Weird Utils: Advanced SkyBlock Malware

Posted on:August 22, 2023 at 04:02 PM

WeirdUtils

WeirdUtils is a family of advanced malware mainly targetting players of Hypixel’s SkyBlock gamemode (THAT DOES NOT MEAN ITS ONLY TARGETING SKYBLOCK). As many people have installed files infected with WeirdUtils over the span of two years. At the time of this blog post’s release, WeirdUtils is not detected by major antiviruses. The known mods are impersonating both open and closed source projects, and adding malware.

Documentation in progress, nothing is finalised

For users

TL;DR

We have found mods that use a multi-stage process to infect users with WeirdUtils. First, an encrypted Pastebin file is loaded. This is decrypted into a url used to download a JAR file that, when decrypted (twice) contains code to steal passwords/tokens from the following sources:

The current version of the malware has been disarmed by Pastebin on August 19, 2023, at 9:08 pm CDT, and stage 3 was disarmed by GitHub sometime on August 21, 2023. The malware developers may release updates to reupload them, however.

How do I know if I have been infected?

You can use our detection tool UtilsDetector to detect if you have any infected jar files on your machine. As this malware does not spread, there should not be that many infected files.

Updated versions of the malware may not be detected by any tool; be safe.

I’m infected. Help!

If you have found out that you were/are infected, assume all accounts saved in browsers, along with your Discord account and Minecraft account, are compromised.

Make sure the malware is completely removed from your system, after submitting the jar via the detector tool.

Change the passwords for all of these accounts, along with any other accounts using the same or similar passwords.

Timeline of Events

All times listed below are in GMT.

Saturday, August 19th

17:56 TirelessTraveler discovers the WeirdUtils malware family.

20:29 TirelessTraveler sends a private message to Heather about WeirdUtils. TirelessTraveler also sends a message in the #general channel of MMPA’s Discord server.

21:00 Heather begins an investigation into how WeirdUtils functions.

21:23 The Pastebin URL that WeirdUtils grabs from is decrypted. Investigation into the contents begins.

21:40 Heather fully decrypts and decompiles WeirdUtils’ payload. The findings are reported to TirelessTraveler.

21:49 A thread titled “WeirdUtils” is created in the internal #malware-discussion Discord forum with TirelessTraveler present.

21:51 Eva sends a private message to Heather, redirecting all future findings to the forum thread.

22:15 Representatives for both Curseforge and Modrinth are pinged in the thread, with hopes of removing any samples that may be present on their websites. Luckily, we were unable to find any instances of WeirdUtils on either platform.

22:17 A HackMD page is created to document all information. This later turned into the blog post you are now reading.

22:51 IMS reports the accounts of both malware developers to GitHub and the paste to PasteBin.

Sunday, August 20th

13:58 Eva sends an email to Pastebin admins about the malicious paste. Taking down the pastebin would immobilize the malware, at least until the malware developers update.

14:08 Pastebin admins delete the malicious paste.

19:58 Eva finishes coding UtilsDetector.

Tuesday, August 22nd

~14:38 IMS was notified both of the GitHub pages were taken down.

Technical Details

Ingredients

No, seriously.

It starts with org/spongepowered/tools/obfuscation/ObfuscatedClassloader. This class is very lightly obfuscated, but I’ll spare you the details.

Then, it tries to download https://pastebin.com/raw/4LhnDCtf. The contents of this were actually AES-encrypted data, which, when decrypted, turns into the actual payload.

The decryption flow uses AES/CBC/NOPADDING the actual key for this encryption… is the class bytecode. This creates a kind of trust chain, so a researcher that doesn’t have the initial payload cannot decrypt the URL.

After this, we get a GitHub URL https://github.com/ultra-weird-owo/a with the payload jarfile, which is then decrypted. The classes are then decrypted again and loaded with a class loader, and the Updater class with the update method is invoked.

This method then does the following things;

All of this information is sent to https://owouwu.tk.

Due to many factors, the browser and Discord stealing only works on Windows. Minecraft session stealing works on all systems.

The malware’s decompiled code

All versions of the end payload have been decrypted and decompiled. A rundown of the commit history alongside decompiled payloads can be found here.

Addendum: “What’s a LetsEncrypt”

Some suspicious code was found in the malware that seems to load files into a trust store. Weirdly, this code was named whyTFDoesLetsEncryptNotWork, and downloaded a PEM file + messed with X.509.

This ended up being an amateur understanding of Java 8 by the malware developer that was bypassed with sample code and a hosted PEM file on an alt account on GitHub.

The core reason for this weird naming is likely because the malware worked without this code… until it didn’t. The reason why it didn’t work was because the Java version Minecraft 1.8 (the version most SkyBlock users play on) provided via the default launcher does not actually support the current Let’s Encrypt certificates, and newer Java versions (which the dev used) updated to support this! So in the end, what looked like a weird workaround ended up being bad understanding of Java certificates.

Contact

If you know anything about WeirdUtils or want to contact us for general concerns, you can do so via Discord, or anonymously over email @ [email protected].

Credits

Bloopers