The gaming community is actively discussing news about malware dubbed fractureiser, found in mods for Minecraft. It was downloaded from CurseForge and dev.bukkit.org. Gamers are advised not to download new .jar files from those sites. Anyone who did recently should check their computers with antimalware solutions. The malware affects players of Windows and Linux game versions (looks like users of other OSs are safe).
How malware got into mods
According to the initial hypothesis, unknown cybercriminals compromised mod developers’ accounts on CurseForge.com and dev.bukkit.org. This allowed them to place their malicious code into several mods.
However, Prism Launcher developers suspect that someone may have exploited an unknown vulnerability in the Overwolf platform. They also posted a list of the mods known to be infected with fractureiser.
What is fractureiser malware and what does it do?
Enthusiasts report that after the compromised mod is installed and the game launched, malicious code downloads and executes additional payload from the remote server. This payload begins to create folders and scripts, and makes changes to the system registry in order to run malware after a reboot.
Independent researchers state that, in the final stage of the attack, the malware tries to spread the infection to all .jar files on the computer (supposedly trying to reach all previously downloaded mods). This malware can also steal cookie files and credentials stored in browsers. Furthermore, it’s capable of switching cryptowallet addresses on the clipboard.
Fractureiser infection signs
Reddit discussion concluded that the presence of the libWebGL64.jar file may be considered a definite sign of infection. The malware creates this file in the %LOCALAPPDATA%/Microsoft Edge/ or /AppData/Local/Microsoft Edge/ folder. To find this file you need to go to the “Folder options” menu (via “View”, then “Options” in Windows File Explorer), and enable the “Show hidden files, folders, and drives” option and disable “Hide protected operating system files” setting under the “View” tab.
How to stay safe?
If you play Minecraft and use third-party modifications, then probably the first thing you should do is check your PC with a reliable antivirus software. If scanning detects and deletes the malware, it would be a good idea to change all passwords to online resources you accessed from this computer.
Also, we would advise to follow the news and refrain from installing new mods for Minecraft until the situation is resolved (and we’re talking not only about mods downloaded directly from the aforementioned sites: it would be wise not to install them via third-party software either). Mods, add-ons and plugins for other games that are distributed in the same way don’t seem to be affected by this attack. However, if the delivery channel is indeed compromised, then it’s possible that attackers will find alternative methods of infection and endanger players of other games as well.
As a general rule, game modifications are developed by enthusiasts and hosted on independent platforms. Therefore, game developers are not responsible for their security and do not guarantee the safety of their use. This, it’s better to download game mods only to computers with security solutions installed.