Powered by MOMENTUM MEDIA

Hackers embed ‘incredibly dangerous’ malware in Minecraft modpacks

Hackers have made use of two popular Minecraft modpack installers as vessels for delivering malware to unsuspecting gamers.

Daniel Croft
Thu, 08 Jun 2023

Players downloading and managing mods and modpacks from the CurseForge and Bukkit modpacks are at risk of accidentally installing a worm virus known as Fractureiser.

According to a report from Prism Launcher, attackers gained access to a number of CurseForge and Bukkit accounts, which then allowed them to embed malicious code within mods that had been uploaded to the platforms. These mods were then adopted by larger modpacks and downloaded by unsuspecting users.

“Multiple groups are reporting many CurseForge and Bukkit projects as compromised. Malware has been uploaded to several projects, and it’s now known that the virus is self-replicating and spreading,” said Prism Launcher.


While it is unknown how many people have been affected by the attack, just one of the modpacks, “Better Minecraft”, has been downloaded 4.6 million times.

CurseForge took to Twitter to announce the incident, clarifying that CurseForge itself was not hacked and that the incident was isolated to Minecraft modpacks.

It also said that it has banned all accounts connected to the issue, and that it is currently sifting through relevant files and “deploying more security measures.”

In addition, it has released a Detector Tool that allows users to scan modpacks before running them.

CurseForge has advised users not to uninstall the client, as this could prevent it from installing a fix.

Minecraft modding studio Luna Pixel Studios trialled an infected mod and said that it resulted in a supply chain compromise that spread to its modpacks.

In addition, another modpack developer, Violet Moon, has conducted an investigation into Fractureiser, calling it “INCREDIBLY DANGEROUS”.

According to GitHub researchers, the malware is capable of stealing cookies, stealing Minecraft, Discord and Microsoft account credentials, replacing cryptocurrency wallet addresses cached in the device’s clipboard and self-propagating to all .jar files.

The malware also runs a script on Windows start-up that installs Java if it isn’t installed already, which, in short, allows it to deploy malware updates.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
