@quat1024
Last active June 8, 2023 09:46
fractureiser public FAQ

What is this?

fractureiser is a multi-stage Java virus (and potential worm) that infects Java .jar files, and is a targeted attack on the Minecraft-playing community.

The virus was initially distributed by adding it to legitimate Minecraft mods and reposting them to CurseForge under a different name from a brand-new account. Eventually, someone who was logged into CurseForge downloaded and ran one of these infected mods; the stage3 payload swiped their browser cookies, and the attacker used those cookies to log in as them and upload a couple more infected mods under their account.

(CurseForge itself was not hacked - it was simply a stolen cookie.)

You can find more information in our research repository here.

Am I infected?

Go here.

There are two kinds of "infection" to speak of:

  • You have a malicious .jar on your computer. If you open this jar, or load it inside a Minecraft modloader, it contains code that contacts a Web server and attempts to download and execute stage 1 from it. (We've been calling these "stage 0"-infected mods.)
  • Stage 1 is not saved to disk, but it drops Stage 2 and Stage 3 as files onto the computer - this is the more severe part of the virus.

The process for checking whether you have been infected with the stage2/stage3 portion of Fractureiser is simple because the virus does not do a very good job at hiding itself; enable "Hidden files" on Windows, then just check whether a particular directory on your computer exists. Go here for instructions.

For checking whether a given .jar is infected with the stage0 portion of the virus, tools are being developed as we speak, including a browser-based tool to submit jars to. Go here.

Currently, if you run a stage0-infected mod, it will not successfully download stage1 and continue to the more severe parts of the virus, because the Web server it fetches stage1 from has been reported for abuse and the Web host has graciously taken it down. It is not known whether this server will stay down, so detection and removal are still paramount! And if stage2/stage3 already landed on your computer, they keep running regardless of whether that server is up.

I am infected. What should I do?

If you found stage2 infected files, go here for further instruction. Change your passwords!

An antivirus scan is probably not going to help; fractureiser is very new and original so AVs don't pick up on it yet.

Is it safe to run Minecraft?

You can, but be careful. Go here for some advice.

What about multiplayer?

fractureiser is not an exploit in Minecraft itself or in the Minecraft multiplayer protocol. It is safe to connect to any Minecraft server.

What about Bedrock edition?

This virus has absolutely nothing to do with Bedrock Edition/Console Edition/Pocket Edition etc. Those are all completely unaffected.

What can Stage 3 of the virus do?

It depends on what files the virus operator tells stage1/stage2 to download, but the sample we analyzed (early on the morning of June 7) included a bunch of nasty stuff:

  • Leak system information to the attacker
  • Read/write clipboard contents (leak the clipboard, swap out copied cryptocurrency addresses)
    • I've heard a report that this may show up as a broken clipboard; where copying anything doesn't really work
  • Steal cookies and login info from Web browsers
  • Steal Discord tokens (a good old Discord token stealer is bundled too)
  • Steal cryptocurrency wallets

It also contains the following Minecraft-ecosystem specific attacks:

  • Steal Microsoft account sessions from all popular Minecraft launchers
  • Add the stage0 infection to all Java jars it can find on the computer - including Fabric mods, Forge mods, Quilt mods, Bungee plugins, vanilla Minecraft jars, and even jars that have nothing to do with Minecraft.
    • If this code is used, it has the capability to reinfect you after you run a Java program - even if you remove the stage2/stage3 payloads from your computer

(We don't know how long this variant of stage3 was distributed for, but people were infected by it for at least 1 week prior to June 7.)

Not all of this stuff actually works - this malware does... not appear to be operated by someone very good at programming. Still, the behavior of the malware depends on what the operator-controlled websites serve, so anything could happen. This is just what we analyzed on June 7th.

Is Iris safe? / Is (some other mod) safe?

One of the functions of stage3 of the virus is infecting as many .jars as it can find on your computer. It can infect all .jars, including Minecraft itself (vanilla/modded), Minecraft mods, Spigot plugins, and unrelated Java applications. So if your computer has the stage3 portion of the virus, it doesn't matter whether a mod you download is "safe" - it will become infected. Detect and remove the later stages of fractureiser first.

At the moment, all known infected mods have been removed from CurseForge. CurseForge posted a list of known infected mods (bottom of the page) and has removed them from the website. Modrinth has scanned back 10 months and has not found any infected mods.

To check whether a given jar contains stage0 of fractureiser, please go here - there is a Web-based tool you can drag-and-drop jars into, and some downloadable tools for bulk scanning.
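As an added example (not the Web-based tool or the bulk scanners this FAQ links to), the script below shows the simplest form such a check can take: it searches every entry of a jar for the command&control strings listed in the firewall section of this FAQ, and recurses into jars nested inside jars (Fabric's META-INF/jars/ bundling, shaded dependencies). The sample jars in the test are constructed. A literal-string match only catches copies that carry the address in the clear; a variant that assembles the address at runtime would slip past it, so treat a clean result as "no known indicator found", not "safe".

```python
"""Triage .jar files for the fractureiser stage0 network indicators quoted in this FAQ.

Added example, not the project's or CurseForge's scanner: a literal-string search
over every entry of a jar, recursing into jars nested inside jars.
"""
import io
import sys
import zipfile
from pathlib import Path

# Indicators quoted in the FAQ's firewall section. Kept as bytes: class-file
# constant pools store ASCII strings verbatim, so a plain substring test works.
INDICATORS = [
    b"85.217.144.130",        # hardcoded in stage0, first C2 server
    b"107.189.3.101",         # second C2 server
    b"files-8ie.pages.dev",   # stage1 fallback URL / stage2 C2 hostname
    b"v2202209151437200088",  # odd hostname contacted on port 25575
]


def scan_jar_bytes(data: bytes) -> list:
    """Return [(entry path, indicator)] hits for a jar given as bytes.

    Hits inside nested jars are reported as 'outer/inner.jar!path/Inside.class'.
    Anything that is not a zip (or a truncated one) yields no hits rather than an error.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            if info.filename.lower().endswith(".jar"):
                # jar-in-jar: report the inner path prefixed with the outer entry name
                for inner_path, ioc in scan_jar_bytes(blob):
                    hits.append((f"{info.filename}!{inner_path}", ioc))
                continue
            for ioc in INDICATORS:
                if ioc in blob:
                    hits.append((info.filename, ioc.decode("ascii")))
    return hits


def scan_jar_file(path: str) -> list:
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def scan_tree(root: str) -> dict:
    """Scan every *.jar under root (e.g. a mods folder); returns {path: hits} for jars with hits."""
    found = {}
    for p in Path(root).rglob("*.jar"):
        hits = scan_jar_file(str(p))
        if hits:
            found[str(p)] = hits
    return found


def build_jar(entries: dict) -> bytes:
    """{entry name: bytes} -> jar bytes. Used to construct sample jars for the self-test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python scan.py <jar or directory>...
    for arg in sys.argv[1:]:
        results = scan_tree(arg) if Path(arg).is_dir() else {arg: scan_jar_file(arg)}
        for jar, hits in results.items():
            for entry, ioc in hits:
                print(f"{jar}: {entry} contains {ioc}")
```

Point it at a mods folder or a server's plugins folder; anything it prints deserves the stage2/stage3 directory check from the "Am I infected?" section as well, since a stage0 hit means the mod was run or was written by an already-infected machine.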

I last played modded Minecraft (a month ago/two weeks ago/yesterday), am I safe?

The earliest infected files (some Bukkit plugins) were found as early as mid-April. I would check anyway - it doesn't hurt.

Was CurseForge hacked?

No. CurseForge has confirmed this.

Most of the infected mods were uploaded legitimately from throwaway CurseForge accounts, and their viral nature simply went unnoticed. Eventually, someone who was logged into CurseForge downloaded and ran one of these infected mods; the stage3 payload swiped their browser cookies, and the attacker used those cookies to log in as them and upload a couple more infected mods under their account.

Cookie stealing is nothing new and nothing specific to CurseForge.

Can fractureiser escape VMs (virtual machines?)

No.

stage3 does contain code for attempting a manual escape from the "Windows Sandbox". It does not happen automatically. If the virus is run from the Windows Sandbox, it will try to mess with the clipboard to trick you into pasting a shortcut to the malware on the host.

Note that this sort of "clipboard escape" is nothing new and it is very easy to defeat by simply not sharing the clipboard between the host and guest OS. Use a more heavyweight virtual machine than the "Windows Sandbox", and disable features like VirtualBox's "Guest Additions" or Hyper-V's "integration services". For Windows Sandbox itself, a .wsb configuration file with <ClipboardRedirection>Disable</ClipboardRedirection> turns clipboard sharing off, and <Networking>Disable</Networking> also keeps a sample from reaching its servers.

(Real virtual-machine escape exploits are worth millions of dollars and would not be burned on some Minecraft kids, and we have reason to believe the author of this malware is not a very good programmer in the first place.)

Less frequently asked questions

How widespread was the infection?

CurseForge is reporting infected files were downloaded 6,000 times for the entire infection period.

Can I have more technical information?

For an overview of what all these "stages" do, see this picture. For a more technical summary, head to our reverse-engineering notes.

We're not handing out samples publicly, but contact us if you're a security researcher.

Will antiviruses detect it?

Antivirus engines mostly work by comparing files against a database of known malware (signatures, plus some heuristics for known families), so they can't tell that a brand-new, bespoke file is a virus just by looking at it; since fractureiser is new, many antiviruses don't detect it just yet. They are starting to take notice because we have submitted many files related to this virus to a bunch of antivirus vendors.

At the moment your antivirus probably won't detect it, but as always: make sure to frequently update your antivirus.

What are CurseForge and Modrinth doing about it?

CurseForge has developed an open-source stage2/3 detection tool and a stage0 detection tool, has scanned all uploaded mods/plugins for stage0 infections, and has deleted all known infection cases.

Modrinth has also scanned uploaded mods/plugins for stage0 infections going back 10 months and did not find any.

Both platforms are considering introducing some sort of automated "virus scan" process to the mod submission pipeline. It's hard, since Java malware like this is typically bespoke (see the note about antiviruses above).

Why aren't mods cryptographically signed to prevent malware from tampering with them?

You know... that's a really good question!

Part of the problem is that signatures alone do not prevent malware - a cryptographically-signed virus is still a virus - and if self-signing were permitted, they don't prevent tampering either: a virus can simply strip the existing signature off a jar ("delete META-INF") and re-sign it with its own key. (This isn't hypothetical, either: fractureiser does contain code to remove digital signatures from the jars it infects.) A signature only helps when whoever verifies it also checks that the signing key belongs to the mod's real author, not just that some signature is present.

Signing mods and verifying the signatures against an online service does seem like a somewhat promising way forward, though it's not without tradeoffs. There will be a meeting tomorrow with some Modrinth/CurseForge/Fabric/Forge/FTB reps to discuss the possibilities.
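To make the "delete META-INF" point concrete, here is an added example (not code from any modloader, CurseForge or Modrinth) that reports whether a jar still carries signature files and whether the per-entry digests in META-INF/MANIFEST.MF still match the entry contents. It covers the integrity layer only: a real verifier also checks the .SF against the manifest and the PKCS#7 block in the .RSA/.DSA/.EC file against a trusted certificate, and that is exactly the layer stripping removes. The self-test uses constructed jars with placeholder .SF/.RSA files, not real signatures.

```python
"""Report whether a jar still carries its signature and whether its manifest digests
match the entry contents. Added example; integrity layer only, no certificate checks.
"""
import base64
import hashlib
import io
import zipfile

SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def _is_signature_file(name: str) -> bool:
    """The manifest and the signature files themselves are not covered by digests."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith((".SF",) + SIG_BLOCK_SUFFIXES)
    )


def parse_manifest(text: str) -> dict:
    """Return {entry name: {header: value}} for the per-entry sections of a manifest.

    Manifest lines are at most 72 bytes; longer values continue on the next line
    after one leading space, so continuation lines are joined before parsing.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, None
    for line in lines:
        if not line.strip():
            current = None  # a blank line ends a section
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value
    return sections


def check_signature(data: bytes) -> dict:
    """{'signed': .SF and signature block present, 'mismatched': [entries whose digest
    no longer matches], 'unlisted': [entries the manifest has no digest for]}"""
    report = {"signed": False, "mismatched": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
        report["signed"] = any(n.endswith(".SF") for n in meta) and any(
            n.endswith(SIG_BLOCK_SUFFIXES) for n in meta)
        if "META-INF/MANIFEST.MF" not in names:
            report["unlisted"] = [n for n in names if not _is_signature_file(n)]
            return report
        sections = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if _is_signature_file(name):
                continue
            digests = {k: v for k, v in sections.get(name, {}).items() if k.endswith("-Digest")}
            if not digests:
                report["unlisted"].append(name)
                continue
            content = zf.read(name)
            for header, expected in digests.items():
                algo = header[: -len("-Digest")].replace("-", "").lower()  # SHA-256 -> sha256
                actual = base64.b64encode(hashlib.new(algo, content).digest()).decode()
                if actual != expected:
                    report["mismatched"].append(name)
                    break
    return report


def make_manifest(entries: dict) -> str:
    """MANIFEST.MF with a SHA-256-Digest per entry, wrapped at 72 bytes like jarsigner does."""
    out = ["Manifest-Version: 1.0", ""]
    for name, blob in entries.items():
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        for line in (f"Name: {name}", f"SHA-256-Digest: {digest}"):
            out.append(line[:70])
            rest = line[70:]
            while rest:
                out.append(" " + rest[:69])
                rest = rest[69:]
        out.append("")
    return "\r\n".join(out) + "\r\n"


def build_jar(entries: dict) -> bytes:
    """{entry name: bytes} -> jar bytes (constructed samples for the self-test)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Placeholder signature files: enough to exercise the 'signed' flag, not real signatures.
PLACEHOLDER_SIG = {"META-INF/DEMO.SF": b"Signature-Version: 1.0\r\n", "META-INF/DEMO.RSA": b"\x30\x00"}


def demo() -> dict:
    """Intact, tampered and signature-stripped variants of one constructed signed jar."""
    entries = {"a/B.class": b"\xca\xfe\xba\xbe", "assets/" + "x" * 80 + ".json": b"{}"}
    manifest = {"META-INF/MANIFEST.MF": make_manifest(entries).encode()}
    intact = build_jar({**entries, **manifest, **PLACEHOLDER_SIG})
    tampered = build_jar({**entries, "a/B.class": b"\xca\xfe\xba\xbe stage0", **manifest, **PLACEHOLDER_SIG})
    stripped = build_jar({**entries, **manifest})  # digests still match, signature gone
    return {k: check_signature(v) for k, v in (("intact", intact), ("tampered", tampered), ("stripped", stripped))}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "stripped" case is the instructive one: every digest still matches, so a check that only recomputes digests is satisfied, yet nothing ties the jar to its author any more. That is why the answer above says signatures only help when the verifier also cares who signed.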

Would it be possible to include some sort of "antivirus" or "sandbox" in the modloader itself?

"Antivirus": Probably not, for the same reasons that regular antiviruses didn't detect it (see above) - antiviruses can only detect known malware, not unknown malware.

Sandboxing: Including some sort of "does this class contain 'safe' code?" check before loading a class is a great way to spur on a cat-and-mouse game between malware developers and modloader developers.

It's really hard to ban Java code from using a specific class (say, URLClassLoader) because you can also refer to it with Class.forName (which has a ton of legitimate use-cases), and if you ban or deny-list classes from that, you can typically find something else on the classpath willing to call Class.forName for you, and trying to get rid of these gadgets is an endless game of whack-a-mole.

Sandboxing Java is pretty much impossible - see articles like "Twenty Years of Escaping the Java Sandbox". (The SecurityManager that the old Java sandbox relied on has been deprecated for removal since Java 17 (JEP 411), so there is no supported in-process sandbox to fall back on.)

Java mods are simply bundles of arbitrary code: treat them like an .exe, they can do anything. I don't think enough people know that about Java mods.

Would it be possible to forbid mods from downloading executable code?

It's not possible. You can't know whether a file contains executable code before you download it, and after a file is downloaded, you can't control what is done with it.

  • What if my mod downloads a single Java class file?
  • What about a Java class file but spelled backwards, so it doesn't look like a class file at first?
  • What about a Java class file but encrypted?
  • What about Java source code that is compiled on your computer?
  • What about a Python script?
  • What about a file containing English prose where it just so happens that sentences with an even number of words correspond to a 0, and sentences with an odd number of words correspond to a 1? - even though it's a prose document I can technically reassemble it into an .exe, if I so choose.

Can we make it against CurseForge/Modrinth rules to download files from your mod?

It's already against CurseForge rules to upload viruses; someone willing to break that rule will break a "no downloads" rule too, and as the previous answer explains, such a rule can't be enforced technically anyway.

I heard something about the malware being able to automatically spread over the network. Can it do that?

A security researcher we are working with got an alert, but it ended up being about completely unrelated malware that happened to use a similar filename. False alarm!

Did someone want to spoil the 1.20 release event?

It appears to be a coincidence - this malware campaign was active for quite a while before being widely uncovered the morning-of the 1.20 release.

Is this related to that Spigot plugin malware going around?

Possibly! There are some ties to the existing malware skyrage: the malware author uploaded a skyrage-related .jar to their backup command&control server, in a fruitless attempt to extend the attack, shortly before Cloudflare took it down anyway.

We have not received any reports of anyone becoming infected by skyrage through this vector. The author updated their Cloudflare URL to point to skyrage a significant length of time after the hardcoded IP address in stage0-infected mods was already taken down. It's mostly a funny curiosity that the attacker tried to serve this jar at all.

skyrage is an existing, well-studied piece of malware and you can find some more info about it here.

What IP addresses and URLs should I block in my firewall/routing table?

fractureiser-related code has been observed to connect to these URLs and addresses over a wide variety of port numbers.

  • The hardcoded address in stage0-infected mods, and the first observed command&control server: 85.217.144.130
  • The second observed command&control server: 107.189.3.101
  • The fallback URL that stage1 tries to use, and the stage2 command&control hostname: files-8ie.pages.dev

There's also evidence of it trying to connect to the crazy-looking hostname v2202209151437200088 over port 25575 (the default Minecraft RCON port) - unknown reasons; probably from an older version of the malware.

Here are some additional addresses to firewall related to skyrage stuff (again, very unlikely skyrage was downloaded to anyone's PC through this vector, but what the hell, nothing good comes from these addresses anyway):

  • 95.214.27.172
  • connect.skyrage.de
  • t23e7v6uz8idz87ehugwq.skyrage.de
  • qw3e1ee12e9hzheu9h1912hew1sh12uw9.skyrage.de
  • Just block all of skyrage.de honestly

Should go without saying but don't visit these :)