
Fractureiser Malware

Cybersecurity researchers have encountered a malware threat targeting the gaming community. The malware is tracked as Fractureiser and has been found inside mods for the highly popular video game Minecraft. Mods carrying Fractureiser have been identified on popular platforms such as CurseForge and dev.bukkit.org. As a precautionary measure, gamers are strongly advised against downloading any new .jar files from these websites. It is crucial to exercise caution and prioritize the safety and security of gaming systems by refraining from installing potentially infected mods.

The Fractureiser Malware is a Multi-Stage Threat

Several innocent-looking malicious mods and plugins were initially uploaded by the malware's creator to the mod hosting website CurseForge and the plugin hub dev.bukkit.org. The malware goes through multiple stages in a sequential process, where each stage is responsible for downloading and executing the next one. Currently, there are three identified stages, with the infected Minecraft mod files acting as a starting stage 0 that initiates the entire process.

Stage 3 serves as the central component of the malware, exhibiting a range of malicious activities. Evidence indicates Fractureiser attempts to:

  • Spread itself to all .jar files on the system, potentially infecting mods not obtained from CurseForge or BukkitDev, as well as other Java programs.
  • Collect login information and cookies from various web browsers.
  • Replace cryptocurrency addresses stored in the clipboard with alternative addresses presumably controlled by the attacker.
  • Gather Discord credentials.
  • Gather credentials associated with Microsoft and Minecraft accounts.

Given this behavior, there are strong indications that this targeted attack specifically aims at the modded Minecraft ecosystem, which makes it a significant threat.

Until further notice, it is imperative for users to exercise utmost caution when downloading Minecraft mods, regardless of their origin. Although the control server for this malware appears to be offline, any downloads from CurseForge or the Bukkit plugin repository within the specified time period should be treated as potentially threatening.

How to Deal with a Suspicion that Your Device is Infected by the Fractureiser Malware?

Extreme caution should be exercised until a reliable way to remove the infection is available. If stage 2 files from Fractureiser are found on the system, it is highly likely that the stage 3 code has run and infected the machine. The best option is to assume everything on those systems is entirely compromised. The following steps are highly recommended:

  • Back up relevant data on a flash drive or external disk.
  • Using a separate device, change the passwords for all services that were logged into on the old machine (Discord, email, etc.), preferably using a password manager.
  • If Two-Factor Authentication (authenticator application or SMS) was not yet enabled for every service that supports it, enable it immediately.
  • If possible, use a professional cybersecurity service to scan the machines for anything suspicious. Alternatively, as a safe default, wipe and reinstall the system.
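Because Fractureiser is described as writing itself into every .jar file it can reach, one practical check before deciding whether a machine is clean is to compare the .jar files present now against a known-good inventory. The script below is an added example written for this entry, not code from the original page or from any vendor: it records the SHA-256 hash and the list of archive entries for each .jar under a directory, then reports jars that are new, whose hash changed, or whose archive gained entries since the baseline (the pattern a self-propagating payload injected into existing archives would leave). The directory layout, file names and the sample jars built in the test are constructed; no indicators specific to Fractureiser are assumed.

```python
"""Baseline-and-diff check for Java .jar files (added example, not the page's own code).

Fractureiser is reported to copy itself into every .jar on the system, so a
defender can inventory jars (hash plus the entry names inside each archive)
and compare a known-good baseline with the current state.
"""
import hashlib
import json
import os
import sys
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class JarRecord:
    sha256: str
    entries: frozenset  # names of the files stored inside the archive


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """Map each .jar under root (by relative path) to its hash and entry names."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                with zipfile.ZipFile(full) as zf:
                    entries = frozenset(zf.namelist())
            except zipfile.BadZipFile:
                # A .jar that is not a valid zip archive is itself worth a look.
                entries = frozenset({"<unreadable archive>"})
            records[rel] = JarRecord(sha256_of(full), entries)
    return records


def diff_inventory(baseline, current):
    """Return jars that are new, changed, or gained entries since the baseline.

    'injected' lists, per changed jar, the entry names that were not present in
    the baseline copy of that archive.
    """
    report = {"new": [], "changed": [], "injected": {}}
    for rel, rec in current.items():
        old = baseline.get(rel)
        if old is None:
            report["new"].append(rel)
            continue
        if old.sha256 != rec.sha256:
            report["changed"].append(rel)
            added = rec.entries - old.entries
            if added:
                report["injected"][rel] = sorted(added)
    report["new"].sort()
    report["changed"].sort()
    return report


if __name__ == "__main__":
    # Usage (paths are placeholders):
    #   python jar_baseline.py <mods_dir> baseline.json          # write a baseline
    #   python jar_baseline.py <mods_dir> baseline.json --check  # compare against it
    root, store = sys.argv[1], sys.argv[2]
    current = inventory(root)
    if "--check" in sys.argv:
        with open(store) as f:
            raw = json.load(f)
        baseline = {k: JarRecord(v["sha256"], frozenset(v["entries"]))
                    for k, v in raw.items()}
        print(json.dumps(diff_inventory(baseline, current), indent=2))
    else:
        with open(store, "w") as f:
            json.dump({k: {"sha256": v.sha256, "entries": sorted(v.entries)}
                       for k, v in current.items()}, f, indent=2)
```

The baseline only has value if it was taken from a state known to be clean (for example, right after a fresh install of the mods), and a jar that shows no difference is not proof of safety; the check is a triage aid that narrows which archives deserve closer inspection, not a substitute for the scan or reinstall recommended above.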

Game mods are typically created by enthusiasts and made available on independent platforms. Consequently, game developers do not bear responsibility for their security and cannot ensure their safe usage. Users are therefore advised to download game mods only onto computers equipped with a security solution.
