[MALWARE WARNING] "fractureiser" malware in many popular Minecraft mods and modpacks

For a full summary, check out this GitHub repository: https://github.com/fractureiser-investigation/fractureiser

Starting June 6th, 2023 UTC, multiple groups reported many CurseForge and Bukkit projects as compromised. Malware was been uploaded to several projects and it's now known that the virus was self-replicating and spreading. Since then, both Modrinth and Curseforge have stated all infected files have been removed or they were unaffected. It should be safe to use these services now, however users should still take caution in downloading files, especially from less trustworthy services.

Table of contents:

What can I do? #

As of June 8th, 2023 UTC, Windows Defender has started detecting some jars infected with stage 0, along with files from stage 2 (specifically libWebGL64.jar). You should make you have the latest security intelligence updates from Microsoft by going to settings and running Windows Update. To confirm, go to Windows Defender, click "Virus and Threat Protection," scroll down to "Virus and Threat Protection Updates," and press "Protection Updates." It should say the last update was today and the version was created on June 9th, 2023. This will help reduce any damage or further infection caused by jars containing fractureiser.

It is still recommended to read the following steps if you haven't already run a scan or are suspicious of a mod you have downloaded. It is still possible infected jars are on your system, as currently the detection done by Windows Defender for stage 0 files can be inconsistent.

Checking Mods #

When downloading mods and plugins you may be suspicious of, douira's Fractureiser Web Scanner can be used to detect if they are infected.

Finding out if you have already been infected #

Fractureiser drops multiple files on your system. These steps may be used to see if an infected mod has already been run:

Manual Check #

When checking if you are infected, make sure to make hidden files visible and for windows also disable Hide protected operating system files, for your respective platform.

Stage 1 of the malware attempts to drop a file into the following locations:

• Linux:

  • Locate it in systemd-utility.service in ~/.config/systemd/user or /etc/systemd/system/ and lib.jar in ~/.config/.data and check SystemCTL for any changes

• Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar)

  • Yes, "Microsoft Edge" with a space
  • Also check the registry for an entry at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
  • Or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • If the file cannot be deleted due to being open in the "Open JDK Binary" you can use https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns to see what applications are on start-up and disable/remove the start up rule for "libWebGL64.jar"
  • Another solution is to delete java so it cannot run in the Java Runtime Environment, and then you can delete the jar by locating it in in %localappdata%\Microsoft Edge and an entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Run or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup

• All other OSes: Unaffected. The malware is hardcoded for Windows and Linux only. It is possible it will receive an update adding payloads for other OSes in the future.

Before downloading, the malware will create the enclosing directory if it does not exist. Windows/MS Edge does not use the "Microsoft Edge"-with-a-space directory, and Linux software likely does not use ~/.config/.data, so these folders existing may be a sign that stage1 has executed on a victim computer.

If stage2 successfully downloads, it will attempt to make itself start on boot by modifying the Windows registry, or dropping a systemd unit into /etc/systemd. (The Linux side of this payload is unlikely to work as it requires root privileges.)

Automated Script #

$appData = "$HOME\AppData"
$edgePath = "$appData\Local\Microsoft Edge"

$badPaths = @(
        "$edgePath\.ref",
        "$edgePath\client.jar"
        "$edgePath\lib.dll",
        "$edgePath\libWebGL64.jar",
        "$edgePath\run.bat",
        "$appData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\t"
)

$res = $false

ForEach ($Path in $badPaths) {
        if (Test-Path -Path $Path) {
                Write-Host "bad file found! removing $Path..."
                Remove-Item -Force $Path
                $res = $true
        }
}

if (!($res)) {
                Write-Host "nothing found! :)"
}

Read-Host -Prompt "press any button to exit"

#!/usr/bin/env bash

service_file="systemd-utility.service"
data_dir="$HOME/.config/.data"
bad_paths=(
        "$data_dir/.ref"
        "$data_dir/client.jar"
        "$data_dir/lib.jar"
        "$data_dir/lib.dll"
        "$data_dir/libWebGL64.jar"
        "$data_dir/run.bat"
        "$HOME/.config/systemd/user/$service_file"
        "/etc/systemd/system/$service_file"
)

res="true"
for path in "${bad_paths[@]}"; do
        if [ -f "$path" ]; then
                echo "bad file found! removing $path..."
                rm --force "$path"
                res="false"
        fi
done

if [ "$res" == "true" ]; then
        echo "nothing found :)"
fi

Files were found! What can I do? #

As said before, you should first CHANGE ALL OF YOUR PASSWORDS, as it is possible that the virus extracted all of your browsers saved passwords. You should also use MCRcortex's nekodetector, which will allow you to scan your entire system for other Java files that may try to create these files again.

Who was affected #

According to Luna Pixel Studios, "tens of mods & modpacks, mostly on 1.16.5 1.18.2 and 1.19.2 were updated to include malicious files"

The currently confirmed affected mods and modpacks are as follows:

At this point, we have enough samples to know this was quite widespread.

