{"id":21219,"date":"2023-06-07T09:33:26","date_gmt":"2023-06-07T13:33:26","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/curseforge-compromised-fractureiser\/21219\/"},"modified":"2023-06-07T18:01:03","modified_gmt":"2023-06-07T14:01:03","slug":"curseforge-compromised-fractureiser","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/curseforge-compromised-fractureiser\/21219\/","title":{"rendered":"Minecraft players under attack"},"content":{"rendered":"<p>The gaming community is actively discussing <a href=\"https:\/\/www.reddit.com\/r\/feedthebeast\/comments\/142zxka\/some_curseforge_accounts_might_be\/\" target=\"_blank\" rel=\"nofollow noopener\">news<\/a> about malware dubbed <strong>fractureiser<\/strong>, found in mods for Minecraft. It was downloaded from <strong>CurseForge<\/strong> and <strong>dev.bukkit.org<\/strong>. Gamers are advised not to download new <strong>.jar<\/strong> files from those sites. Anyone who did recently should check their computers with antimalware solutions. The malware affects players of Windows and Linux game versions (looks like users of other OSs are safe).<\/p>\n<h2>How malware got into mods<\/h2>\n<p>According to the initial hypothesis, unknown cybercriminals compromised mod developers\u2019 accounts on CurseForge.com and <a href=\"http:\/\/dev.bukkit.org\/\" target=\"_blank\" rel=\"nofollow noopener\">dev.bukkit.org<\/a>. This allowed them to place their malicious code into several mods.<\/p>\n<p>However, Prism Launcher developers <a href=\"https:\/\/prismlauncher.org\/news\/cf-compromised-alert\/\" target=\"_blank\" rel=\"nofollow noopener\">suspect<\/a> that someone may have exploited an unknown vulnerability in the Overwolf platform. 
They also posted a <a href=\"https:\/\/prismlauncher.org\/news\/cf-compromised-alert\/#who-has-been-affected-(so-far)\" target=\"_blank\" rel=\"nofollow noopener\">list of the mods<\/a> known to be infected with fractureiser.<\/p>\n<h2>What is fractureiser malware and what does it do?<\/h2>\n<p><a href=\"https:\/\/hackmd.io\/@jaskarth4\/B1gaTOaU2\" target=\"_blank\" rel=\"nofollow noopener\">Enthusiasts report<\/a> that after the compromised mod is installed and the game is launched, the malicious code downloads and executes an additional payload from a remote server. This payload begins to create folders and scripts, and makes changes to the system registry in order to run the malware after a reboot.<\/p>\n<p>Independent researchers state that, in the final stage of the attack, the malware tries to spread the infection to all .jar files on the computer (supposedly trying to reach all previously downloaded mods). This malware can also steal cookie files and credentials stored in browsers. Furthermore, it\u2019s capable of switching cryptowallet addresses on the clipboard.<\/p>\n<h2>Fractureiser infection signs<\/h2>\n<p>A Reddit discussion <a href=\"https:\/\/www.reddit.com\/r\/feedthebeast\/comments\/142zxka\/some_curseforge_accounts_might_be\/\" target=\"_blank\" rel=\"nofollow noopener\">concluded<\/a> that the presence of the libWebGL64.jar file may be considered a definite sign of infection. The malware creates this file in the %LOCALAPPDATA%\/Microsoft Edge\/ or \/AppData\/Local\/Microsoft Edge\/ folder. 
To find this file, open the \u201cFolder options\u201d menu (via \u201cView\u201d, then \u201cOptions\u201d in Windows File Explorer) and, under the \u201cView\u201d tab, enable the \u201cShow hidden files, folders, and drives\u201d option and disable the \u201cHide protected operating system files\u201d setting.<\/p>\n<h2>How to stay safe?<\/h2>\n<p>If you play Minecraft and use third-party modifications, then probably the first thing you should do is check your PC with <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">reliable antivirus software<\/a>. If scanning detects and deletes the malware, it would be a good idea to change all passwords for online resources you accessed from this computer.<\/p>\n<p>We also advise following the news and refraining from installing new mods for Minecraft until the situation is resolved (and we\u2019re talking not only about mods downloaded directly from the aforementioned sites: it would be wise not to install them via third-party software either). Mods, add-ons and plugins for other games that are distributed in the same way don\u2019t seem to be affected by this attack. However, if the delivery channel is indeed compromised, then it\u2019s possible that attackers will find alternative methods of infection and endanger players of other games as well.<\/p>\n<p>As a general rule, game modifications are developed by enthusiasts and hosted on independent platforms. Therefore, game developers are not responsible for their security and do not guarantee the safety of their use. 
Thus, it\u2019s better to download game mods only to computers with <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">security solutions<\/a> installed.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-gamer\">\n","protected":false},"excerpt":{"rendered":"<p>Minecraft mods downloaded from several popular gaming websites contain dangerous malware. What we know so far.<\/p>\n","protected":false},"author":2698,"featured_media":21220,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[617,533,2378,113],"class_list":{"0":"post-21219","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-gamers","9":"tag-linux","10":"tag-minecraft","11":"tag-windows"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/curseforge-compromised-fractureiser\/21219\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/curseforge-compromised-fractureiser\/25778\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/curseforge-compromised-fractureiser\/28472\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/curseforge-compromised-fractureiser\/26077\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/curseforge-compromised-fractureiser\/26404\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/curseforge-compromised-fractureiser\/28887\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/curseforge-compromised-fractureiser\/35519\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/curseforge-compromised-fractureiser\/48388\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/curseforge-compromised-fractureiser\/20695\/"},{"hreflang":"pt-br",
"url":"https:\/\/www.kaspersky.com.br\/blog\/curseforge-compromised-fractureiser\/21391\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/curseforge-compromised-fractureiser\/30228\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/curseforge-compromised-fractureiser\/26391\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/curseforge-compromised-fractureiser\/32087\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/curseforge-compromised-fractureiser\/31770\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/gamers\/","name":"gamers"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2698"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=21219"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21219\/revisions"}],"predecessor-version":[{"id":21222,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21219\/revisions\/21222"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/21220"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=21219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=21219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=21219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}