Microsoft flagged a cross-platform DDoS botnet on Thursday whose main purpose is to carry out DDoS attacks against privately run or owned Minecraft servers. The network is called MCCrash and can spread to Linux or Windows-based devices.
While the company hasn’t disclosed the complete scale of the network yet, a majority of targets or ‘bots’ come from Russia, with countries like Belarus, Czechia, India, Indonesia, Italy, Kazakhstan, Ukraine and Uzbekistan hosting smaller numbers.
Microsoft’s report claims that the infection starts off by targeting a small group of machines that have been compromised using installation tools, cracks or keygens offering free or illegal Windows licenses. The botnet then spreads by trying default credentials on internet-exposed SSH devices.
Once it reaches a target device, a Python payload is launched containing the core botnet features including scanning for further SSH-enabled Linux devices where the same Python payload is deployed to run DDoS commands, one of which attacks Minecraft servers.
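The spread mechanism described above, trying default credentials against internet-exposed SSH services, leaves a recognisable trace in the target's sshd logs: a burst of failed password logins from one source, sometimes followed by a successful password login from that same source. The following detector is an added example written for this article, not code from Microsoft's report or from the botnet itself. It assumes the standard OpenSSH auth.log line format; the log lines, hostnames and addresses are constructed samples using RFC 5737 documentation ranges, and the thresholds are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not real data). 203.0.113.5 plays
# the role of a scanning bot: several default-credential failures, then a success.
SAMPLE_AUTH_LOG = """\
Dec 15 10:00:01 edge sshd[2201]: Failed password for root from 203.0.113.5 port 43212 ssh2
Dec 15 10:00:02 edge sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 43214 ssh2
Dec 15 10:00:03 edge sshd[2205]: Failed password for invalid user pi from 203.0.113.5 port 43216 ssh2
Dec 15 10:00:04 edge sshd[2207]: Failed password for invalid user ubuntu from 203.0.113.5 port 43218 ssh2
Dec 15 10:00:05 edge sshd[2209]: Accepted password for root from 203.0.113.5 port 43220 ssh2
Dec 15 10:00:09 edge sshd[2211]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Dec 15 10:00:40 edge sshd[2213]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
Dec 15 10:05:00 edge sshd[2215]: Failed password for invalid user test from 192.0.2.9 port 40000 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>"
# lines that OpenSSH emits for authentication attempts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text, year=2022):
    """Turn auth.log text into a list of authentication events.
    syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_ssh_spray(events, threshold=3, window_seconds=60):
    """Flag a source IP when its failed password attempts inside a sliding
    window reach `threshold`, and separately flag a password login that
    succeeds from a source that was already failing inside that window
    (the pattern a default-credential bot leaves when it lands a login)."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        recent_failures = []
        for ev in evs:
            # Drop failures that have fallen out of the sliding window.
            recent_failures = [f for f in recent_failures
                               if (ev["time"] - f["time"]).total_seconds() <= window_seconds]
            if ev["result"] == "Failed" and ev["method"] == "password":
                recent_failures.append(ev)
                if len(recent_failures) >= threshold:
                    findings.setdefault(ip, set()).add("password spray")
            elif ev["result"] == "Accepted" and ev["method"] == "password" and recent_failures:
                findings.setdefault(ip, set()).add("password login after failures")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in detect_ssh_spray(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, ", ".join(tags))
```

Run against the sample, only 203.0.113.5 is reported, with both tags; the single failure from 198.51.100.7 followed by a key-based login is ordinary user behaviour and stays quiet. The "password login after failures" tag is the one worth paging on, because it marks a host the bot may now be using to scan for further SSH targets. Setting `PasswordAuthentication no` in sshd_config removes the credential-guessing path entirely, which is the mitigation to prefer over tuning thresholds.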
After deployment, the botnet contacts a Command and Control (C2) server to launch several commands. This first set of commands collects OS version information from the victim device and establishes a TCP connection with the C2 host. The botnet then continues receiving encrypted instructions from the server.
Since each Minecraft version is coded slightly differently, the botnet is written to target version 1.12.2 specifically. That said, Microsoft reports that all versions from 1.7.2 to 1.18.2 can be affected by this attack without any modification of the attack’s source code; only versions 1.19 and onwards are protected.
This means that the botnet can impact Minecraft servers almost globally, especially in the United States, which has the largest number of potentially at-risk Minecraft servers.