Minecraft Users Warned of Malware Targeting Modpacks

Minecraft gamers have been warned about a rapidly spreading multi-stage malware campaign targeting modpacks and plugins.

In a high alert warning posted at 18.00 BST on June 8, cybersecurity firm Bitdefender provided details on how infostealer malware named ‘Fractureiser’ is targeting users of the popular cross-platform game.

The researchers said that several CurseForge and Bukkit accounts have been compromised and used to publish malware-rigged updates of mods and plugins without the original author’s knowledge. These mods have then been included in popular modpacks “that have been downloaded several million times to date.”

Mods are user-created add-ons that extend the gameplay, collections of which are put together and configured in the form of modpacks. CurseForge and Bukkit are two of the largest Minecraft mod repositories.

The Fractureiser malware is downloaded in four stages, labelled zero through to three. Stage three brings the final payload in the form of a JAR file that includes a native binary named hook.dll.

It currently affects Linux and Windows Minecraft installs, and attempts to propagate itself to all JAR files on the system, including those that are not part of a Minecraft mod.

Once a file has been modified, the malware can target victims in a range of ways. Firstly, it can hijack cryptocurrency transactions by swapping wallet addresses with the attackers' own. Fractureiser can also steal cookies and user credentials from web browsers and exfiltrate authentication tokens for Discord, Microsoft and Minecraft.

Bitdefender highlighted “interesting behavior we believe is aimed at mod or plugin developers.” This is because the stage three malware targets Windows Sandbox, the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background.

“We were able to confirm that dozens of mods and plugins have been rigged with the malware,” read the alert, adding “the overwhelming majority of victims are in the US.”

The company listed affected mods in its indicators of compromise section, and urged users who downloaded the infected mods to scan their JAR files.
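The two defender-relevant details above are that the stage-three payload is a JAR carrying a native binary named hook.dll, and that the malware spreads to every JAR on the system, so a check limited to the mods folder is not enough. The following script is an added example, not code from the article or from Bitdefender: it walks a directory tree, opens each .jar as a zip archive and reports entries named hook.dll (the one file name the article gives) as well as any other native library (.dll/.so/.dylib) found inside a JAR, which is an added heuristic on the reasoning that a normal mod JAR contains Java classes and resources rather than native code. The sample JARs it builds are constructed in a temporary directory with placeholder bytes; nothing in them is real malware.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Indicator taken from the article: the stage-three payload JAR carries a native
# binary named hook.dll. Flagging any other native library inside a JAR is an
# assumption added here as a triage heuristic, not an indicator from the report.
KNOWN_BAD_NAMES = {"hook.dll"}
NATIVE_SUFFIXES = (".dll", ".so", ".dylib")


def inspect_jar(jar_path):
    """Return a list of (entry_name, reason) for suspicious entries in one JAR."""
    findings = []
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for name in zf.namelist():
                base = os.path.basename(name).lower()
                if base in KNOWN_BAD_NAMES:
                    findings.append((name, "matches known payload name"))
                elif base.endswith(NATIVE_SUFFIXES):
                    findings.append((name, "native binary inside JAR"))
    except zipfile.BadZipFile:
        # A file with a .jar name that is not a zip archive deserves a look too.
        findings.append(("", "not a valid zip/JAR"))
    return findings


def scan_jar_tree(root):
    """Walk root recursively; return {jar_path: findings} for JARs with findings.

    The malware propagates to every JAR on the system, not only mods, so the
    scan root should be wider than the Minecraft mods directory.
    """
    results = {}
    for path in Path(root).rglob("*.jar"):
        findings = inspect_jar(path)
        if findings:
            results[str(path)] = findings
    return results


def build_sample_tree(root):
    """Constructed sample data (not real malware): one clean JAR and one that
    carries a hook.dll entry whose bytes are just a placeholder string."""
    mods = Path(root) / "mods"
    mods.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(mods / "clean-mod.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Mod.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(mods / "tampered-mod.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Mod.class", b"\xca\xfe\xba\xbe")
        zf.writestr("hook.dll", b"PLACEHOLDER-NOT-A-REAL-BINARY")
    return mods


def demo():
    """Build the constructed sample tree in a temp dir, scan it, and return the
    findings keyed by JAR file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(p): f for p, f in scan_jar_tree(tmp).items()}


if __name__ == "__main__":
    # Replace demo() with scan_jar_tree("/") or a drive root for a real sweep.
    for jar, findings in demo().items():
        print(jar)
        for entry, reason in findings:
            print(f"  {entry or '<file>'}: {reason}")
```

The script only reads archive listings, so it is cheap to run over a whole filesystem; a hit on the known name is a strong signal, while the generic native-binary hit is a prompt to compare the JAR against the mod's original download and against Bitdefender's published indicators rather than a verdict on its own.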
