Dozens Of Popular Minecraft Mods Found Infected With Fracturiser Malware

CurseForge, a platform that offers plugins for the hugely popular game Minecraft, is advising users to stop downloading or updating mods immediately after discovering that dozens of available listings have been infected with malware.

Mod developer accounts are hosted on CurseForge, a platform that hosts accounts and forums for add-on software, called mods or plugins, that extends the stand-alone Minecraft game. Some of the malicious files used in the attack date back to mid-April, indicating that the account compromise had been active for several weeks. Bukkit.org, CurseForge's development platform, was also affected.

Fracturiser infects Windows and Linux systems

"Several Curseforge and dev.bukkit.org accounts (not the Bukkit software itself) have been compromised and malware has been injected into copies of many popular plugins and mods," players wrote in a forum post dedicated to discussing the event. "Some of these malicious copies have been placed in popular modpacks, including Better Minecraft. Malicious plugin/mod JAR files were reported as far back as mid-April."

Officials from Prism Launcher, maker of the open source Minecraft launcher, described the infection as "widespread" and listed the following mods as affected:

CurseForge:

  • Dungeons Arise
  • Sky Villages
  • Better MC modpack series
  • Dungeonz
  • Skyblock Core
  • Vault Integrations
  • AutoBroadcast
  • Museum Curator Advanced
  • Vault Integrations Bug fix
  • Create Infernal Expansion Plus (mod removed from CurseForge)

Bukkit:

  • Display Entity Editor
  • Haven Elytra
  • The Nexus Event Custom Entity Editor
  • Simple Harvesting
  • MCBounties
  • Easy Custom Foods
  • Anti Command Spam Bungeecord Support
  • Ultimate Leveling
  • Anti Redstone Crash
  • Hydration
  • Fragment Permission Plugin
  • No VPNS
  • Ultimate Titles Animations Gradient RGB
  • Floating Damage

Participants who posted on the forum said that the malware used in the attack, called Fracturiser, runs on Windows and Linux systems. Infection proceeds in stages, beginning with stage 0, which starts as soon as someone runs one of the infected mods. Each stage downloads files from the command-and-control server and then invokes the next stage. Stage 3, probably the last in the sequence, creates folders and scripts, modifies the registry, and then:

  • Propagates to all JAR files (Java archives) on the file system, potentially allowing Fracturiser to infect other mods that were not downloaded from CurseForge or BukkitDev
  • Steals cookies and credentials from multiple web browsers
  • Replaces cryptocurrency addresses in the clipboard with alternate addresses
  • Steals Discord IDs
  • Steals Microsoft and Minecraft IDs

According to malware samples posted here and here on VirusTotal, as of 10:45 AM California time only four major antivirus engines were detecting Fracturiser. Forum members said that people who want to check their systems manually for signs of infection should look for the following:

  • Linux: ~/.config/.data/lib.jar
  • Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar)
    • Make sure hidden files are shown when you look
    • Yes, Microsoft Edge with a space. Microsoft Edge is a legitimate directory used by the real Edge.
    • Also check the registry for an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • All other operating systems: unaffected. The malware is written only for Windows and Linux. It may get an update in the future that adds payloads for other operating systems.
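A host check for the indicators listed above, added here as an example (it is not the investigators' own script, and the function names are mine): the file paths, Run key and Startup folder are the ones published, and the profile roots are parameters so the same check can be run over a mounted or copied profile.

```python
import os
import platform
import tempfile
# Indicator paths as published above, relative to the user's profile roots
LINUX_JAR = os.path.join(".config", ".data", "lib.jar")
WINDOWS_JAR = os.path.join("Microsoft Edge", "libWebGL64.jar")  # "Microsoft Edge", with a space
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIR = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")

def check_file_indicators(home, localappdata, appdata):
    """Return indicator paths present under the given profile roots (passed in so a
    mounted or copied profile, or a constructed test tree, can be checked too)."""
    hits = [p for p in (os.path.join(home, LINUX_JAR), os.path.join(localappdata, WINDOWS_JAR))
            if os.path.isfile(p)]
    startup = os.path.join(appdata, STARTUP_DIR)
    if os.path.isdir(startup):  # any shortcut or script dropped here needs review
        hits += [os.path.join(startup, f) for f in sorted(os.listdir(startup))]
    return hits

def check_run_key():
    """Return HKCU Run values that reference the dropped JAR (Windows only)."""
    if platform.system() != "Windows":
        return []
    import winreg  # standard library, Windows only
    hits, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return hits
            if "libWebGL64.jar" in str(value):
                hits.append((name, value))
            i += 1

def build_sample_profile():
    """Constructed test tree, not real malware: an empty lib.jar under a temporary home."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".config", ".data"))
    open(os.path.join(root, LINUX_JAR), "w").close()
    return root

if __name__ == "__main__":
    home = os.path.expanduser("~")
    local = os.environ.get("LOCALAPPDATA", os.path.join(home, "AppData", "Local"))
    roaming = os.environ.get("APPDATA", os.path.join(home, "AppData", "Roaming"))
    found = check_file_indicators(home, local, roaming) + check_run_key()
    print("\n".join(f"INDICATOR: {hit}" for hit in found) or "no indicators found")
    raise SystemExit(1 if found else 0)  # non-zero exit suits a fleet-wide check job
```

A hit only tells you the dropper's artefacts are present; since stage 3 also rewrites other JAR files, a clean result here does not clear mods that were already installed.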

The people investigating the incident have provided scripts here to help find these files. CurseForge provides a decontamination guide here.

Speaking on social media, CurseForge representatives stated that "an attacker created several accounts and uploaded projects containing malware to the platform." Officials also said that a user account at mod developer Luna Pixel Studios was also compromised and used to upload similar malware.

In an update that CurseForge officials sent out via the Discord channel, they wrote:

  • The attacker created multiple accounts and uploaded projects containing malware to the platform.
  • Additionally, a Luna Pixel Studios (LPS) user was hacked and used to upload similar malware.
  • As a result, we have suspended all affected accounts and also disabled the LPS account. We are in direct contact with the LPS team to help them regain access.
  • We review ALL new projects and files to ensure your safety. Of course, we maintain an approval process for all new files until the issue is resolved.
  • Removing the CF client is not the recommended solution, as it will not resolve the issue and will not prevent us from providing a solution. We are working on a tool that you don't hear about. In the meantime, pay attention to the information posted in the #current-issues section.
  • This is ONLY relevant for Minecraft users.
  • To be clear: CurseForge is not compromised! No admin account has been hacked.

We are committed to ensuring that the platform remains a safe place to upload and share mods. Thanks to all authors and users who help us dig. Thank you for your cooperation and patience ❤️

In an online interview, an official from Luna Pixel Studios wrote:

Basically, our modpack developer installed a malicious mod from the "last updated" section in the Curseforge launcher. He wanted to see if it was worth adding in a new modpack update, but since it was approved by Curseforge, it was ignored. After running the modpack we didn't need it, so we removed it, but by then it was too late and the malware had already started at stage 0.

Everything seemed to be going well until the next day, when projects on Curseforge from LunaPixelStudios accounts started uploading files and then burning them. We first became aware of this because a user requested a changelog for one of the mods, but we had never updated it, so we checked it out. From there, we contacted a lot of people who did a great job of stopping this. In general, few people are interested in this, but it is believed that malicious mods were discovered in 2023.

This is a developing story. Additional details will be added as needed.