CurseForge:

• Dungeons Arise
• Sky Villages
• Better MC modpack series
• Fabuously Optimized (Found to not be compromised)
• Dungeonz
• Skyblock Core
• Vault Integrations
• AutoBroadcast
• Museum Curator Advanced
• Vault Integrations Bug fix
• Create Infernal Expansion Plus - Mod removed from CurseForge

Bukkit:

• Display Entity Editor
• Haven Elytra
• The Nexus Event Custom Entity Editor
• Simple Harvesting
• MCBounties
• Easy Custom Foods
• Anti Command Spam Bungeecord Support
• Ultimate Leveling
• Anti Redstone Crash (Not to be confused with "NTD AntiRedstoneCrash")
• Hydration
• Fragment Permission Plugin
• No VPNS
• Ultimate Titles Animations Gradient RGB
• Floating Damage

Luna Pixel Studios has stated its very likely someone has found a way to bypass 2fa and login to multiple large CurseForge profiles. The CurseForge profiles are also showing someone logging into them directly.

What we know about the malware #

Notice: Plugins with similar malware have been found as early as mid-April.

A number of CurseForge and dev.bukkit.org (not the Bukkit software itself) accounts were compromised, and malicious software was injected into many popular plugins and mods. There are reports of malicious plugin/mod JARs as early as May 22nd.

If you have downloaded any mods from CurseForge, or plugins from Bukkit, even through clients such as Prism Launcher or the official CurseForge launcher, it is recommended that you follow the "Am I infected?" guide below.

The affected accounts had two-factor authentication enabled. It's unlikely this is a simple password compromise situation; it may be auth token compromise or something bigger on the CF side. Multiple accounts are affected so we don't believe this is isolated.

We know platforms such as Modrinth to be unaffected.

It has been found that the information this virus steals is highly likely related to microsoft credentials and browser saved passwords. RESET ALL OF YOUR PASSWORDS after you have removed the virus

Distribution #

Some modpacks have had updates published for them without the knowledge of the authors, adding a dependency on malicious mods. These updates were archived immediately after uploading, meaning they do not show on the web UI, only via the API.

We cannot tell if the malicious mods were always malicious, or if they got edited. They have upload dates multiple weeks in the past. A CDN compromise or cache poisoning is not out of the question due to Curse's usage of the extremely outdated and insecure MD5 to verify downloads.

Technical info #

Please find up to date technical information on the fracturiser github - https://github.com/fractureiser-investigation/fractureiser

References #

https://github.com/fractureiser-investigation/fractureiser

Luna Pixel Studios #

DO NOT UPDATE MODS OR MODPACKS ON CURSEFORGE.

Several new files have been uploaded to projects by Luna Pixel Studios, including Sky Villages, When Dungeons Arise, and Better MC. These may or may not include malicious files. We are not responsible for this, and currently doing everything we can to remove these files.

This could be due to a CurseForge bug or someone with access to the Luna Pixel Studios account, or even CurseForge itself.

Currently, it is best to avoid downloading files off CurseForge until this is resolved. I will let you all know when this is resolved.

Thank you.

To clear up some questions:

Any launcher that uses CurseForge API is affected, but you are safe as long as you aren't downloading these files.

Nothing will auto-update unless you specifically told a launcher to do so.

These files are not confirmed to be malicious, but we still recommend doing an antivirus scan using Windows Defender.

Summary:

As of a couple hours ago, tens of mods & modpacks, mostly on 1.16.5, 1.18.2 and 1.19.2 have been updated to include malicious files. These projects include When Dungeons Arise, Sky Villages, and the Better MC modpack series. The CurseForge profile of these accounts show someone logging into them directly.

It is very likely that someone has access to several large CurseForge profiles and have found a way of bypassing 2FA to log into them.

You can see here that the Fabulously Optimized team was also affected: https://cdn.discordapp.com/attachments/790275974503202857/1115801834746023946/image.png

One of the malicious mods, DungeonsX, shows this code when decompiled: https://cdn.discordapp.com/attachments/790275974503202857/1115801511411335228/image.png

The main payload being sent from this code can be viewed here: https://pastebin.com/k2ZQKbEz

The DungeonsX mod downloads a jar file and loads it into minecraft, executes a function that downloads the program again, and saves it as a self running file. This mod has been added to all of Luna Pixel Studio's modpacks, and the files were immediately archived by the bad actor. It can be assumed that these files will become available again later, exposing hundreds of thousands of people to malware.

This code allows the mod to be used as a botnet and leave a backdoor on devices: https://chorb.is-from.space/DiscordPTB_gzDJsWklzc.png

The code being executed mainly targets Linux users, likely with the intent of infecting servers. This will still affect people on Windows.

The only file from this incident which is not already archived is https://www.curseforge.com/minecraft/mc-mods/skyblock-core/files/4570565.
This file was archived, but gained 10 downloads in that time, implying it's being shared on other platforms: https://cdn.discordapp.com/attachments/856652644113580072/1115811476591095908/image.png

It is recommended to hold off on updating any mods or modpacks until this is resolved. #

The Iris Project #

We have reason to believe many accounts on CurseForge have been hacked and are uploading malicious files containing bot-nets. Luna Pixel Studios, the owner of many big modpacks, is one of the affected accounts.
The situation is being actively looked into.

• Next: FTB Modpack Downloading Removal.
• Previous: [SECURITY UPDATE] Prism Launcher Release 6.3, now available