Accounts on popular Minecraft modding platforms were compromised in a pseudo-supply chain hack.

There are some fresh reasons to be wary of game modder sites.

Fractureiser in the wild.

Minecraft mods were discovered to contain malware called Fractureiser in a pseudo-supply chain attack (pseudo because the affected mods are not advertised as supported media by Minecraft–it’s an attack on the modder supply chain). Bitdefender released a report describing this attack, explaining that several Minecraft mods hosted on popular modding hubs Curseforge and Bukkit contained malware which caused accounts to be compromised and “used to publish malware-rigged updates of mods and plugins without the knowledge of the original author. These mods have trickled downstream into popular modpacks that have been downloaded several million times to date.” 

As BleepingComputer reports “Several CurseForge and Bukkit accounts were compromised and used to inject malicious code into plugins and mods, which were then adopted by popular modpacks such as 'Better Minecraft,' which has over 4.6 million downloads.” BleepingComputer further notes that the infected updates were archived, but nonetheless sent out to users, to remain undetected for as long as possible. This attack has a similar ring to it as the recent MOVEit and C3X supply chain attacks, as the attackers targeted developers upstream of their intended victims. This allows them to reach a much wider target base than, say, targeting each user on CurseForge and Bukkit individually.

Malware campaign as defined in stages. 

Researchers at Bitdefender observed the first appearance of the malware campaign on April 24th, in what they are calling stage 0 of the attack. The researchers separate the campaign into four stages explaining that “Stage 0 is considered the modified mod or plugin to include obfuscated code that connects to [a malicious http] to download the Stage 1 malware.” Bitdefender further describes stage 1 is meant to gain persistence on the infected machine, and Stage 2 is meant to act as “a downloader and updater for the final payload in Stage 3. Stage 3 brings the final payload, in the form of a jar file that includes a native binary named hook.dll. Hook.dll is exposing two functionalities that are called from Java code: retrieveClipboardFiles - to retrieve file descriptors from the clipboard, used for the virtual machine escape technique (detailed below), as well as retrieveMSACredentials to retrieve Microsoft Live credentials.”

The infostealer goes after crypto-wallet addresses, and targets mod and plugin developers.

The purpose of the malware is to act as an infostealer which monitors the victim’s clipboard for crypto wallet addresses and swaps them for the attacker’s address. “It also steals Minecraft and Discord authentication tokens, as well as cookies and login data stored in the most popular browsers,” write researchers. Interestingly, Bit defender writes that “We identified interesting behavior we believe is aimed at mod or plugin developers. It looks like the Stage 3 malware targets Windows Sandbox instances used for testing mods by monitoring and constantly poisoning the clipboard in an attempt to infect the host. This behavior is isolated to Windows Sandbox, as it is the only virtualization environment that allows alteration of the host clipboard contents when the virtual machine is running in the background.”

Known infected mods and plugins.

Bitdefender and BleepingComputer have published lists of the infected mods and plugins and they are as follows:

CurseForge:

• Dungeons Arise
• Sky Villages
• Better MC modpack series
• Fabuously Optimized (Found to not be compromised)
• Dungeonz
• Skyblock Core
• Vault Integrations
• AutoBroadcast
• Museum Curator Advanced
• Vault Integrations Bug fix
• Create Infernal Expansion Plus - Mod removed from CurseForge

Bukkit:

• Display Entity Editor
• Haven Elytra
• The Nexus Event Custom Entity Editor
• Simple Harvesting
• MCBounties
• Easy Custom Foods
• Anti Command Spam Bungeecord Support
• Ultimate Leveling
• Anti Redstone Crash
• Hydration
• Fragment Permission Plugin
• No VPNS
• Ultimate Titles Animations Gradient RGB
• Floating Damage

For a full list of infected mods, please see the “Infected mods and plugins” section of Bitdefender’s report.