Eyyyy, how’s it going folks? So, there was a little oopsie happening recently on CurseForge, where a bunch of popular mods and modpacks received malicious updates. As new malware that has been dubbed “fractureiser” spread, many different communities rushed to alert their users of the danger without looking into what was actually happening, which led to some misreporting and a bunch of inaccurate information being spread. In this video, we’ll try to get a clear view of the situation and answer the following questions: 1. What ACTUALLY happened? 2. Are you at risk of being infected? And 3. What should you do, if anything? So let’s dive right in.

To answer the first question, let’s look at one of the earliest announcements related to this incident. This is posted on the Legacy Modding Discord server, but chances are you have seen this exact text elsewhere, Sky Villages, and the Better MC modpack series. The CurseForge profiles of these accounts show someone logging into them directly. It is very likely that someone has access to several large CurseForge profiles, and has found a way of bypassing 2FA to log into them.” The post then goes into some very fragmented evidence regarding the whole case, some technical details, and ways in which you can detect whether your system has been infected, which is something we’ll talk about extensively a bit later.

Around the same time Prism Launcher posted an update on their website, which reads: “!ALERT! Security vulnerability in the CurseForge platform. Multiple groups are reporting CurseForge as compromised. Malware has been uploaded in various projects and it may be a security vulnerability in the CurseForge platform. We recommend not downloading or updating any mods from CurseForge at the moment, and we will update you all with the latest news as more information becomes available.” And then they show some Discord posts from Luna Pixel Studios which detail what happened to them specifically.
As you may have noticed, I’m showing this to you on the Wayback Machine, and that’s because the article has since been updated to reflect some additional information. But if you happened to be one of its early readers, like I was, you could’ve got the impression that the whole CurseForge platform was compromised and the impact was absolutely devastating. But fear not, because that’s absolutely not what happened. You see, even back then, try as I might, I could not find any evidence of large accounts other than that of Luna Pixel Studios being compromised. The only bit of information suggesting that was this post from the author of Fabuously- …from the author of Fabuo- …from the author of Fabuosly Optim- Ah, **** it. *drops headset* *leaves chair* *walks away* …this post from the author of the Fabulously Optimized modpack, which mentions the CurseForge launcher trying to download some unidentified mod as part of a modpack update. Suspicious as that may seem, the launcher couldn’t actually download the mod, and the whole thing looked a lot more like a bug in the launcher itself. This would later be confirmed by another announcement from the author of Fabulously Optimized. By the way, this author is someone I know and collaborate with on my No Chat Reports mod, and trust me – you can trust that guy.

The first bit of clarity in this sea of chaos comes with the announcement from CurseForge themselves, which reads as follows: “Hey everyone, we would like to address the current situation that is ongoing and highlight some important points: – A malicious user has created several accounts and uploaded projects containing malware to the platform; – Separately a user belonging to Luna Pixel Studios (LPS) was hacked and was used to upload similar malware; – We have banned all accounts relevant to this and disabled the LPS one as well.
We are in direct contact with the LPS team to help them restore their access; – We are in the process of going through ALL new projects and files to guarantee your safety. We are of course holding the approval process of all new files until this is resolved; – Deleting your CF client isn’t a recommended solution; it will not solve the issue and will prevent us from deploying a fix. We are working on a tool to help you make sure you weren’t exposed to any of this; – And to be clear, CurseForge is not compromised! No admin account was hacked.”

Now, I may not trust CurseForge just by default, but this announcement was fairly consistent with the information I was able to gather independently up until that point. You see, all this time I was looking to get my hands on as many samples of infected mod files as possible. And although I was going out of my way to find them, it was actually really difficult. The majority of infected files had already been removed from the platform, and new ones just… weren’t popping up, suggesting that CurseForge had indeed managed to get the situation under control. Good job, CurseForge!.. …for once.

To really understand the impact, it’s important to understand how the LPS account got compromised in the first place. Luckily, Luna Pixel Studios came forward with another announcement detailing how that happened. So let’s read it: “To clear up the misinformation regarding how the Luna Pixel Studios account was infected, I will lay out exactly what happened: – Sharkie, the studio’s owner, downloaded a mod named DungeonX directly from the CurseForge website. This mod was one of about 20 across CurseForge and Bukkit that included this malicious code; – He ran Minecraft with the mod installed; – Every Minecraft-related jar file on his laptop was infected with the virus, and all of his passwords were stolen, including the Luna Pixel Studios account. – The hacker logged into the LPS account and uploaded malicious files which included this code.
A majority of these files, including all modpack files, were archived by the hacker for unknown reasons. This means that modpacks were safe during this time, and likely always have been. When the alarms were raised within our developer channels, I immediately contacted everyone I could to get this information spread.”

So, based on everything we have seen so far, the conclusions are fairly simple. There is no evidence to suggest that more than one large CurseForge account was compromised, and the one that was compromised got that way because its owner downloaded a malicious mod themselves. All other malicious mods seem to have originated from accounts that were specifically made to upload malware to the platform. It is also worth mentioning that the host the infected mods tried to connect to in order to deploy the main payload has been taken down after an abuse report. So even if you were to run a Minecraft client with one of them now, they wouldn’t really do anything.

Aaaand just as I was finishing up the narration for this video, another announcement from CurseForge came out, informing us that the situation has been mostly taken care of, and answering some common questions people still have. And it happens to be one of those rare instances where I share their optimism. Because again, the reaction has been very swift, and they seem to have taken every action on their side required to efficiently resolve this. Of course, there’s a whole other discussion to be had here about the efficiency of CurseForge’s review and approval process for new projects, as well as the security of the Minecraft modding ecosystem as a whole. But the reality is that the actual impact of this particular malware outbreak is fairly limited, and chances are you never even came close to downloading one of those infected mods. So, no need to panic. In case you want to be 100% sure that your computer is safe – good news for you!
Because with the help of the community, CurseForge managed to design a detection tool that can help you figure out whether or not your machine has been infected. They also have a dedicated article on their website explaining how to use it, and what to do if it turns out your machine is indeed compromised. I’ll link both this article and the download of their tool in the description.

Now, if you are more technically inclined like I am, you are probably not so much concerned about your safety as just interested in the functional capabilities of the malware in question. Those are fairly standard as far as malware goes: stealing cookies, hijacking crypto wallets, stealing account credentials from browsers and Discord clients… The only really interesting part is one of the ways it tries to put roots into the compromised system, which is by infecting everything that looks like a Minecraft mod file. If you’re interested in knowing more, there’s a wonderful article on hackmd.io which goes into the details behind an ongoing investigation and reverse-engineering effort related to this malware. If you’re willing to do some reverse-engineering yourself, I’d love to just give you a direct link to some malware samples… But unfortunately I can’t, because YouTube. But you can reach out to the team behind that hackmd article via the email in the article itself, or join #cfmalware on esper.net; again, stuff in the description.

Aaaand… that’s about it. I feel like this video should answer 99% of the questions you could have had about this whole happening, but if you have any left, feel free to ask in the comments. Again, it’s true that this incident gives us something to consider about the security of the Minecraft modding ecosystem as a whole, and some of the particular platforms it is heavily reliant on. But the root causes of these issues are very fundamental and there’s no simple solution to them.
So I feel like this topic is better left for a whole other video, which I may or may not make. Stay safe, and I hope we shall meet once more.

Video Information
This video, titled ‘Minecraft Malware OUTBREAK! What happened and what to do?’, was uploaded by Aizistral on 2023-06-09 12:08:00. It has garnered 5698 views and 405 likes. The duration of the video is 00:09:30 or 570 seconds.
Following the recent malware outbreak across CurseForge and some other modding-related platforms, I have made this video to shed objective light on the current situation, as well as inform you what actions you can take to ensure your computer is not infected.
TIMESTAMPS:
00:00 Intro
00:39 Figuring out what happened
07:34 How to ensure you’re not infected?
07:58 Technical details and reverse-engineering
08:56 Epilogue
CurseForge article about their detection tool: https://support.curseforge.com/en/support/solutions/articles/9000228509-june-2023-infected-mods-detection-tool/
Detection tool itself: https://github.com/overwolf/detection-tool/releases/tag/0.0.2
Prism Launcher article: https://prismlauncher.org/news/cf-compromised-alert/
hackmd.io article dedicated to the community-driven investigation and reverse-engineering effort of Fractureiser: https://hackmd.io/@jaskarth4/B1gaTOaU2#Stage3-clientjar
There’s also a GitHub repository dedicated to it: https://github.com/fractureiser-investigation/fractureiser
You can join #cfmalware on https://esper.net to become involved with that effort yourself.