Dangerous malware has been found in Minecraft mods downloaded from a number of popular gaming sites. Let's talk about what we know so far.
Reports have surfaced in gaming communities that a number of Minecraft mods hosted on CurseForge and dev.bukkit.org have been infected with previously unknown malware, which has been provisionally named Fractureiser. Players are advised to hold off on downloading new .jar files from these sites for now, and anyone who has installed something recently should scan their computer with an antivirus. Users on Windows and Linux are at risk (other operating systems appear to be unaffected).
How did malware get into mods?
According to the initial reports, developer accounts on CurseForge.com and dev.bukkit.org were compromised, which let the unknown attackers inject their malicious code into some of those developers' mods.
The developers of the Prism Launcher, however, believe the attackers may instead have exploited a vulnerability in the Overwolf platform (CurseForge's owner). They have also published a list of mods in which Fractureiser was found.
What is Fractureiser malware and what does it do?
According to the enthusiasts who analysed it, once a compromised mod is installed and the game is launched, the malicious code contacts a remote server and downloads an additional payload. That payload immediately creates directories and scripts and, on Windows, adds a registry entry so that the malware is launched again when the computer is restarted.
Independent researchers report that in its final stage the malware tries to spread into every .jar file it can find on the system (presumably to reach mods downloaded earlier, so removing the one bad mod is not enough to get clean). It can also steal cookies and saved credentials from a number of browsers and replace cryptocurrency wallet addresses in the clipboard with the attackers' own.
Signs of infection with the Fractureiser malware
Participants in the Reddit discussion concluded that, on Windows, the presence of a file named libWebGL64.jar in %LOCALAPPDATA%\Microsoft Edge\ (that is, AppData\Local\Microsoft Edge\ under the user profile) can be treated as an indicator of infection; the malware creates the file there and marks it hidden. Note the space in the folder name: the legitimate Edge profile lives in Microsoft\Edge, so a folder literally called "Microsoft Edge" is itself suspicious. To see the file in Explorer, enable "Show hidden files, folders, and drives" in Folder Options and also untick "Hide protected operating system files".
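To turn the indicators described above into a repeatable host check, here is an added example script; it is not from the original post or from the researchers who analysed Fractureiser. It looks for the dropped libWebGL64.jar at the path quoted above, lists mod jars whose modification time is newer than when you installed them (a heuristic for the jar-rewriting stage from the previous section), and, on Windows, enumerates the per-user Run key for entries referencing the dropped jar (the post says only "registry"; the Run key is an assumption about where a reboot-persistent launch would be registered). The fixture built by demo() is constructed sample data, not real malware.

```python
"""Host check for the Fractureiser indicators described on this page.
Added example (not from the original post or its researchers)."""
import os
import sys
import tempfile
import time
import zipfile
from pathlib import Path

# Drop location quoted on this page. Note the space: the real Edge profile lives in
# %LOCALAPPDATA%\Microsoft\Edge, so a folder literally named "Microsoft Edge" is suspect.
IOC_RELATIVE = Path("Microsoft Edge") / "libWebGL64.jar"


def local_app_data() -> Path:
    """%LOCALAPPDATA% on Windows. Elsewhere the same layout is mirrored under $HOME so
    the function stays callable; the page gives no Linux path, so this is an assumption."""
    env = os.environ.get("LOCALAPPDATA")
    return Path(env) if env else Path.home() / "AppData" / "Local"


def find_dropped_jar(base):
    """Return the dropped jar's path if it exists under `base`, else None."""
    candidate = Path(base) / IOC_RELATIVE
    return candidate if candidate.is_file() else None


def recently_modified_jars(mods_dir, since_epoch: float):
    """Jars under `mods_dir` whose mtime is newer than `since_epoch`.
    The final stage rewrites every .jar it can reach, so a mod jar that changed after
    you installed it deserves a closer look. Legitimate updates also move the mtime,
    so treat hits as leads, not proof."""
    return sorted(p for p in Path(mods_dir).rglob("*.jar")
                  if p.stat().st_mtime > since_epoch)


def run_key_entries_mentioning(needle: str = "libWebGL64"):
    """Windows only: HKCU Run values that reference the dropped jar (assumed autostart
    location; the page only says 'registry'). Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    hits = []
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once we run past the last value
                return hits
            if needle.lower() in str(value).lower():
                hits.append((name, value))
            index += 1


def demo():
    """Constructed fixture: a fake profile containing the dropped jar plus a mods folder
    holding one untouched jar and one rewritten after the pretend install time."""
    root = Path(tempfile.mkdtemp(prefix="fractureiser-demo-"))
    appdata = root / "AppData" / "Local"
    (appdata / IOC_RELATIVE).parent.mkdir(parents=True)
    with zipfile.ZipFile(appdata / IOC_RELATIVE, "w") as jar:
        jar.writestr("README.txt", "constructed placeholder, not real malware")
    mods = root / ".minecraft" / "mods"
    mods.mkdir(parents=True)
    installed_at = time.time() - 7 * 24 * 3600  # pretend the mods went in a week ago
    for name, mtime in (("old-mod.jar", installed_at - 3600),
                        ("rewritten-mod.jar", time.time())):
        with zipfile.ZipFile(mods / name, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        os.utime(mods / name, (mtime, mtime))
    return {
        "dropped_jar": find_dropped_jar(appdata),
        "suspicious_jars": [p.name for p in recently_modified_jars(mods, installed_at)],
        "run_key_hits": run_key_entries_mentioning(),
    }


if __name__ == "__main__":
    # Real run against this host. %APPDATA%\.minecraft (Windows) or ~/.minecraft (Linux)
    # is the default game folder; point `mods` elsewhere if you use a custom launcher.
    print("dropped jar:", find_dropped_jar(local_app_data()) or "not found")
    mods = Path(os.environ.get("APPDATA", Path.home())) / ".minecraft" / "mods"
    if mods.is_dir():
        week_ago = time.time() - 7 * 24 * 3600  # replace with your last install time
        for p in recently_modified_jars(mods, week_ago):
            print("jar modified in the last week:", p)
    for name, value in run_key_entries_mentioning():
        print("autostart entry:", name, "=", value)
    print("demo fixture:", demo())
```

A hit from any of the three checks is a reason to take the machine offline and scan it, not a verdict on its own: the mtime heuristic in particular will also flag mods you updated yourself, which is why the script reports names rather than deleting anything.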
How to stay safe?
If you play Minecraft with third-party mods, the first thing to do is scan your computer with a reputable antivirus. If it finds anything, change every password used on that machine for online services, preferably from a different, clean device, and sign out of active sessions, since the malware steals browser cookies as well as credentials.
We also recommend following the news and not downloading new Minecraft mods until the situation is resolved, and not only directly from the sites named above: do not install them through third-party software either, such as launchers or modpack managers that fetch from the same sources. Mods, add-ons and plugins for other games that are distributed the same way do not appear to be affected by this attack. However, if the distribution channels for mods really are compromised, the attackers may well find other ways to spread the infection.
In general, game modifications are developed by enthusiasts and hosted on independent platforms, and the games' own developers take no responsibility for their safety. It is therefore best to use mods only on computers with a security solution installed.
That's the roundup. It took me a fair amount of time, so if you liked it, subscribe to my Telegram channel, where something interesting comes out every day =)