor
• https://www.curseforge.com/minecraft/bukkit-plugins/the-nexus-event-custom-events
• https://www.curseforge.com/minecraft/bukkit-plugins/simpleharvesting
• https://www.curseforge.com/minecraft/bukkit-plugins/mcbounties
• https://www.curseforge.com/minecraft/bukkit-plugins/easy-custom-foods
• https://www.curseforge.com/minecraft/bukkit-plugins/havenelytra
• https://www.curseforge.com/minecraft/bukkit-plugins/anticommandspam-bungeecord-support
• https://www.curseforge.com/minecraft/bukkit-plugins/ultimateleveling
• https://www.curseforge.com/minecraft/bukkit-plugins/antiredstonecrash-ntd
• https://www.curseforge.com/minecraft/bukkit-plugins/hydration
• https://www.curseforge.com/minecraft/bukkit-plugins/fragment-permission-plugin
• https://www.curseforge.com/minecraft/bukkit-plugins/novpns
• https://www.curseforge.com/minecraft/bukkit-plugins/ultimatetitles-titles-animations-gradient-rgb

Others

• https://dev.bukkit.org/projects/floating-damage
• https://www.curseforge.com/minecraft/mc-mods/skyblock-core/files/4570565
• https://legacy.curseforge.com/minecraft/mc-mods/dungeonx/files/4551100
• https://dev.bukkit.org/projects/havenelytra/files/4551105
• https://legacy.curseforge.com/minecraft/bukkitplugins/havenelytra/files/4551105
• https://www.curseforge.com/minecraft/mc-mods/vault-integrations-bug-fix/files/4557590
• https://www.curseforge.com/minecraft/mc-mods/autobroadcast/files/4567257
• https://www.curseforge.com/minecraft/mc-mods/museum-curator-advanced/files/4553353
• https://www.curseforge.com/minecraft/mc-mods/vault-integrations-bug-fix/files/4557590
• https://dev.bukkit.org/projects/floating-damage
• https://www.curseforge.com/minecraft/bukkit-plugins/display-entity-editor/files/4570122

Source: Original Post

“An interesting youtube video that may be related to the article above”