A platform that provides plugin software for the wildly popular Minecraft game is advising users to immediately stop downloading or updating mods after discovering malware has been injected into dozens of offerings it makes available online.
The mod-developer accounts were hosted by CurseForge, a platform that hosts accounts and forums related to add-on software known as mods or plugins, which extend the capabilities of the standalone Minecraft game. Some of the malicious files used in the attack date back to mid-April, a sign that the account compromises have been active for weeks. Bukkit.org, a developer platform run by CurseForge, is also believed to be affected.
Fracturiser infecting Windows and Linux systems
“A number of Curseforge and dev.bukkit.org (not the Bukkit software itself) accounts were compromised, and malicious software was injected into copies of many popular plugins and mods,” gamers wrote in a forum dedicated to discussing the event. “Some of these malicious copies have been injected into popular modpacks including Better Minecraft. There are reports of malicious plugin/mod JARs as early as mid-April.”
Officials with Prism Launcher, maker of an open source Minecraft launcher, described the infections as “widespread” and listed the following mods as affected:
CurseForge:
- Dungeons Arise
- Sky Villages
- Better MC modpack series
- Dungeonz
- Skyblock Core
- Vault Integrations
- AutoBroadcast
- Museum Curator Advanced
- Vault Integrations Bug fix
- Create Infernal Expansion Plus - Mod removed from CurseForge
Bukkit:
- Display Entity Editor
- Haven Elytra
- The Nexus Event Custom Entity Editor
- Simple Harvesting
- MCBounties
- Easy Custom Foods
- Anti Command Spam Bungeecord Support
- Ultimate Leveling
- Anti Redstone Crash
- Hydration
- Fragment Permission Plugin
- No VPNS
- Ultimate Titles Animations Gradient RGB
- Floating Damage
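The two lists above are the only concrete indicator the article gives, so a first triage step for anyone running a modded client or server is to inventory installed JARs, flag any whose filename matches one of the named mods, and record a SHA-256 for each so the file can be checked against whatever the platform publishes. The script below is an added example, not code from the article, Prism Launcher, or CurseForge; it assumes mods live as `.jar` files under one directory, matches on filename only (a name hit is a hint to verify, not proof of infection), and builds a constructed sample directory so it runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Mod names the article lists as affected (CurseForge and Bukkit lists).
AFFECTED_MOD_NAMES = [
    "Dungeons Arise", "Sky Villages", "Better MC", "Dungeonz", "Skyblock Core",
    "Vault Integrations", "AutoBroadcast", "Museum Curator Advanced",
    "Create Infernal Expansion Plus", "Display Entity Editor", "Haven Elytra",
    "The Nexus Event Custom Entity Editor", "Simple Harvesting", "MCBounties",
    "Easy Custom Foods", "Anti Command Spam Bungeecord Support",
    "Ultimate Leveling", "Anti Redstone Crash", "Hydration",
    "Fragment Permission Plugin", "No VPNS",
    "Ultimate Titles Animations Gradient RGB", "Floating Damage",
]


def normalize(name):
    # Lowercase and keep only letters and digits, so a filename such as
    # "sky-villages-1.3" compares equal to the listed name "Sky Villages".
    return re.sub(r"[^a-z0-9]", "", name.lower())


NORMALIZED = {normalize(n): n for n in AFFECTED_MOD_NAMES}


def sha256_of(path):
    # Stream the file so large JARs do not have to be read into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_mods_dir(mods_dir):
    """Return one record per .jar under mods_dir: path, SHA-256 and the
    affected-mod name its filename matches (None when it matches nothing).
    A name match is only a prompt to verify the hash against an advisory."""
    results = []
    for path in sorted(Path(mods_dir).rglob("*.jar")):
        stem = normalize(path.stem)
        hit = next((orig for norm, orig in NORMALIZED.items() if norm in stem), None)
        results.append({"path": str(path), "sha256": sha256_of(path), "matches": hit})
    return results


def flagged(results):
    # Only the records whose filename matched a listed mod.
    return [r for r in results if r["matches"] is not None]


def build_sample_mods_dir():
    # Constructed sample directory: placeholder bytes, not real mod files.
    d = Path(tempfile.mkdtemp(prefix="mods-"))
    (d / "sky-villages-1.3.jar").write_bytes(b"constructed sample A")
    (d / "jei-12.0.jar").write_bytes(b"constructed sample B")
    (d / "Hydration-2.1.jar").write_bytes(b"constructed sample C")
    return d


if __name__ == "__main__":
    # Point scan_mods_dir at a real mods folder (e.g. ~/.minecraft/mods) in practice.
    for rec in scan_mods_dir(build_sample_mods_dir()):
        tag = f"MATCHES '{rec['matches']}'" if rec["matches"] else "no name match"
        print(f"{rec['sha256']}  {rec['path']}  [{tag}]")
```

Run it against the real mods folder instead of the constructed one, and keep the printed hashes: a filename that matches nothing can still be a tampered copy, so the hash list is what lets you compare every installed JAR against the platform's cleaned releases rather than trusting names alone.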
Participants posting in the forum said the malware used in the attack, dubbed Fracturiser, runs on Windows and Linux systems. It’s delivered in stages that are initiated by Stage 0, which begins once someone runs one of the infected mods. Each stage downloads files from a command-and-control server and then calls for the next stage. Stage 3, believed to be the final stage in the sequence, creates folders and scripts, makes changes to the system registry, and goes on to perform the following: