So let’s say you’re at your favorite modding site and you want to grab a Minecraft mod. You go ahead, you do a search and you download the one you want. What you don’t realize, however, is that your awesome mod is the first part of a three-stage payload that deploys an infostealer to your computer that’s going to hack into your Discord account, steal all your login passwords saved in the browser, download other malware and keep running every time your computer starts up. Oh wait, you’re on Linux, you say? Malware only works on Windows, right? Well, not in this case, because it’s actually platform independent. It’s going to work on Linux because, let’s remember, this is a Java file and Java is a cross-platform solution. It goes through the JVM, so it doesn’t matter whether you’re on Windows or Linux. Of course the damage may be contained if it’s not a root account, but it is going to work on Linux.

The best way to check if you’ve been affected by this malware, which is called Fractureiser, is to look for persistence mechanisms using Autoruns. So if you’ve got Sysinternals you can obviously open that up, go through your system Autoruns and see if you’ve got something called libWebGL64 or pretty much any unknown Java executable that’s starting up with your system. If that’s the case you want to disable it right away. You should also change all your passwords as if you’re compromised; they have likely stolen the passwords that have been cached in your browser and your accounts could be hacked at any time if they’re not already. You can also look for this main payload executable, which is a jar file, in your Microsoft Edge directory in Local AppData. It is likely going to be hidden, so you’re going to have to make hidden files visible first. It’s also going to be in Startup or in the registry under CurrentVersion\Run, and we’re actually going to go through the files in the VM and you’ll see references to all of these.

So the first thing is going to be the mod that you download. This is going to be stage one of the payload. Let’s see if it’s detected by engines on VirusTotal. Well, only 25 detections, and that is because, again, this is not an exe file, it’s not even a DLL file, it is a jar file, and while antivirus companies have been developing technologies to look into exes in many different ways, lots of analysis tools for that, there isn’t as much for dealing with Java files. However, a lot of the main ones do detect it by now, so Kaspersky, Bitdefender, of course F-Secure, they’ve all got it, Microsoft as well. But this is just the primer. The real deal is going to happen at the second stage, when your computer runs this trojan downloader Java file.

Now each of these are Java runtime files, but they do different things. So this one is a trojan downloader, and if we open it up and do some static analysis inside you will see what’s going on here. So we’ve got all of these different files, but if we go under the utility class, now of course we can’t read through all of this, but if we go ahead and do a Ctrl+F and we search for references to URL... oh, we’ve got quite a few references here, and let’s try to trace what it’s actually doing. So if we double click here we’ve got URL and then https files-8ie.pages.dev. That looks like a suspicious website, so I’m just going to copy that and we’re going to go ahead and try to visit that in our VM. Of course now this site seems to have been taken down, which means the malware is no longer going to activate if I actually run the sample, but if we do a search on VirusTotal you can see that this page is actually detected by 10 engines, so this was likely the primary malware deployment source.

But let’s go back into our code and try to see what else we’ve got here. So if I do a Ctrl+F and look for references to Startup, there’s the Start Menu Programs Startup. That’s a very traditional way of adding something to startup, via the Start Menu startup programs, and then we’ve likely got the reference to the file itself, which as you can see is in Local AppData\Microsoft Edge\libWebGL64.jar. So this is why you need to check if you’ve got this file in this location, because that is how the malware knows what to add to startup. So the file name is going to be consistent for everyone because this is hard coded, so you want to do a search on your system, make sure you don’t have this. Now I believe it also introduces a registry key somewhere, and there we go: add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. So this is another way to deploy a persistence mechanism so that every time you start your computer the malware is going to activate. So as you can see, the second part of this program does most of the heavy lifting: it’s setting up the payload, downloading it likely from the attacker C&C, creating the persistence mechanism for the malware to execute.

And now we’re going to look at stage 3, which is the actual malware sample. You know what, I’m feeling lucky, let’s go ahead and run it. It’s only 7.49 kilobytes because, again, like I said, the actual trojan downloader has already set everything up at this point. So when we run it, Windows Firewall actually starts blocking certain network access for this file, which is great. Now the issue of course with Windows Firewall is, if you’re used to playing games you see this warning a lot, and since this is a mod for a game after all, let’s say you’re launching your Minecraft, the payload launches with it and you get this prompt, you’re probably going to allow it because you’re just so conditioned. So we’re going to allow access; of course you shouldn’t do that. Now if we open up Process Explorer you can see that we now have a Java application running and it is likely trying to scrape all of our credentials from our browsers. So another useful tip here: never save your passwords in the browser. Use a password manager, use Bitwarden, whatever, because a lot of malware, once it has access to your system, is going to be able to decrypt that. Personally I just disabled that password saving feature when it first pops up.

So there you have it, that’s kind of the synopsis of the Fractureiser malware that’s been going around on Minecraft mods, and I think it’s important to look at this incident because it’s not the first time that game mods have been used to propagate malware. It’s likely going to be one of the most important propagation methods going forward, because let’s be honest, in what other use case are you most likely to go and download unverified code from other users? It’s likely going to be game mods. But if you do use those on a regular basis you should consider protecting your system well, and do exercise some caution when you’re downloading such files. It is also worth noting that most malware these days is going to have an infostealer component, so if you do get compromised it’s important to check all your accounts, reset your password, try to recover your account if it’s already been hacked. Sometimes there may be a time delay between them getting the credentials and them hacking your account, because if they’ve got a thousand credentials they’re not going to be able to use all of them immediately, so if you’re lucky your account may never get hacked if you just change your password immediately. Please like and share this video if you’ve enjoyed it, found it informative. Thank you so much for watching, and now to our sponsors.

This video is brought to you by CrowdSec, a free open source intrusion prevention system. The project is on GitHub so you can check it out today and install it on your favorite Linux box. I’ve already set it up on Ubuntu and it’s super simple and easy to use. CrowdSec allows you to ingest alerts from various sources, parse through the logs and build your own intrusion detection system. You can set up custom rules, leverage the community blacklist and automate your entire security process. So if you’re an individual or company looking to monitor alerts from various different sources, this is a great tool to do it. You can also deploy an agent on Windows, which is currently in alpha. Once you have it set up you’re going to look at the CrowdSec console. This is going to show you a bird’s eye view of all your agents, scenarios and alerts. You’ve also got access to cyber threat intelligence, so this is where you can look up any kind of IP that you like. So I’m just going to paste a malicious IP here, and if we do a search it’s going to give us the confidence level and the various actions associated with it. So as you can see this one is flagged as a bad actor; the attack details show it’s an HTTP scanner and crawler. You can see the reporting period and can also make comments. It’s very much community driven, and while some parts of the project are still in development, still in beta, this is a great time to jump in and start playing around with the tools, getting involved with the projects. So check them out, link in the description, show them some love for supporting The PC Security Channel. This is Leo, thank you so much for watching, and as always, stay informed, stay secure.

Video Information
This video, titled ‘Minecraft Mod Malware’, was uploaded by The PC Security Channel on 2023-06-18 18:31:23.
Malware Minecraft Mods on CurseForge named Fractureiser steals your login credentials from browsers in a three step java .jar …
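The video checks three persistence locations by hand: the hidden libWebGL64.jar under the Microsoft Edge folder in Local AppData, the Start Menu Startup folder, and the per-user CurrentVersion\Run key. The following read-only PowerShell triage script is an added example, not code from the video or from The PC Security Channel. The file name and the two persistence locations are the ones named in the transcript; the rule of flagging any Run value or Startup shortcut that launches java/javaw or a .jar is our own assumption and will also surface legitimate Java launchers, so treat its output as a review list rather than a verdict.

```powershell
# Added example (not from the video): report Java-based persistence in the
# locations the Fractureiser walkthrough names. Read-only: nothing is deleted.
# Assumed heuristic: any startup entry that launches java/javaw or a .jar is
# worth a look; legitimate Java software will show up here too.

$javaPattern = 'javaw?(\.exe)?\b|\.jar\b'   # assumption: matches "java", "javaw.exe", "x.jar"
$findings    = @()

# 1. The hard-coded stage-3 payload path from the video. The file is hidden,
#    so -Force is required for Get-Item to see it.
$payload = Join-Path $env:LOCALAPPDATA 'Microsoft Edge\libWebGL64.jar'
if (Test-Path -LiteralPath $payload) {
    $item = Get-Item -LiteralPath $payload -Force
    $findings += [pscustomobject]@{
        Location = 'File'
        Detail   = "$payload ($($item.Length) bytes, attributes: $($item.Attributes))"
    }
}

# 2. Per-user Run key named in the video: flag values that launch Java or a .jar.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds provider metadata properties; skip those.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $cmd = [string]$p.Value
        if ($cmd -match $javaPattern) {
            $findings += [pscustomobject]@{ Location = "Run\$($p.Name)"; Detail = $cmd }
        }
    }
}

# 3. Start Menu Startup folder: loose .jar files, or shortcuts whose target is Java/.jar.
$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
foreach ($f in (Get-ChildItem -LiteralPath $startup -Force -File -ErrorAction SilentlyContinue)) {
    if ($f.Extension -ieq '.jar') {
        $findings += [pscustomobject]@{ Location = 'Startup'; Detail = $f.FullName }
    }
    elseif ($f.Extension -ieq '.lnk') {
        $lnk    = $shell.CreateShortcut($f.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($target -match $javaPattern) {
            $findings += [pscustomobject]@{ Location = 'Startup'; Detail = "$($f.FullName) -> $target" }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Java-based persistence found in the locations checked.'
}
else {
    Write-Host 'Review these entries (legitimate Java launchers will also appear):'
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from a normal (non-elevated) PowerShell session as the user who installed the mod, since both the file path and the Run key are per-user. If anything is listed, follow the video's advice: disable the entry, then change the passwords that were saved in the browser, because the infostealer may already have exfiltrated them.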