Dozens of popular MODs of Minecraft turned out to be infected with malware 'Fractureiser'

It has been discovered that dozens of Minecraft mods available on the internet contain malware called Fractureiser, and the platforms that provide them are urging users to stop downloading and updating mods immediately.
THIS DOC IS OLD, WE HAVE MOVED AGAIN - HackMD
https://hackmd.io/B46EYzKXSfWSF35DeCZz9A
Prism Launcher - [MALWARE WARNING] 'fractureiser' malware in many popular Minecraft mods and modpacks
https://prismlauncher.org/news/cf-compromised-alert/
GitHub - fractureiser-investigation/fractureiser: Information about the fractureiser malware
https://github.com/fractureiser-investigation/fractureiser
New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linux
https://www.bleepingcomputer.com/news/security/new-fractureiser-malware-used-curseforge-minecraft-mods-to-infect-windows-linux/
We are looking into an incident where a malicious user uploaded projects to the platform. This is relevant only to Minecraft users and we have banned all accounts involved.
— CurseForge (@CurseForge) June 7, 2023
CurseForge itself is not compromised in any way! Please follow the thread below for more information
Fractureiser is malware found in projects uploaded to the mod and plugin distribution platforms CurseForge and CraftBukkit. It targets Windows and Linux systems, and its name comes from the name of the account that uploaded the malicious files to CurseForge.
Fractureiser attacks in four stages. First, it runs a malicious function embedded in the mod, which downloads a file called 'dl.jar' and runs it as a new utility class. At this point it checks whether Java is installed on the machine and, if it is not, installs it automatically.
Once this dl.jar is executed, Fractureiser obtains the IP address of the attacker's

Once executed, the malicious file can reportedly steal cookies and account credentials stored in web browsers, replace cryptocurrency wallet addresses copied to the clipboard, and steal Microsoft, Minecraft, and Discord account information. Additionally, Fractureiser propagates by injecting malicious functions into all JAR files on the filesystem, and it creates shortcuts that run scripts at Windows startup.
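As an added example (not code from this article or from any project it cites): because the malware is described as injecting functions into JAR files, a baseline of per-entry checksums lets a defender name which JARs, and which classes inside them, have changed. It assumes the baseline was recorded while the system was known to be clean; the function names and the sample JAR are constructed for illustration.

```python
import json
import os
import tempfile
import zipfile

def snapshot(root):
    """Map each .jar under root to {entry name: CRC32} for its entries."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    snap[path] = {i.filename: i.CRC for i in jar.infolist()}
            except (zipfile.BadZipFile, OSError):
                snap[path] = None  # unreadable or corrupt: record it, do not skip
    return snap

def diff(baseline, current):
    """Return {jar path: sorted findings} for JARs that differ from baseline."""
    report = {}
    for path, entries in current.items():
        old = baseline.get(path)
        if path not in baseline:
            report[path] = ["new jar"]
        elif entries is None or old is None:
            if entries != old:
                report[path] = ["readability changed"]
        else:
            changes = [f"added {n}" for n in entries if n not in old]
            changes += [f"changed {n}" for n in entries if n in old and entries[n] != old[n]]
            changes += [f"removed {n}" for n in old if n not in entries]
            if changes:
                report[path] = sorted(changes)
    return report

def demo():
    """Constructed sample: one JAR has a class altered and a class added."""
    with tempfile.TemporaryDirectory() as root:
        jar_path = os.path.join(root, "example-mod.jar")
        with zipfile.ZipFile(jar_path, "w") as jar:
            jar.writestr("com/example/Main.class", b"original bytes")
        baseline = json.loads(json.dumps(snapshot(root)))  # as if saved to disk
        with zipfile.ZipFile(jar_path, "w") as jar:
            jar.writestr("com/example/Main.class", b"patched bytes")
            jar.writestr("com/example/Extra.class", b"new class")
        return {os.path.basename(p): c for p, c in diff(baseline, snapshot(root)).items()}
```

The CRC32 values come from each archive's ZIP directory and are not tamper-proof, so treat a clean diff as a triage signal and keep the baseline off the machine being checked.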

Mods and plug-ins confirmed to be affected by Fractureiser at the time of writing are as follows.
・CurseForge
Dungeons Arise
Sky Villages
Better MC modpack series
Fabulously Optimized (Found to not be compromised)
Dungeons
Skyblock Core
Vault Integrations
AutoBroadcast
Museum Curator Advanced
Vault Integrations bug fixes
Create Infernal Expansion Plus - Mod removed from CurseForge
・CraftBukkit
Display Entity Editor
Haven Elytra
The Nexus Event Custom Entity Editor
Simple harvesting
MC Bounties
Easy Custom Foods
Anti Command Spam Bungee Cord Support
Ultimate Leveling
Anti Redstone Crash
Hydration
Fragment Permission Plugin
No VPNS
Ultimate Titles Animations Gradient RGB
Floating damage
Some mod files containing malicious functions have been confirmed to date back to mid-April 2023. Players who have downloaded the above mods and plugins in the past three weeks are said to be affected, but it is unknown how widespread Fractureiser infection actually is.
According to hacker forum HackMD, volunteers have already contacted Mojang, the developer of Minecraft, and plan to distribute detection software to various MOD loader development teams, including CurseForge.
In addition, the official website of Prism Launcher, a Minecraft MOD launcher, has compiled a script that checks whether a file containing a malicious function exists on the system.
Prism Launcher - [MALWARE WARNING] 'fractureiser' malware in many popular Minecraft mods and modpacks
https://prismlauncher.org/news/cf-compromised-alert/#automated-script