You may not think that private Minecraft servers are a huge target in the cyber security space, but the Microsoft Defender for IoT team has laid bare the operational details of a cross-platform botnet designed to attack such servers.
You may not care about Minecraft, but you probably care about threat actors using your infrastructure for their needs. Regardless of the target, the analysis reveals important details on how such botnets propagate across platforms, and how to combat them.
The MCCrash Minecraft DDoS botnet (tracked by Microsoft as DEV-1028) propagates by trying default credentials against internet-exposed SSH-enabled devices, which makes remotely administered, poorly secured IoT devices particularly vulnerable. Microsoft considers DEV-1028 a "unique threat" because, while it can be cleanly removed from an infected PC, it can persist on unmanaged IoT devices, where it continues to operate as part of the larger botnet.
The botnet can infect both Windows and Linux-based machines. Most of the infected devices are in Russia, with others spread sparsely around Central America, India, Asia, Europe, and Africa.
Initial infection is via malicious cracking tools that purport to obtain Windows licences. This software contains additional code that downloads a fake svchost.exe or svchosts.exe via a PowerShell command.
That executable then launches a Python script called malicious.py, the main payload of the botnet. It scans for SSH-enabled Linux devices, including Raspbian (the OS common on remotely administered Raspberry Pi boards), and runs a dictionary attack against them.
When a device accepts one of the guessed credentials, the script downloads Updater.zip from repo[.]ark—event[.]net onto it, which in turn creates a file called fuse. That file downloads another copy of malicious.py, and the cycle starts over on the newly infected host.
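Seen from the defender's side, the propagation step above leaves a recognisable trace on every SSH host it touches: a burst of failed password logins across several usernames from one source, sometimes followed by a success. The following added example is my own illustration, not code from Microsoft's report or from the botnet; it parses a few constructed OpenSSH auth.log lines (not real telemetry) and flags that pattern, reporting whether the spray ended in an accepted login. The thresholds (five failures across at least three usernames within sixty seconds) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format (not real telemetry).
# 203.0.113.7 sprays five usernames in six seconds and then gets in as "pi";
# 198.51.100.20 is an ordinary key-based login plus one failed password.
SAMPLE_AUTH_LOG = """\
Dec 15 10:00:01 pi sshd[1201]: Failed password for pi from 203.0.113.7 port 51234 ssh2
Dec 15 10:00:02 pi sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Dec 15 10:00:03 pi sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Dec 15 10:00:04 pi sshd[1204]: Failed password for invalid user ubuntu from 203.0.113.7 port 51237 ssh2
Dec 15 10:00:06 pi sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Dec 15 10:00:09 pi sshd[1206]: Accepted password for pi from 203.0.113.7 port 51240 ssh2
Dec 15 10:00:11 pi sshd[1207]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Dec 15 10:05:30 pi sshd[1208]: Failed password for pi from 198.51.100.20 port 40001 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return a list of auth events (ts, result, method, user, ip) from auth.log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection-closed, banner and other lines are ignored here
        # syslog timestamps carry no year; strptime fills 1900, fine for ordering within a day
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_dictionary_attacks(events, window_seconds=60, min_failures=5, min_users=3):
    """Flag source IPs with >= min_failures failed logins spanning >= min_users
    usernames inside a sliding window, and note any later accepted login."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        hit = None
        start = 0
        for end in range(len(failures)):
            # shrink the window from the left until it spans <= window_seconds
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = failures[start:end + 1]
            users = {e["user"] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                hit = (window, users)
                break
        if hit is None:
            continue
        window, users = hit
        last_failure = window[-1]["ts"]
        # a success after the spray means the guess worked: treat the host as compromised
        successes = [(e["user"], e["method"]) for e in evs
                     if e["result"] == "Accepted" and e["ts"] > last_failure]
        findings.append({
            "ip": ip,
            "failures": len(window),
            "users": sorted(users),
            "first_failure": window[0]["ts"].strftime("%H:%M:%S"),
            "success_after": successes,
        })
    return findings


if __name__ == "__main__":
    for f in detect_dictionary_attacks(parse_auth_log(SAMPLE_AUTH_LOG)):
        verdict = "COMPROMISED" if f["success_after"] else "attempted"
        print(f"{f['ip']}: {f['failures']} failures across {f['users']} "
              f"from {f['first_failure']} -> {verdict} {f['success_after']}")
```

Two caveats when running this against real logs: syslog timestamps have no year, so windows that cross midnight or New Year need the year supplied from the file's mtime or journald instead of the 1900 default, and a spray that is rejected by fail2ban or a password-auth-disabled sshd shows up as "Invalid user" or "Connection closed by authenticating user" lines that this regex deliberately ignores, so the counts here are a floor, not the full attempt volume.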
The botnet as a whole then targets private Minecraft servers using a combination of DDoS and Minecraft commands.
Curiously, while the botnet can target Minecraft versions between 1.7.2 and 1.18.2, it seems to have been specifically coded to attack version 1.12.2. The majority of servers that could be affected are in the United States, but countries throughout the world are at risk.
Microsoft recommends that businesses make sure employees are not installing cracking software on their devices, prevent users and applications from reaching malicious domains, enforce multi-factor authentication, and harden the exposed devices themselves. For the SSH-exposed IoT devices this botnet lives on, that last point means at minimum changing the default credentials it guesses against, and preferably disabling SSH password authentication in favour of keys, since a dictionary attack has nothing to guess once passwords are not accepted.
Microsoft's security blog post on the botnet covers its capabilities, and how to detect it, in more detail.