Fractureiser
This article may be unbalanced towards certain viewpoints. |
Fractureiser Logo | |
| Infection vector | Minecraft mods (.jar) |
|---|---|
| Author(s) | Fractureiser |
| Operating system(s) affected | Windows |
Fractureiser is a self-updating computer virus that broadly targets Java programs with a focus on Minecraft modifications. The virus was named after the user that uploaded the initial malicious mods and plugins to websites CurseForge and CraftBukkit.
Delivery and infection
Fractureiser is spread through .jar files. When an infected file is executed, the virus embeds itself onto all .jar files on the host's system. When these JAR files are unknowingly distributed, downloaded, and executed on another machine, that machine will be infected.
Payload
Fractureiser runs in three stages, each stage downloading and running the next:
- Stage 0: This is used to refer to the malicious code embedded into .jar files.
- Stage 1: Whenever an infected mod file is executed, a separate file named "dl.jar" is saved to memory and executed. The first thing Stage 1 checks for is if a property named "neko.run" is present on the system. If so, the virus will not run. If not, the virus will create this property in order to prevent it from running multiple times.
- Stage 2: Whenever dl.jar is executed, another file named "libWebGL64.jar" is downloaded. The file is saved in the "Microsoft Edge" folder of the machine's local app data. However, this is a different folder from the legitimate "MicrosoftEdge" folder. The computer's operating system is told to execute Stage 2 upon startup.
- Stage 3: Whenever libWebGL64.jar is executed, the final file named "client.jar" is downloaded and executed. This is the payload of the virus, and upon execution, embeds Fractureiser into all .jar files found on the system, substitutes any cryptocurrency wallets in the clipboard with one owned by the attacker, and steals login details, including any passwords saved to the browser, Discord authentication tokens, and Microsoft login details.
Prevention
Detector Tool of CurseForge
Exactly on June 7, 2023, CurseForge shared a Detector Tool for checking the malware on the systems for users whose systems are affected or have doubts about downloaded or updated Files.[1]
As the Detector shows the malware[citation needed], there is a folder called "Microsoft Edge" (the real folder name of Microsoft Edge is "MicrosoftEdge")[citation needed] on the Local folder of the System which contains malware.[2]
The Fractureiser Mitigation Team Meeting
On June 8, 2023, the Fractureiser Mitigation Team held a Meeting to "Discuss preventive measures and solutions for future problems of Malware".[3] Some of the most important topics the Team discussed are: [4]
- Current Investigation Status
- "We have a good idea how Fractureiser works, from Stages 0 to 3. There are certain unknowns, but the attack servers are offline, and to our knowledge, new infections are not possible. Old infections may still be active."
- Reproducible Builds
- Mods Downloading External Files
- "Mods that download external files which contain executable code are vulnerable to a supply chain attack."
- Code Signing
- "Binary artifacts released to mod repos should be signed by their author."
- Sandboxing
- "Sandboxing the Minecraft process is another defense strategy that can be used to limit the blast radius of attacks coming from malicious mod code."
Behavior
Summary of Fractureiser Mitigation Meeting
Fractureiser is a novel self-replicating virus that infects Bukkit plugins, Forge Mods, Fabric Mods, and vanilla Minecraft jars. Infected jars, upon being loaded, will run as normal, but silently download a series of payloads that steal login tokens, stored browser passwords/payment information, and cryptocurrency. After a computer has been infected, every applicable jar file on the compromised system will be infected such that if they are shared and run on another computer, the infection will spread. Compromised Curseforge login tokens were used to gain access to large mod projects and distribute infected jars to users.[4]
Stage-3
The Stage-3 of this Malware is capable of stealing information including Passwords, payment info, and Cookies and is also capable of stealing Microsoft Minecraft accounts and more information saved on Browser applications which makes increase Fractureiser virality. Also, Stage-3 is capable of spreading stage-zero to every JAR file in the System to perpetrate and grow itself with special logic to target Minecraft Mods and Plugins additionally.[5]
References
- ↑ "Discord - A New Way to Chat with Friends & Communities". Discord.
- ↑ "June 2023 - Infected mods detection tool". CurseForge Support.
- ↑ "fractureiser-investigation/fractureiser". July 3, 2023 – via GitHub.
- ↑ 4.0 4.1 "Fractureiser Mitigation Meeting 2023-06-08". July 3, 2023 – via GitHub.
- ↑ "Fractureiser Mitigation Meeting June 8th, 2023" – via www.youtube.com.
This article "Fractureiser" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Fractureiser. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.
