Skip to content

Information about the fractureiser malware

Notifications You must be signed in to change notification settings

D3SL/fractureiser

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 

Repository files navigation

Modded Minecraft Malware "fractureiser"

What?

fractureiser is a Worm Virus found in several Minecraft projects uploaded to CurseForge and CraftBukkit's dev website. The malware is embedded in multiple mods, some of which were added to highly popular modpacks.

If left unchecked, fractureiser can be INCREDIBLY DANGEROUS to your machine. Please read through this document for the info you need to keep yourself safe.

We've dubbed this malware fractureiser because that's the name of the CurseForge account that uploaded the most notable malicious files.
Pardon our dust, this is a living document being edited by multiple people about a developing situation. Some sections may be messy.

What YOU need to know

If you're simply a mod player and not a developer, the above link is all you need. It contains surface level information of the malware's effects, steps to check if you have it and how to remove it, and a FAQ.

Anyone who wishes to dig deeper may also look at

Current Investigation Status

We have a good idea how fractureiser works, from stages 0 to 3. There are certain unknowns, but stage 0 bootstrapping was quickly nipped and tomorrow we'll be moving our focus to mitigation.

Work has begun on a detector for infected stage0 mods: https://github.com/MCRcortex/nekodetector and arranging for this detector to be run on Modrinth.

The threat actors attempted to bring up a new server IP. In the process, they accidentally uploaded an unobfuscated version of Stage 3. This allowed us to further understand the malware and what it does.

As of the time of writing this new control IP has been taking offline by its hosting provider

Additional Info

If you have files relevant to this malware, please upload them to https://wormhole.app and email the URL to [email protected] — this inbox is controlled by xylemlandmark, and anything sent to it will be shared with the rest of the team. If you need to get in touch more generally, please send mail to [email protected].

If you copy portions of this document elsewhere, please put a prominent link back to this GitHub Repository somewhere near the top so that people can read the latest updates and get in contact.

The only official public channel you may join without being personally invited that's run by the same team that wrote this writeup is #cfmalware on EsperNet IRC. You may join the channel if you wish, but due to an influx of new users we've set the channel +m, you will need permission to speak. Joining an IRC channel will expose your IP address.

IRC logs: TODO


- the fractureiser Mitigation Team

About

Information about the fractureiser malware

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Java 100.0%