Hackers have once again been seen using Minecraft to spread information-stealing malware to the gaming community. The malware can hijack cryptocurrency transactions and steal Discord authentication tokens, as well as cookies and login credentials stored in browsers.
According to cybersecurity researchers at Bitdefender, unknown hackers managed to break into several developer accounts at CurseForge and Bukkit. These are modding communities where Minecraft fans come together to create and share various mods and plugins for the popular sandbox game.
Mods and plugins found on these accounts were then infected with the above-mentioned information-stealing malware. Researchers say that because the infected mods and plugins were then added to various mod packs, their downloads number in the millions.
Active development
Analysts say the earliest signs of the malware were detected on April 24, 2023. That version lacked many of the features it now has, suggesting that the attackers are actively developing the malware.
At the moment, attackers mainly target Linux and Windows endpoints, with most of the victims located in the United States. Researchers also say that the infostealer has a unique feature that is aimed exclusively at modders and developers.
In the later stages of the infection, the malware targets Windows Sandbox instances, which modders usually use for testing. From inside the sandbox it repeatedly tries to infect the clipboard in an attempt to infect the host.
“This behavior is specific to Windows Sandbox because it is the only virtualization environment that allows the content of the host clipboard to be changed while the virtual machine is running in the background,” the researchers said.
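For modders who test untrusted mods in Windows Sandbox, the shared clipboard the researchers describe can be switched off in the sandbox's `.wsb` configuration file. The following is an added example, not taken from the Bitdefender report; the host folder path is a constructed placeholder.

```xml
<!-- Added example (constructed). Save as mod-test.wsb and open it to start the sandbox. -->
<Configuration>
  <!-- Stop sharing the clipboard between the sandbox and the host,
       so nothing running in the sandbox can change the host clipboard. -->
  <ClipboardRedirection>Disable</ClipboardRedirection>

  <!-- Optional hardening: no network inside the sandbox.
       Remove this element if the mod under test needs network access. -->
  <Networking>Disable</Networking>

  <MappedFolders>
    <MappedFolder>
      <!-- Placeholder path (assumption): the host folder holding the mods to test. -->
      <HostFolder>C:\ModTesting\untrusted</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\untrusted</SandboxFolder>
      <!-- Read-only, so the sandbox cannot write back into the host folder. -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
```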
The report concludes that so far “dozens” of mods and plugins have been found to be infected with this malware. A full list of affected plugins can be found at this link.
Minecraft is a hugely popular sandbox game with over 140 million active players.