# `fractureiser` - What We Know
You can spectate the discussion (read-only) in #cfmalware on EsperNet, [join the webchat](https://webchat.esper.net/?channels=cfmalware) (this will expose your IP). *This is the only official channel run by the same team that wrote this writeup* — we do not have a Discord.
We've dubbed this malware `fractureiser` because that's the name of the CurseForge account that uploaded the most notable malicious files. Other suggested names are `neko.run` and `fractureneko`.
*Pardon our dust*, this is a living document being edited in realtime by multiple people about a developing situation.
**Investigation has slowed down as we believe we've learned all we can with what we have currently.** We have picked apart Stage0 and Stage1, taken down the C&C, and have potential Stage2 and Stage3 files with little interesting info in them. *If you are infected, please give us a copy of the libWebGL64.jar file if you still have it.* You can upload it to https://wormhole.app and email the URL to fractureiser.investigation@protonmail.com
### Do you have VirusTotal Special Privileges (i.e. can download files)? You can help!
A number of samples have been uploaded to VirusTotal that cannot be found anywhere else. Please get in contact if you can get us access to these samples.
# Non-technical overview [READ ME!]
**Notice: Plugins with similar malware have been found as early as mid-April.**
A number of Curseforge and dev.bukkit.org (not the Bukkit software itself) accounts have been compromised, and malicious software was injected into copies of many popular plugins and mods. Some of these malicious copies have been injected into popular modpacks including Better Minecraft. *There are reports of malicious plugin/mod JARs as early as May 22nd.*
**Until further notice, do not use the official Curseforge launcher, or download anything from Curseforge or the Bukkit plugin repository.** While the control server for this malware is currently offline, **any download from Curseforge or the Bukkit plugin repository in the last 2-3 weeks should be treated as potentially malicious**. This malware is unlikely to be detected by Windows Defender or similar antimalware products.
If you have downloaded any mods from Curseforge, or plugins from Bukkit, even through clients such as Prism Launcher or the official Curseforge launcher, it is recommended that you follow the "Am I infected?" guide below.
The affected accounts had two-factor authentication enabled. It's unlikely this is a simple password compromise situation; it may be auth token compromise or something bigger on the CF side. Multiple accounts are affected so we don't believe this is isolated.
Currently, we do not suspect other platforms such as Modrinth to be affected.
### What's at stake?
*If you got infected while the C&C server was still up*, you *may* have had your browser database and Windows credential store dumped. This includes your Windows Microsoft account, vanilla launcher account, and god knows what else. *The jar file that does these things is **unconfirmed** but we believe it is related to this outbreak.*
Right now, the malware is dormant due to the loss of its C&C server and the Stage0 not having a way to get a new server. **We still do not know how the compromise occurred, we are waiting for a response from Curseforge.**
### Am I infected?
You can check whether the malware ever ran on your computer, since Stage 1 attempts to create files at several unusual paths:
* **Linux**: `~/.config/.data/lib.jar`
* **Windows**: `%LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar` (or `~\AppData\Local\Microsoft Edge\libWebGL64.jar`)
* Make sure to show hidden files when checking
* Yes, "Microsoft Edge" with a space
* Also check the registry for an unfamiliar entry under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` (one that launches a jar from the path above)
* Or a shortcut in `%appdata%\Microsoft\Windows\Start Menu\Programs\Startup`
* **All other OSes**: Unaffected. The malware is hardcoded for Windows and Linux only. It is possible it will receive an update adding payloads for other OSes in the future.
There are scripts available [here](https://prismlauncher.org/news/cf-compromised-alert/) which will help you check whether these files exist.
Before downloading Stage 2, Stage 1 creates the enclosing directory if it does not exist. Windows/MS Edge does not use the "Microsoft Edge"-with-a-space directory, and Linux software does not use `~/.config/.data`, so the existence of these folders (even without a jar inside) is a likely sign that Stage 1 has executed on a victim computer.
If Stage2 successfully downloads, it will attempt to make itself start on boot by modifying the Windows registry, or dropping a systemd unit into `/etc/systemd`. (The Linux side of this payload is unlikely to work as it requires root privileges.)
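The checks above, written out as a small read-only script. This is an added example and is not one of the scripts linked from the Prism Launcher post; the drop paths, the Startup folder and the Run key are the ones listed in this section, while the terms it matches against Run entries and `.lnk` files (the jar name and the `\Microsoft Edge\` path segment) are an assumption about what a launcher entry for the jar would contain. The `demo()` function runs the checks against a constructed profile in a temporary directory so the logic can be exercised on any OS.

```python
"""Look for the Stage 1 drop locations and persistence points listed above.

Added example, not one of the scripts linked in the writeup. It only reads
and reports; it changes nothing. The match terms for Run entries and .lnk
files are an assumption, not something observed in a sample.
"""
import os
import sys
import tempfile
from pathlib import Path

LINUX_DIR = Path(".config/.data")
LINUX_JAR = LINUX_DIR / "lib.jar"
WINDOWS_DIR = Path("Microsoft Edge")          # note the space; Edge itself does not use this
WINDOWS_JAR = WINDOWS_DIR / "libWebGL64.jar"
STARTUP_DIR = Path("Microsoft/Windows/Start Menu/Programs/Startup")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_TERMS = ("libwebgl64.jar", "\\microsoft edge\\")   # assumption, see docstring


def check_linux(home: Path) -> list[str]:
    """Report the Linux drop directory and jar if present under `home`."""
    found = []
    if (home / LINUX_DIR).is_dir():
        found.append(f"drop directory exists: {home / LINUX_DIR}")
    if (home / LINUX_JAR).is_file():
        found.append(f"Stage 1 jar exists: {home / LINUX_JAR}")
    return found


def lnk_mentions_jar(data: bytes) -> bool:
    """Crude .lnk check: the target path is stored as ASCII or UTF-16LE."""
    hay = data.lower()                      # bytes.lower() only touches ASCII letters
    needle = b"libwebgl64.jar"
    return needle in hay or needle.decode().encode("utf-16-le") in hay


def check_windows_files(localappdata: Path, appdata: Path) -> list[str]:
    """Report the Windows drop directory, the jar, and Startup shortcuts to it."""
    found = []
    if (localappdata / WINDOWS_DIR).is_dir():
        found.append(f"drop directory exists: {localappdata / WINDOWS_DIR}")
    if (localappdata / WINDOWS_JAR).is_file():
        found.append(f"Stage 1 jar exists: {localappdata / WINDOWS_JAR}")
    startup = appdata / STARTUP_DIR
    if startup.is_dir():
        for lnk in startup.glob("*.lnk"):
            if lnk_mentions_jar(lnk.read_bytes()):
                found.append(f"Startup shortcut references the jar: {lnk}")
    return found


def suspicious_run_entries(entries) -> list[str]:
    """Filter (name, value) pairs from the Run key for references to the jar."""
    return [f"Run entry {name!r} -> {value}" for name, value in entries
            if any(term in str(value).lower() for term in SUSPECT_TERMS)]


def read_run_key() -> list[tuple[str, str]]:
    """Enumerate the values of HKCU\\...\\Run (Windows only)."""
    import winreg  # only importable on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:          # index past the last value
                break
            entries.append((name, str(value)))
            i += 1
    return entries


def demo() -> list[str]:
    """Run the checks against a constructed profile in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / LINUX_DIR).mkdir(parents=True)            # constructed artifacts
        (root / LINUX_JAR).write_bytes(b"PK\x03\x04")
        (root / WINDOWS_DIR).mkdir()                      # directory only: still reported
        (root / STARTUP_DIR).mkdir(parents=True)
        target = r"C:\Users\x\AppData\Local\Microsoft Edge\libWebGL64.jar"
        (root / STARTUP_DIR / "Edge.lnk").write_bytes(b"L\x00\x00\x00" + target.encode("utf-16-le"))
        findings = check_linux(root) + check_windows_files(root, root)
    findings += suspicious_run_entries([          # constructed Run key contents
        ("OneDrive", r"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
        ("Edge", f'javaw.exe -jar "{target}"'),
    ])
    return findings


if __name__ == "__main__":
    if sys.platform.startswith("win"):
        hits = check_windows_files(Path(os.environ["LOCALAPPDATA"]), Path(os.environ["APPDATA"]))
        hits += suspicious_run_entries(read_run_key())
    else:
        hits = check_linux(Path.home())
    print("\n".join(hits) if hits else "no Stage 1 artifacts found")
```

Run it as the affected user, not as an administrator, since both the drop paths and the Run key are per-user. A hit on the directory alone is worth reporting: if Stage 2 was never fetched, the empty "Microsoft Edge" or `.data` folder may be the only trace left.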
### Given a jar file, how do I know if it's safe?
There are various heuristics you can use to determine whether a jar is infected with Stage 0.
Emi's shell script [here](https://gist.github.com/emilyploszaj/a9693c4f3de5ec9fbc255c51ff3ca47e) simply checks for all usages of `ClassLoader`, which is uncommon in mod code. This can lead to both false positives and false negatives.
Sylv's shell script [here](https://pastebin.com/T6aQ7C2E) does a bit more fingerprint matching for the malware, and should be more precise.
However, as a non-technical user your best course of action is to check whether your system was affected using the above steps, remove all mods downloaded in the last several weeks, and refrain from downloading from CurseForge or dev.bukkit.org until further notice.
### Timeline
----
*2023-06-07 5:27 UTC*
We've discovered a potential Stage 3 file; it is heavily obfuscated and contains a native payload DLL that attempts to steal credentials from the Windows credentials store.
----
*2023-06-07 4:57 UTC*
Files uploaded in April have been discovered; either the dates are being spoofed, or this has been going on even longer. Many of the accounts have Last Active times in 1999 — likely a quirk with old CurseForge accounts, but still notable.
Modrinth staff are investigating if any uploads on there are compromised. A quick pass they did through recently updated projects looked OK.
----
*2023-06-07 4:40 UTC*
The scope of this compromise seems larger than initially realized. The malicious files go back multiple weeks, as early as May 20th. We only noticed today because they compromised a popular modpack.
----
*2023-06-07 3:38 UTC*
The C&C server has been taken down by the server provider. A new one will likely come up if the Cloudflare page stays up; we're monitoring it.
----
*2023-06-07 3:26 UTC*
We were sent a possible Stage 2 jar by an anonymous user who claims to work at a server host.
----
*2023-06-07 2:26 UTC*
The #cfmalware EsperNet channel is created to coordinate discussion that had been happening in multiple Discord guilds and Matrix spaces.
----
*2023-06-07 0:40 UTC*
The team behind this document learns of the malicious files included in an unauthorized update to Better Minecraft.
----
# Technical info
## Distribution
Some modpacks have had updates published for them without the knowledge of the authors, adding a dependency on malicious mods. These modpack updates were archived immediately after uploading, meaning they *do not show on the web UI, only via the API.*
We cannot tell if the malicious mods were always malicious, or if they got edited. They have upload dates multiple weeks in the past. A CDN compromise or cache poisoning attack is not out of the question, since Curse verifies downloads with MD5, which has long been broken for collision resistance.
## Known affected mods & plugins
*At this point, we have enough samples to know this is quite widespread.* Documenting more is likely a waste of time. Just consider all mods and plugins downloaded from CurseForge and BukkitDev to be compromised.
|mod/plugin|link|SHA1 (unless noted)|"Uploader"|
|---|---|---|---|
|Skyblock Core|[www.curseforge.com]/minecraft/mc-mods/skyblock-core/files/4570565|`33677CA0E4C565B1F34BAA74A79C09A3B690BF41`|Luna Pixel Studios|
|Dungeonz|[legacy.curseforge.com]/minecraft/mc-mods/dungeonx/files/4551100|`2DB855A7F40C015F8C9CA7CBAB69E1F1AAFA210B`|fractureiser|
|Haven Elytra|[dev.bukkit.org]/projects/havenelytra/files/4551105 and [legacy.curseforge.com]/minecraft/bukkit-plugins/havenelytra/files/4551105|`284A4449E58868036B2BAFDFB5A210FD0480EF4A`|fractureiser|
|Vault Integrations Bug fix|[www.curseforge.com]/minecraft/mc-mods/vault-integrations-bug-fix/files/4557590|`0C6576BDC6D1B92D581C18F3A150905AD97FA080`|simpleharvesting82 / simplyharvesting82|
|AutoBroadcast|[www.curseforge.com]/minecraft/mc-mods/autobroadcast/files/4567257|`C55C3E9D6A4355F36B0710AB189D5131A290DF26`|shyandlostboy81|
|Museum Curator Advanced|[www.curseforge.com]/minecraft/mc-mods/museum-curator-advanced/files/4553353|`32536577D5BB074ABD493AD98DC12CCC86F30172`|racefd16|
|Floating Damage|[dev.bukkit.org]/projects/floating-damage|`1d1aaccdc13244e980c0c024610ecc77ea2674a33a52129edf1bb4ce3b2cc2fc` (SHA-256, 64 hex digits)|mamavergas3001|
|Display Entity Editor|[www.curseforge.com]/minecraft/bukkit-plugins/display-entity-editor/files/4570122|`A4B6385D1140C111549D95EAB25CB51922EEFBA2`|santa_faust_2120|
Darkhax sent this: https://gist.github.com/Darkhax/d7f6d1b5bfb51c3c74d3bd1609cab51f
Potentially more: Sophisticated Core, Dramatic Doors, Moonlight lib, Union lib.
## Stage 0 (Mod jars)
Affected mods have a new `static void` method inserted into their main class, and a call to this method is inserted into that class's static initializer. For DungeonZ, the method is named `_d1385bd3c36f464882460aa4f0484c53` and exists in `net.dungeonz.DungeonzMain`. For Skyblock Core, the method is named `_f7dba6a3a72049a78a308a774a847180` and is inserted into `com.bmc.coremod.BMCSkyblockCore`. For HavenElytra, the code is inserted directly into the otherwise-unused static initializer of `valorless.havenelytra.HavenElytra`.
The method's code is lightly obfuscated, using `new String(new byte[]{...})` instead of string literals, so the URL below never appears as a plain string constant. It does the following:
* Create a `URLClassLoader` with the URL `http://[85.217.144.130:8080]/dl`
* Load classes from that jar
* Call `Utility.run` with a String argument, different for each infected mod (!)
* Skyblock Core: "`-74.-10.78.-106.12`"
* Dungeonz: "`114.-18.38.108.-100`"
* HavenElytra: "`-114.-18.38.108.-100`"
* Vault Integrations: "`-114.-18.38.108.-100`"
The numerals above do not appear to encode a readable string, at least not in a common encoding.
The creation of the classloader is hardcoded to that URL and does not use the Cloudflare URL that Stage 1 does. As that IP is now offline, this means the Stage 0 payloads *we are presently aware of* no longer function.
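A scanner built on the two fingerprints this section and the "Given a jar file" section describe: a constant-pool reference to `java/net/URLClassLoader` (the weak `ClassLoader` signal Emi's script keys on) and, as a stronger signal, a name of the form `_<32 hex digits>` like the injected methods in DungeonZ and Skyblock Core. This is an added example, not Emi's or Sylv's script and not derived from a sample; the constant-pool parser follows the JVM class file format, and the sample jar is constructed in memory with just enough structure for that parser, it is not a real mod. Note that the HavenElytra variant (code injected straight into `<clinit>`, no helper method) only trips the weak signal, which is why the scanner reports both.

```python
"""Flag classes carrying the Stage 0 fingerprint described above.

Added example; it is not Emi's or Sylv's script. It reads the constant pool
of every .class in a jar and reports classes that reference
java/net/URLClassLoader and, more strongly, classes that also contain a
name of the form `_<32 hex digits>`. The sample jar is constructed here
and is not a real mod.
"""
import io
import re
import struct
import zipfile

# Byte widths of the fixed-size constant pool entries, by tag (JVMS 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
INJECTED_NAME = re.compile(r"^_[0-9a-f]{32}$")   # e.g. _d1385bd3c36f464882460aa4f0484c53
LOADER = "java/net/URLClassLoader"


def constant_pool_utf8(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry of a class file, in order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count
    pos, index, out = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack_from(">H", data, pos)[0]
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        index += 2 if tag in (5, 6) else 1           # long/double occupy two slots
    return out


def indicators(class_bytes: bytes) -> list[str]:
    """Stage 0 indicators present in one class, weakest first."""
    names = constant_pool_utf8(class_bytes)
    found = []
    if LOADER in names:
        found.append("references URLClassLoader")
    found += [f"injected-style method name {n}" for n in names if INJECTED_NAME.match(n)]
    return found


def scan_jar(jar_bytes: bytes) -> dict[str, list[str]]:
    """Map each .class entry with at least one indicator to its indicators."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                found = indicators(jar.read(name))
                if found:
                    hits[name] = found
    return hits


# ---- constructed sample jar (not a real mod) ------------------------------

def fake_class(strings: list[str]) -> bytes:
    """Minimal class file whose constant pool holds only Utf8 entries."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(strings) + 1)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes.
    # The scanner never resolves the indices, so they need not point at CONSTANT_Class entries.
    return header + pool + struct.pack(">HHHHHHH", 0x21, 1, 2, 0, 0, 0, 0)


def sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Clean.class", fake_class(
            ["com/example/Clean", "java/lang/Object", "<clinit>", "()V"]))
        jar.writestr("net/dungeonz/DungeonzMain.class", fake_class(
            ["net/dungeonz/DungeonzMain", "java/lang/Object", "<clinit>", "()V",
             "_d1385bd3c36f464882460aa4f0484c53", LOADER]))
    return buf.getvalue()


if __name__ == "__main__":
    for cls, found in scan_jar(sample_jar()).items():
        print(f"{cls}: {'; '.join(found)}")
```

Point `scan_jar` at `open("mod.jar", "rb").read()` for a real file. Because the loader URL is assembled from a byte array at runtime, grepping the jar for the IP will miss it; the class reference and the method name are in the constant pool regardless, which is what makes them usable fingerprints. Expect some legitimate hits on the weak signal (coremods and plugin frameworks do use class loaders), so treat it as a triage list, not a verdict.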
## Stage 1 (dl.jar)
SHA-1: `dc43c4685c3f47808ac207d1667cc1eb915b2d82`
[Decompiled copy of `Utility` from the malware](https://pastebin.com/k2ZQKbEz).
The very first thing `Utility.run` does is check if the system property `neko.run` is set. If it is, it will *immediately stop executing*. If not, it sets it to the empty string and continues. This appears to be a very simplistic way of avoiding the same process running the malware multiple times, such as when a game has loaded several infected mods.
It attempts to contact `85.217.144.130`, and a Cloudflare Pages domain (`https://[files-8ie.pages.dev]/ip`). Yes, people have already reported abuse. The Pages domain is used to retrieve the IP of the C&C server if the hardcoded IP no longer responds. The `/ip` endpoint returns the address as a hex string; at the time of writing it returns `55D99082`, which decodes to `85.217.144.130`, the same as the hardcoded IP.
* The domain `nekoservice[.]tcp64[.]de` has been seen pointing at this IP ([AlienVault OTX](https://otx.alienvault.com/indicator/ip/85.217.144.130)).
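Two small decoders for the encodings quoted in these notes: the dotted signed-byte argument Stage 0 passes to `Utility.run`, and the hex string the `/ip` endpoint returns. This is an added example, not code from the writeup or from the malware; the argument strings and the `55D99082` value are the ones quoted in this document, and nothing here touches the network. The printability check tests the decoded bytes as ASCII and as UTF-8, which covers the "common encoding" remark above.

```python
"""Decode the dotted signed-byte Stage 0 arguments and the /ip hex string.

Added example, not from the writeup. Java byte literals are signed, so the
argument "-74.-10.78.-106.12" is a 5-byte value; the /ip response is the
IPv4 address as 8 hex digits, most significant octet first.
"""

STAGE0_ARGS = {                      # values quoted in the Stage 0 section
    "Skyblock Core": "-74.-10.78.-106.12",
    "Dungeonz": "114.-18.38.108.-100",
    "HavenElytra": "-114.-18.38.108.-100",
    "Vault Integrations": "-114.-18.38.108.-100",
}


def signed_bytes(arg: str) -> bytes:
    """Map each Java byte (-128..127) to an unsigned byte (0..255)."""
    values = [int(x) for x in arg.split(".")]
    if any(v < -128 or v > 127 for v in values):
        raise ValueError("not a Java byte value")
    return bytes(v & 0xFF for v in values)


def describe(arg: str) -> dict:
    """Hex form plus whether the bytes could be ASCII or UTF-8 text."""
    raw = signed_bytes(arg)
    try:
        raw.decode("utf-8")
        valid_utf8 = True
    except UnicodeDecodeError:
        valid_utf8 = False
    return {
        "hex": raw.hex(),
        "ascii_printable": all(0x20 <= b < 0x7F for b in raw),
        "valid_utf8": valid_utf8,
    }


def hex_ip(text: str) -> str:
    """'55D99082' -> '85.217.144.130'."""
    raw = bytes.fromhex(text.strip())
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes")
    return ".".join(str(b) for b in raw)


if __name__ == "__main__":
    for mod, arg in STAGE0_ARGS.items():
        print(f"{mod:20} {arg:24} {describe(arg)}")
    print("/ip ->", hex_ip("55D99082"))
```

Run stand-alone it shows that none of the four arguments is printable ASCII or even valid UTF-8, and that the Dungeonz and HavenElytra values differ only in the first byte (`0x72` versus `0x8E`, the negation of the same literal), which is consistent with a per-mod tag rather than an encoded string.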
**UPDATE**: *The hardcoded IP has been nullrouted after an abuse report to the server provider. We will need to keep an eye on the Cloudflare page to see if a new C&C server is stood up, I can't imagine they didn't plan for this.* Thank you Serverion for your prompt response.
It attempts to create the paths listed above, and *will attempt to do so on Linux too*. Through these paths it hopes to establish persistence so that when `Stage 2` is/was ready, it could be downloaded there and run. Rumor has it there's a way for it to escalate privileges, but that seems unlikely and is unconfirmed. It is likely trying to compromise misconfigured systems.
Compromised mods have a static initializer block in their main class that bootstraps this stage. This isn't some off-the-shelf malware that's been uploaded to Curse (that's been done before, and isn't useful because mod loaders don't run a JAR's Main-Class), it's actual malicious versions of mods with code injected, potentially automatically.
## Stage 2 (unconfirmed "lib.jar" or "libWebGL64.jar")
Stage 1 connects to port 8083 on the C&C server (`85.217.144.130`) and sends the host's IP as a knock, and every time we've attempted to get the payload there's no response. This could indicate a few things:
1. Stage 2 does not exist yet, and it will be dropped at a later date precisely to frustrate this kind of effort. ~~Existing sockets will get the payload streamed to them and it will get run.~~ Now that the first C&C is down, this can't happen.
2. Stage 2 already existed, and the server was taken offline to prevent reverse engineering.
3. This is a targeted attack, and only certain IPs will get the payload sent to them.
We have no way to know which of these is true.
### Unconfirmed lib.jar ("Neko Client") findings
*Someone who works at a hosting company has sent us a lib.jar (Stage 2) that seems legit. Reverse engineering is ongoing.*
Partial reverse engineering of lib.jar (unmangled with https://github.com/java-deobfuscator/deobfuscator) gives https://gist.github.com/jaskarth/51196424dc0637cad8e7f275497b8da8 (**Note**: The decompiled obfuscated malicious code is very likely to be incomplete. This is useful for a broad overview of what the code may be doing, but isn't representative of its full capabilities.)
References something called "Neko Client", which might be a botnet.
Deobfuscated strings:
* (an Allatori demo watermark, identical to the one in the zip comment)
* dev.neko.nekoclient.Client (is used in a Class.forName)
* start (appears to be a method name, used for reflection)
## Stage 3 (unconfirmed "client.jar")
The `client (2).jar` we have our hands on is malformed (seemingly truncated), but can be "fixed" as follows: `zip -FF client.jar --out clientfixed.jar` then decompiled.
It appears to contain a native payload `hook.dll`, decompiled: https://gist.githubusercontent.com/NotNite/79ab1e5501e1ef109e8030059356b1b8/raw/c2102bf5ff74275ac44c2200d5121bfff652fd49/hook.dll.c
From preliminary analysis, it appears to be attempting to steal Microsoft account credentials from the Windows credential store.
Two exported functions follow the JNI naming convention (`Java_<package>_<class>_<method>`), so they are meant to be called from Java:
* `__int64 __fastcall Java_dev_neko_nekoclient_api_windows_WindowsHook_retrieveClipboardFiles(__int64 a1);`
* `__int64 __fastcall Java_dev_neko_nekoclient_api_windows_WindowsHook_retrieveMSACredentials(__int64 a1);`
## Other Stuff
The main payload server ~~is~~ *was* (got taken down) hosted on Serverion, a company based in the Netherlands.
Other than an HTTP server on port 80/443 and an SSH server on port 22 (don't try to attack this; attacking SSH is a fool's errand), the following ports were open on `85.217.144.130`:
* 1337
* 1338 (referenced in Stage 1 for creating a new debugger connection)
* 8081 (this is a WebSocket server - no apparent function right now, not referenced in any malicious code)
* 8082 (nobody's gotten anything out of this one, not referenced in any malicious code)
* 8083 (contacted by stage 1)
Curiously, fractureiser's bukkit page says "Last active Sat, Jan, 1 2000 00:00:00" https://dev.bukkit.org/members/fractureiser/projects/