September did not have many malware incidents, but MMPA has made decent progress toward several measures for preventing the spread of malware.
Or, in raw numbers:
- CurseForge: 4
- Discord: 2
- Spigot: 2
- Bukkit: 1
- Modrinth: 0
As seen from the chart above, Modrinth has been consistently malware-free for several months (this does not guarantee safety). Below is a statement from Emma Alexia, a Growth Manager and Lead Moderator at Modrinth, on how often they see attempts to upload malware to their platform.
Curseforge has been actively addressing some of the issues that lead to malware spreading, such as existing mods being re-uploaded under new names with malware added. Bukkit is likely taking similar precautions, as they are both owned by the same company.
Spigot and Discord have yet to make any major strides towards preventing the spread of malware on their platforms.
Malware of the Month
Comet is a malware family that Lenni0451 reported to MMPA on September 10th. It was originally thought to be a simple Force OP plugin, but it made a concerning number of web requests. Comet only works on servers.
Authorized users gain access to the following Comet chat commands:
Authorizing with Comet is as simple as typing `*auth <password>` in chat. Comet’s auth password is simply “test”, despite it being stored as an MD5 hashed string (hashing a password this weak with MD5 does nothing to hide it).
This password only works when logged in as one of the names below. Comet is mostly meant for attacking cracked/offline Minecraft servers where players can join under any username. We have blurred the real player names in the screenshot below.
After more investigation, MMPA found that the backend server ran on Replit and included a Discord token in plain sight.
This Discord token granted us full access to the bad actors’ Discord server. With this ability, we made a 1:1 clone of the server to gain access to its messages.
As expected, the server was filled with talk of backdoors, malicious plugins, and bigotry.
At the time of writing, Comet’s C2 has not been taken down, despite our report to Replit.
Ectasy has been a well-established backdoor-as-a-service in the Spigot backdooring space. The main method of spreading Ectasy is SpigotMC’s plugin website. Ectasy only works on servers.
Similar to Comet, Ectasy works mostly based on commands with the prefix `*`. This means that Ectasy has no C2 we can take down. The ectasy[.]club website has been reported to Porkbun, but at the time of writing, the website is still online.
An instance of the Ectasy malware was found on SpigotMC by Lenni0451 on October 6th, 2023. The plugin was named “Anti xray”. Within a few hours, it had about 5 downloads.
When the plugin is run on a server, it downloads a file named `bungee.jar` into the `plugins/PluginMetrics` folder in the server files.
The plugin itself is a 1:1 copy of an existing, uninfected plugin. The only thing that the malware author added is the `TranslatableComponentDeserializer` class and the `TranslatableComponentDeserializer$1` class inside of it.
The `bungee.jar` file reveals that this plugin is infected with Ectasy:
Spigot deleted the malicious file within about 7 hours.
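As an added example (not MMPA’s Concoction code), here is a small Python check for the two Ectasy indicators described above: the dropped `plugins/PluginMetrics/bungee.jar` and the injected `TranslatableComponentDeserializer` classes inside a plugin jar. The server layout, jar names and jar entries are constructed; a class-name match is a triage signal to investigate, not proof of infection.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Indicators from the incident above: the two injected classes and the dropped file.
INJECTED_CLASSES = {
    "TranslatableComponentDeserializer.class",
    "TranslatableComponentDeserializer$1.class",
}
DROPPED_FILE = Path("plugins/PluginMetrics/bungee.jar")

def jar_has_injected_classes(jar_bytes: bytes) -> list:
    """Return jar entries whose file name matches an injected class (triage hit, not proof)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist() if n.rsplit("/", 1)[-1] in INJECTED_CLASSES]

def scan_server(server_root: Path) -> dict:
    """Check a server directory for both Ectasy indicators."""
    findings = {"dropped_file": (server_root / DROPPED_FILE).is_file(), "suspicious_jars": {}}
    for jar_path in sorted((server_root / "plugins").glob("*.jar")):
        hits = jar_has_injected_classes(jar_path.read_bytes())
        if hits:
            findings["suspicious_jars"][jar_path.name] = hits
    return findings

def build_sample_jar(entries) -> bytes:
    """Constructed sample: a zip with only the named entries and no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()

def demo() -> dict:
    """Lay out a constructed server in a temp dir (file names are made up) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins" / "PluginMetrics").mkdir(parents=True)
        (root / "plugins" / "PluginMetrics" / "bungee.jar").write_bytes(b"")
        (root / "plugins" / "Clean.jar").write_bytes(build_sample_jar(["com/ex/Main.class", "plugin.yml"]))
        (root / "plugins" / "AntiXray.jar").write_bytes(build_sample_jar([
            "com/ex/Main.class",
            "com/ex/TranslatableComponentDeserializer.class",
            "com/ex/TranslatableComponentDeserializer$1.class",
        ]))
        return scan_server(root)
```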
On September 26th, misleadingly named mods were reuploaded to the Curseforge website by a user named MkatMonster. These mods had barely any working code and had names very similar to existing mods. Seroxen is capable of infecting both clients and servers.
The malicious mods downloaded a batch file called Sero.bat. After a few more PowerShell stagers, the final payload was a RAT called Seroxen.
Unfortunately, this incident occurred in the middle of the night in Israel, where the Curseforge team is located. The mods were removed as soon as the Curseforge team was available.
Seroxen is already detected by many popular antiviruses, so anyone who did download it is unlikely to be infected.
This information comes from a scrapped blog article from August. Because it’s a few months old and the mods had no malicious code, we thought we’d include it as a bonus.
Thousands of nearly identical files were uploaded to CurseForge by bots between August 9, 2023 and August 11, 2023. All files contained the same example mod code. The project pages have separate files for each selectable Minecraft version, ranging from 1.3.1 all the way to the newest 1.20.2 snapshots. The files are marked for both Forge and Fabric, even though they only work on Forge.
Due to how CurseForge’s approval process works, all files uploaded to Curseforge are automatically given either 1 or 2 downloads. In this case, hundreds of files were uploaded to each project. This allowed several of the projects to reach almost 2,000 “downloads”. This was later amplified by the amount of curious users who scraped these files, allowing some of the projects to surpass the 2,000 mark.
All of the abusive mods had AI generated names, photos, and descriptions.
A few hours after the Minecraft Malware Prevention Alliance team notified CurseForge, all offending projects were taken down. This happened on 8/12/23 at 2:02 AM CST. Curseforge is taking steps to prevent this from happening in the future, and responded to the situation as quickly as they could.
Spigot is notorious for doing almost no code verification on submitted plugins, which makes uploading malware a trivial task.
Spigot’s answer to this issue has generally been, “We can’t review stuff, there’s way too many plugins”. We’d like this situation to change, but the SpigotMC representative we had in our Discord left, which means we have no contact with their team.
We would like the Spigot team to strengthen their approval process due to how big of a target their platform is for bad actors.
TOTP (or WebAuthn)
A required 2FA implementation that pops up when you try to, for example, upload or update a new version of a mod would be a big step towards preventing compromised accounts from spreading malware. SMS 2FA would not be ideal due to how unsafe it is.
GitHub has already done this, requiring all users to enable 2FA with TOTP or WebAuthn.
If we force all uploads to be authenticated with 2FA, how would CI work?
This question is a bit tricky to answer, but the current idea is that an upload token would be generated only after the user has enabled 2FA, and it would be shown only once (regenerating it would prompt for 2FA again). As an extra precaution, the user should be emailed or otherwise notified of every upload or change.
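As an added illustration of the design in this answer (not code from any mod hosting platform), here is a hypothetical Python upload service that issues a CI token only after a TOTP check, stores just the token’s hash, shows the plaintext once, invalidates the old token on regeneration and records a notification for each upload. The `UploadService` class, its methods and the RFC 6238 `totp` helper are my assumptions about how such a service would look.

```python
import hashlib
import hmac
import secrets
import struct

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for a given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class UploadService:
    """Hypothetical mod-hosting backend: CI tokens exist only behind a 2FA check."""
    def __init__(self):
        self.totp_secrets = {}   # user -> TOTP secret, set when the user enables 2FA
        self.token_hashes = {}   # sha256(token) -> user; the plaintext is never stored
        self.notifications = []  # (user, message) pairs the user would be emailed

    def enable_2fa(self, user: str) -> bytes:
        secret = secrets.token_bytes(20)
        self.totp_secrets[user] = secret
        return secret  # shown once so the user can enrol an authenticator app

    def issue_ci_token(self, user: str, code: str, now: int) -> str:
        """Return the plaintext token exactly once; regeneration needs a fresh TOTP code."""
        secret = self.totp_secrets.get(user)
        if secret is None:
            raise PermissionError("2FA must be enabled before a CI token can be issued")
        if not hmac.compare_digest(code, totp(secret, now)):
            raise PermissionError("bad TOTP code")
        token = secrets.token_urlsafe(32)
        # Regeneration replaces the previous token, so a leaked one stops working
        self.token_hashes = {h: u for h, u in self.token_hashes.items() if u != user}
        self.token_hashes[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def upload(self, token: str, file_name: str) -> str:
        """Accept an upload from CI and notify the account owner about it."""
        user = self.token_hashes.get(hashlib.sha256(token.encode()).hexdigest())
        if user is None:
            raise PermissionError("unknown or revoked CI token")
        self.notifications.append((user, f"CI token uploaded {file_name}"))
        return user
```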
We have been making great progress on Concoction, our automated scanning tool, capable of both dynamic and static analysis.
We deem Concoction’s static signatures usable in production, with a simple API to go with it.
Dynamic analysis is also almost in a usable state; all it needs is something to discover the entrypoints of common modding platforms.
Col-E released a great overview video a while ago of what our plans are.
The concoction GUI is an easy way for end users to scan for signatures.
The signatures shown in the demo are deliberately broad ones that will flag almost any Java program; they exist only for testing, and the applications shown as “detected” are not actually malware.
In an ideal future, we will have a tool for automatically generating GUIs that detect specific malware families during major incidents like Fractureiser.
Implementing sandboxes for macOS and Linux is already possible, but Windows is still a big barrier. Windows can be very janky, and we still need to account for all use cases.
If you are willing to work on Windows sandboxing with us, please send an e-mail or join our Discord and chat in #sandboxing; we would love to work on it with you!
- Lenni0451 - Alerting us of several malicious Spigot plugins and helping us decompile the malicious code
- Modrome - Alerting MMPA about the issue from the “Bonus” section and helping research Seroxen
- u/RedChuJelly - Making the Reddit post from the “Bonus” section
- PandaNinjas - Helping with Seroxen research
- mommyraven - Helping with Seroxen research
- barrulik - Helping with Seroxen research
- emmikat - Helping with Seroxen research
- pypylia - Helping with Seroxen research
- janrupf - Helping with Seroxen research
- cbax - Helping with Seroxen research
- chorb - Research and proofreading
- eva - Research and blog writing
- IMS - Blog post preparation
- tobipickle - Proofreading
- axolotlite - Proofreading
- eoka_official - Research
- Polarite - Proofreading