The initial attack vector was, you guessed it, compromised accounts. Once the attacker had control of the accounts, they were able to re-upload mods and plugins with the malicious code attached. Two platforms identified in this attack were CurseForge and Bukkit. Once the compromised accounts had been used to upload the malicious content, it was then inserted into modpacks, allowing for even greater saturation. The attackers were able to get around the protections allegedly in place, including multi-factor authentication. They also hid the modpacks by archiving them, while API calls could still push the altered code. The length of the campaign is currently believed to be three weeks, but it may have been longer and impacted more than what is currently listed.
The malware is a multi-stage loader: it sets up the initial infection, propagates to other JAR files on the system, creates a persistence mechanism, and establishes communication with the command-and-control server. The information gathered includes cookies and web account data stored on the target system, Microsoft account information, crypto wallet addresses (which it also appears to replace), Discord account credentials, and Minecraft account credentials. On Windows, persistence appears to be both a startup script and registry entries; on Linux, it is a new service that runs on startup.
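Because the loader spreads by writing itself into other JAR files, the one check a practitioner can run without any indicator of compromise is an integrity baseline: record every entry (name and CRC) of every JAR in the mods directory right after a trusted install, then diff against that baseline later. Any JAR that gains an entry it did not have before is exactly what class injection looks like. The script below is an added example, not code from the original post or from any of the affected projects; the directory layout, the mod name and the `injected/Loader.class` entry are constructed placeholders for the demo, not real indicators.

```python
"""Baseline-and-diff audit of JAR files in a mods directory.

Added example, not the original post's code. A loader that propagates by
injecting classes into other JARs changes the entry list (and/or CRCs) of
JARs that should be static. Record a baseline once from a trusted install,
then re-run to spot additions, removals, and modified entries.
"""
import json
import shutil
import tempfile
import zipfile
from pathlib import Path


def jar_inventory(jar_path):
    """Return {entry_name: crc32} for every entry in a JAR (a zip file)."""
    with zipfile.ZipFile(jar_path) as zf:
        return {info.filename: info.CRC for info in zf.infolist()}


def build_baseline(mods_dir):
    """Inventory every *.jar under mods_dir, keyed by path relative to it."""
    mods_dir = Path(mods_dir)
    return {
        str(jar.relative_to(mods_dir)): jar_inventory(jar)
        for jar in sorted(mods_dir.rglob("*.jar"))
    }


def diff_against_baseline(mods_dir, baseline):
    """Compare the current state of mods_dir with a saved baseline.

    Returns findings per JAR: new JARs, missing JARs, and for known JARs the
    entries added (the signature of class injection), removed, or changed.
    """
    current = build_baseline(mods_dir)
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            findings[name] = {"status": "new_jar"}
            continue
        if name not in current:
            findings[name] = {"status": "missing_jar"}
            continue
        old, new = baseline[name], current[name]
        added = sorted(set(new) - set(old))
        removed = sorted(set(old) - set(new))
        changed = sorted(e for e in set(old) & set(new) if old[e] != new[e])
        if added or removed or changed:
            findings[name] = {"status": "modified", "added": added,
                              "removed": removed, "changed": changed}
    return findings


def _write_jar(path, entries):
    """Demo helper: write a zip containing the given {name: bytes}."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def demo(workdir=None):
    """Constructed scenario: baseline a clean mod, then simulate injection.

    Uses a throwaway directory (deleted afterwards) unless one is given.
    """
    owned = workdir is None
    if owned:
        workdir = tempfile.mkdtemp(prefix="jar-audit-")
    try:
        mods = Path(workdir) / "mods"
        mods.mkdir(parents=True, exist_ok=True)
        clean = {  # placeholder mod contents, not a real mod
            "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
            "com/example/mod/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
        }
        _write_jar(mods / "example-mod.jar", clean)
        baseline = build_baseline(mods)

        # Simulate what a self-propagating loader does: add a class to an
        # existing JAR. The entry name is a placeholder, not a real IOC.
        infected = dict(clean)
        infected["injected/Loader.class"] = b"\xca\xfe\xba\xbe" + b"\x01" * 16
        _write_jar(mods / "example-mod.jar", infected)

        return diff_against_baseline(mods, baseline)
    finally:
        if owned:
            shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use, save the output of `build_baseline()` to JSON on a separate, trusted location (a USB stick or another host) and compare against it with `diff_against_baseline()` after every launcher or modpack update; a baseline stored next to the mods is something the same loader could rewrite. The CRC comparison catches entries rewritten in place as well as added ones, but it is an integrity check, not malware detection: a legitimately updated mod will also show as modified, so confirm the update against the publisher's release before clearing the finding.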
Gaming on Windows and Linux, as we have previously discussed, leaves a lot to be desired when it comes to security. We have seen games read and dump memory around protected processes as part of anti-cheat mechanisms, while other in-game services are open to poisoned ad attacks or other "lobby" style attacks in multi-player games. Modding of games has also grown in popularity, which has increased its attractiveness to attackers. Minecraft is not the first game to be targeted through popular mods and it is not likely to be the last. Factor in BYOD usage of home systems for business purposes (even just checking email) and you have a very target-rich environment. The more popular the game, the more likely attackers will get a return on their investment in poisoning a mod or part of a modpack. We can now add this attack vector to the list, but many organizations will not be able to protect against it, as they do not have proper policies to check or protect non-corporate devices. And let's not forget that this type of attack can also work on games for mobile devices like phones, which makes things just a little bit worse.
Happy gaming.