Infected Minecraft Mods Spread Malware via CurseForge and Bukkit
In a recent development, CurseForge, a widely used platform that distributes mods and plugins for Minecraft, is advising users to halt all mod downloads and updates immediately. This follows the discovery that malware had been injected into dozens of mods offered through the platform. The compromised mod-developer accounts were hosted on CurseForge and on Bukkit.org, another developer platform run by CurseForge that is also suspected to be affected.
The malware, known as Fracturiser, has been infecting Windows and Linux systems. It was discovered that several CurseForge and dev.bukkit.org accounts were compromised, and the malicious software was injected into copies of many popular plugins and mods. Some of these malicious copies have been detected in popular modpacks, such as Better Minecraft. Reports suggest that the compromises have been active for weeks, with signs of the malicious plugin/mod JARs as early as mid-April.
Among the mods listed as affected are:
- Dungeons Arise
- Sky Villages
- Better MC modpack series
- Dungeonz
- Skyblock Core
- Vault Integrations
- AutoBroadcast
- Museum Curator Advanced
- Vault Integrations Bug fix
- Create Infernal Expansion Plus (this mod has been removed from CurseForge)
The malware operates in stages, with Stage 0 initiated once an infected mod is run. Each stage downloads files from a command-and-control server and then prompts the next stage. The final stage, believed to be Stage 3, creates folders and scripts, modifies the system registry, and performs several malicious actions:
- Propagation to all JAR files on the filesystem, potentially infecting other mods that weren’t downloaded from CurseForge or BukkitDev
- Theft of cookies and login information from multiple web browsers
- Replacement of cryptocurrency addresses in the clipboard with alternate ones
- Theft of Discord, Microsoft, and Minecraft credentials
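Because the final stage spreads by writing itself into every JAR it can reach, one defensive check a server or modpack admin can run is a baseline-and-diff over the JARs in a mods/ or plugins/ directory. The following Python script is an added example, not code from the article, CurseForge, or any affected mod; the JAR names and class entries it creates are constructed for the demonstration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def jar_fingerprint(jar_path):
    """Map every file entry in a JAR (a zip archive) to its SHA-256 digest."""
    digests = {}
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def build_baseline(root):
    """Fingerprint every *.jar below root (e.g. a mods/ or plugins/ directory)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): jar_fingerprint(p) for p in root.rglob("*.jar")}

def diff_baseline(root, baseline):
    """Re-scan root and report JARs that gained entries (an injected class),
    whose existing entries changed, or that did not exist at baseline time."""
    findings = {}
    for jar, entries in build_baseline(root).items():
        old = baseline.get(jar)
        if old is None:
            findings[jar] = {"status": "new"}
            continue
        added = sorted(set(entries) - set(old))
        changed = sorted(e for e in entries if e in old and old[e] != entries[e])
        if added or changed:
            findings[jar] = {"status": "modified", "added": added, "changed": changed}
    return findings

def demo():
    """Constructed scenario: two clean JARs are baselined, then one gains a class."""
    root = Path(tempfile.mkdtemp())
    for name in ("mods/alpha.jar", "mods/beta.jar"):
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe clean")
    baseline = build_baseline(root)
    # Simulate a JAR altered after the baseline: one extra class file is appended.
    with zipfile.ZipFile(root / "mods/beta.jar", "a") as zf:
        zf.writestr("com/example/Injected.class", b"\xca\xfe\xba\xbe injected")
    return diff_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())
```

In real use the baseline should be saved (for example as JSON) from a known-clean state and re-checked after any suspicious activity; a legitimate mod update also shows up as "modified", so findings need to be matched against updates you actually performed.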
As of now, only four of the major antivirus engines detect Fracturiser. Users can manually check their systems for signs of infection by looking for certain files.
In response to the breach, CurseForge officials stated that a malicious user created several accounts and uploaded projects containing malware to the platform. In addition, an account belonging to mod developer Luna Pixel Studios was hacked and used to upload similar malware.
CurseForge is currently working to ensure the platform remains a safe place to download and share mods. In an online interview, an official with Luna Pixel Studios detailed how a malicious mod was installed from the "latest updated" section of the CurseForge Launcher. The mod was tested for potential inclusion in a new modpack update but was removed after it was found to be unsuitable. By that time, however, the malware had already started running, leading to further complications.
CurseForge has issued its own tool to detect infections, but the efficacy of this tool remains unclear at this time. Despite isolating the incident and releasing a malware detection tool to help those affected, the platform has urged users not to delete the CurseForge client but to avoid updating or downloading new mods for the time being. The scale of the malware distribution could be substantial given the platform’s popularity, particularly among younger Minecraft players. CurseForge is working to mitigate the damage, and users are advised to avoid updating their Minecraft mods via CurseForge until the platform gives the all-clear.