New malware called “fractureiser” has been discovered that steals information from Minecraft players. It is being actively distributed through user modifications on the Bukkit and CurseForge platforms. Attackers have already compromised several accounts on these platforms and replaced popular mods and plugins with versions containing malicious code.
The affected modifications listed on CurseForge include Dungeons Arise, Sky Villages, Better Minecraft, Fabulously Optimized, Dungeonz, Skyblock Core, Vault Integrations, AutoBroadcast, Museum Curator Advanced, Vault Integrations Bug Fix, and Create Infernal Expansion Plus. On Bukkit, affected modifications include Display Entity Editor, Haven Elytra, The Nexus Event Custom Entity Editor, Simple Harvesting, MCBounties, Easy Custom Foods, Anti Command Spam Bungeecord Support, Ultimate Leveling, Anti Redstone Crash, Hydration, Fragment Permission Plugin, No VPNS, Ultimate Titles Animations Gradient RGB, and Floating Damage.
The malware hidden in these modifications is capable of stealing cookies, account information, cryptocurrency wallet addresses, and other sensitive information. It can also register itself in Windows startup (autorun) and infect other mods on the user's system to repeat the infection chain. Players who have downloaded mods or plugins from CurseForge or Bukkit over the past three weeks are at risk, although the full scale of the infection is not yet known.
Players who suspect that their system might be infected can check by opening the “%Localappdata%” directory and looking for a folder named “Microsoft Edge”. If the folder is not present, the system is likely not infected. If the folder is present and contains the file “Libwebgl64.jar” or “Lib.jar”, the computer is likely compromised.
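The check described above can be scripted. The following is an added example, not code from the original article or from the fractureiser investigators; the function name and the "inconclusive" verdict for a folder that exists without either jar are assumptions, since the article does not classify that case.

```python
import os
import sys
from pathlib import Path

# Names taken from the article; compared case-insensitively because
# Windows file systems ignore case. Note the space in the folder name:
# the browser's own data lives in "Microsoft\Edge", which is not a match.
SUSPECT_DIR = "microsoft edge"
SUSPECT_FILES = {"libwebgl64.jar", "lib.jar"}


def check_fractureiser(local_appdata):
    """Return (verdict, hits) for the given %LOCALAPPDATA% directory.

    verdict is "likely clean" (no "Microsoft Edge" folder),
    "likely compromised" (folder holds one of the named jars), or
    "inconclusive" (folder exists but neither jar is in it; this
    third state is an assumption of the example).
    """
    base = Path(local_appdata)
    if not base.is_dir():
        raise FileNotFoundError(f"not a directory: {base}")

    # The folder of interest sits directly under %LOCALAPPDATA%.
    folders = [p for p in base.iterdir()
               if p.is_dir() and p.name.lower() == SUSPECT_DIR]
    if not folders:
        return "likely clean", []

    hits = sorted(str(f) for d in folders for f in d.iterdir()
                  if f.is_file() and f.name.lower() in SUSPECT_FILES)
    return ("likely compromised" if hits else "inconclusive"), hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("LOCALAPPDATA")
    if not root:
        sys.exit("usage: check.py <path to %LOCALAPPDATA%>")
    verdict, hits = check_fractureiser(root)
    print(verdict)
    for hit in hits:
        print("  found:", hit)
    # Non-zero exit when the indicator files are present, for scripting.
    sys.exit(1 if hits else 0)
```

Run without arguments on the affected Windows account, or pass the path to another user's local application data directory when checking a mounted disk.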
Players who suspect that they have been infected are advised to completely remove Minecraft from their computer and scan the system with reliable antivirus software, including a check for unexpected entries in Windows startup (autorun), the Task Scheduler, and the registry. They should re-install the game only once they are confident that the computer is clean, and should not use plugins from CurseForge, Bukkit, or other modification sources until official statements confirm that the sites are completely cleaned of harmful code.
For more detailed technical information about “fractureiser,” including how it works and its distribution method, read the Shank report on GitHub or the corresponding discussion on Reddit.