Minecraft Alert! Understanding the Fracturiser Malware: Detection and Removal Guidelines
What is Fracturiser?
Fracturiser is a multi-stage malware that was first seen in infected mods uploaded to CurseForge and BukkitDev from mid-April 2023 and publicly identified in early June 2023. It runs on both Windows and Linux, and once an infected mod is executed it spreads to other JAR files on the system. Its primary goal is to steal user data and credentials, but its other capabilities make it a significant threat to anyone who unknowingly runs an infected mod.
How Does Fracturiser Work?
Fracturiser operates in stages, each performing a specific task that contributes to the overall impact of the malware. The attack begins when a user runs an infected mod: the code embedded in the mod downloads the next stage from a command-and-control server, and each stage in turn fetches and launches the one after it.
Key actions performed by Fracturiser include:
1. Propagation: It injects itself into every JAR (Java Archive) file it can find on the system, so mods that were never downloaded from CurseForge or BukkitDev can end up infected as well.
2. Data theft: It steals cookies and login information from various web browsers, Discord credentials, and Microsoft and Minecraft credentials.
3. Cryptocurrency interception: It replaces cryptocurrency addresses in the clipboard with alternate ones.
Detecting Fracturiser
The first thing I did was to place the questionable device on my isolated network. In this case it may have been overkill, but it's a process I follow when working on someone's computer that may be infected.
Detecting Fracturiser means looking for the files and autostart entries the malware creates on your system. Published indicators point to the following locations:
On Linux, look for `~/.config/.data/lib.jar`.
On Windows, check for `%LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar` (the same location as `%USERPROFILE%\AppData\Local\Microsoft Edge\libWebGL64.jar`). Enable showing hidden files before checking. Also inspect the registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` for an unfamiliar value, and look for an unexpected shortcut in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`.
As our case was a Windows host, we also downloaded and ran the latest version of the Windows Malicious Software Removal Tool, available from Microsoft (or search for it online).
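The checks above can be run in one pass. The following script is an added example written for this post, not code from the original article or from any published Fracturiser analysis: it looks for the payload file on the current platform, reads the HKCU Run key on Windows, and lists the Startup folder. The rule that flags a Run value whose command mentions `libWebGL64.jar` or `lib.jar` is an assumption made for illustration, not a published signature, and the `exists` parameter is there only so the file check can be exercised without a real infection.

```python
import os
import sys
from pathlib import Path

# Indicator locations from the post, left unexpanded so they resolve on either OS.
# %LOCALAPPDATA% and ~\AppData\Local are the same directory on Windows.
LINUX_INDICATORS = [r"~/.config/.data/lib.jar"]
WINDOWS_INDICATORS = [r"%LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar"]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_DIR = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"

# Payload file names from the post. Flagging an autostart entry because its
# command mentions one of these is an assumption for this example, not a
# published signature.
PAYLOAD_NAMES = ("libwebgl64.jar", "lib.jar")


def expand(path: str) -> str:
    """Expand ~ and %VAR%/$VAR so the constants above resolve on either OS."""
    return os.path.expandvars(os.path.expanduser(path))


def candidate_files(platform: str) -> list:
    """Indicator paths (unexpanded) for a sys.platform string such as 'linux' or 'win32'."""
    return list(WINDOWS_INDICATORS if platform.startswith("win") else LINUX_INDICATORS)


def existing_indicators(paths, exists=os.path.exists) -> list:
    """Expanded indicator paths that exist. `exists` is injectable so the
    logic can be exercised without touching the real file system."""
    found = []
    for p in paths:
        full = expand(p)
        if exists(full):
            found.append(full)
    return found


def suspicious_autostart(entries: dict) -> dict:
    """Keep the {name: command} autostart entries whose command names a payload file."""
    return {name: cmd for name, cmd in entries.items()
            if any(marker in cmd.lower() for marker in PAYLOAD_NAMES)}


def read_run_values() -> dict:
    """Read every value under HKCU\\Software\\...\\Run (Windows only; empty elsewhere)."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            values[name] = str(data)
            index += 1
    return values


def list_startup_items() -> list:
    """File names in the Startup folder. Shortcut (.lnk) targets are not
    parsed here, so anything listed needs a manual look."""
    folder = Path(expand(STARTUP_DIR))
    return sorted(f.name for f in folder.iterdir()) if folder.is_dir() else []


def main() -> int:
    files = existing_indicators(candidate_files(sys.platform))
    run_hits = suspicious_autostart(read_run_values())
    for f in files:
        print("FOUND payload file:", f)
    for name, cmd in run_hits.items():
        print(f"SUSPICIOUS Run value {name!r}: {cmd}")
    for item in list_startup_items():
        print("Startup item (review manually):", item)
    if not files and not run_hits:
        print("No Fracturiser file or Run-key indicators found.")
    return 1 if (files or run_hits) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the user whose profile is being checked, since both the payload path and the Run key are per-user. A clean result from this script only says the listed indicators are absent; it does not replace a full antivirus scan.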
Removing Fracturiser
Once Fracturiser is detected, the suggested removal approach is to delete all infected mods, remove the payload file and any autostart entries listed above, and then run a full system scan with an up-to-date antivirus product that recognizes Fracturiser. As of the latest reports, only four of the major antivirus engines detected this malware, which underlines the importance of keeping antivirus definitions current. Because the malware steals browser cookies and Discord, Microsoft and Minecraft credentials, also change those passwords and sign out of existing sessions from a device you know is clean.
Despite the advanced nature of this malware, it's important to remember that CurseForge was not compromised at an administrative level. The malware was uploaded by a malicious user who created several accounts and infiltrated the platform with infected projects. In response to the incident, CurseForge has taken measures to ban all related accounts and enhance the security of their platform.
We were lucky and nothing was found, so the removal steps are what I found online.
A Word of Caution
While this post provides a general guide to the detection and removal of the Fracturiser malware, dealing with such threats often requires professional assistance. If you suspect that you're infected, contact a professional or get support from your antivirus provider. While a family member was concerned that they may have been compromised, we did not find any evidence of this. Always keep all your software and antivirus definitions up to date, as new threats are constantly emerging. Also, be mindful of the mods you download and the platforms you use, ensuring they are trusted and reputable. Stay safe, and happy gaming!