The gaming community is abuzz with discussions surrounding a new malware named Fractureiser found in mods for Minecraft, both in Windows and Linux. The malware was discovered to have been downloaded from trusted sources such as CurseForge and dev.bukkit.org.
Players have been advised not to download .jar files from those sites. If anyone did download from these sites, they should immediately scan their computers for malware.
The initial investigation suggests that cybercriminals gained unauthorised access to mod developers’ accounts on CurseForge.com and dev.bukkit.org, allowing them to inject their malicious code into multiple mods. However, developers of Prism Launcher suspect that an unknown vulnerability in the Overwolf platform may have been exploited as another possible route of entry for the malware.
Here is a list of affected mods which shows just how far the malware has infected:
CurseForge
- Dungeons Arise
- Sky Villages
- Better MC modpack series
- Dungeonz
- Skyblock Core
- Vault Integrations
- AutoBroadcast
- Museum Curator Advanced
- Vault Integrations Bug fix
- Create Infernal Expansion Plus – Mod removed from CurseForge
Bukkit
- Display Entity Editor
- Haven Elytra
- The Nexus Event Custom Entity Editor
- Simple Harvesting
- MCBounties
- Easy Custom Foods
- Anti Command Spam Bungeecord Support
- Ultimate Leveling
- Anti Redstone Crash
- Hydration
- Fragment Permission Plugin
- No VPNS
- Ultimate Titles Animations Gradient RGB
- Floating Damage
Fractureiser malware, once installed through compromised mods, proceeds to download and execute additional malicious code from a remote server. This code then creates folders, scripts, and modifies the system registry to ensure the persistence of the malware even after a reboot. Researchers have found that the malware attempts to spread its infection to all .jar files on a computer, potentially impacting previously downloaded mods. Additionally, fratureiser has the capability to steal browser cookie files, credentials, and even manipulate crypto wallet addresses on the clipboard.
Concerned gamers have identified the presence of a file named libWebGL64.jar in either the %LOCALAPPDATA%/Microsoft Edge/ or /AppData/Local/Microsoft Edge/ folder as a clear indication of infection. To locate this file, users are advised to enable the Show hidden files, folders, and drives option while disabling the Hide protected operating system files setting in the Folder options menu accessible through Windows File Explorer.
To ensure their safety, Minecraft players are urged to run thorough scans using reliable antivirus software and consider changing all passwords to online resources accessed on the infected computer. It is also advisable to stay updated on the latest news regarding the situation and refrain from installing any new mods until the issue is resolved. This caution applies not only to mods directly downloaded from the affected sites but also to those obtained through third-party software.
In the News: WordPress gets its own AI writing assistant