Dozens of popular Minecraft mods found infected with Fracturiser malware

A platform that provides plugin software for the wildly popular Minecraft game is advising users to immediately stop downloading or updating mods after discovering malware has been injected into dozens of offerings it makes available online.

The mod-developer accounts were hosted by CurseForge, a platform that hosts accounts and forums related to add-on software known as mods or plugins, which extend the capabilities of the standalone Minecraft game. Some of the malicious files used in the attack date back to mid-April, a sign that the account compromises have been active for weeks. Bukkit.org, a developer platform run by CurseForge, is also believed to be affected.

Fracturiser infecting Windows and Linux systems

“A number of Curseforge and dev.bukkit.org (not the Bukkit software itself) accounts were compromised, and malicious software was injected into copies of many popular plugins and mods,” gamers wrote in a forum dedicated to discussing the event. “Some of these malicious copies have been injected into popular modpacks including Better Minecraft. There are reports of malicious plugin/mod JARs as early as mid-April.”

Officials with Prism Launcher, maker of an open source Minecraft launcher, described the infections as “widespread” and listed the following mods as affected:

CurseForge:

• Dungeons Arise
• Sky Villages
• Better MC modpack series
• Dungeonz
• Skyblock Core
• Vault Integrations
• AutoBroadcast
• Museum Curator Advanced
• Vault Integrations Bug fix
• Create Infernal Expansion Plus - Mod removed from CurseForge

Bukkit:

• Display Entity Editor
• Haven Elytra
• The Nexus Event Custom Entity Editor
• Simple Harvesting
• MCBounties
• Easy Custom Foods
• Anti Command Spam Bungeecord Support
• Ultimate Leveling
• Anti Redstone Crash
• Hydration
• Fragment Permission Plugin
• No VPNS
• Ultimate Titles Animations Gradient RGB
• Floating Damage

Participants posting in the forum said the malware used in the attack, dubbed Fracturiser, runs on Windows and Linux systems. It’s delivered in stages that are initiated by Stage 0, which begins once someone runs one of the infected mods. Each stage downloads files from a command-and-control server and then calls for the next stage. Stage 3, believed to be the final stage in the sequence, creates folders and scripts, makes changes to the system registry, and goes on to perform the following:

• Propagate itself to all JAR (Java archive) files on the filesystem, possibly allowing Fracturiser to infect other mods that weren’t downloaded from CurseForge or BukkitDev
• Steal cookies and login information for multiple Web browsers
• Replace cryptocurrency addresses in the clipboard with alternate ones
• Steal Discord credentials
• Steal Microsoft and Minecraft credentials

As of 10:45 California time, only four of the major antivirus engines detect Fracturiser, according to samples of the malware posted to VirusTotal here and here. Forum participants said that people who want to manually check their systems for signs of infection should look for the following:

• Linux: ~/.config/.data/lib.jar
• Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar)
  • Make sure to show hidden files when checking
  • Yes, “Microsoft Edge” with a space. MicrosoftEdge is the legitimate directory used by actual Edge.
  • Also check the registry for an entry at HKEY_CURRENT_USER:\Software\Microsoft\Windows\CurrentVersion\Run
  • Or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
• All other OSes: Unaffected. The malware is hardcoded for Windows and Linux only. It is possible it will receive an update adding payloads for other OSes in the future.

People investigating the incident have made scripts available here to help check for these files. CurseForge has disinfection guidance here.

On social media, CurseForge officials said that a "malicious user has created several accounts and uploaded projects containing malware to the platform." The officials went on to say that a user belonging to mod developer Luna Pixel Studios was also hacked and the account was used to upload similar malware.

In an update CurseForge officials sent over a Discord channel, they wrote:

• A malicious user has created several accounts and uploaded projects containing malware to the platform
• Separately a user belonging to Luna Pixel Studios (LPS) was hacked and was used to upload similar malware
• We have banned all accounts relevant to this and disabled the LPS one as well. We are in direct contact with the LPS team to help them restore their access
• We are in the process of going through ALL new projects and files to guarantee your safety. We are of course holding the approval process of all new files until this is resolved
• Deleting your CF client isn’t a recommended solution as it will not solve the issue and will prevent us from deploying a fix. We are working on a tool to help you make sure you weren’t exposed to any of this. In the meantime refer to information published in #current-issues.
• This is relevant ONLY to Minecraft users
• To be clear CurseForge is not compromised! No admin account was hacked.

We are working on this to make sure the platform remains a safe place to download and share mods. Thank you to all authors and users who help us with highlighting, we appreciate your cooperation and patience ❤️

In an online interview, an official with Luna Pixel Studio wrote: