Malicious Minecraft Mods Target Gamers with Data Theft
In a concerning development for the gaming community, Trojanized cheat tools for Minecraft hosted on GitHub have been discovered to stealthily install malware that extracts sensitive information from players. Check Point Research has identified this alarming trend, revealing that approximately 500 GitHub repositories were involved in this operation, which has potentially compromised around 1,500 devices to date.
The scale of this operation is particularly troubling given Minecraft’s immense popularity, boasting over 200 million monthly active players. The potential for data theft is significant, as these malicious tools are designed to target gamers specifically.
This campaign, which has been active since March, is believed to be the work of Russian-speaking malware developers linked to a network known as the Stargazers Ghost Network. This network utilizes various GitHub accounts to disseminate malware and harmful links through compromised repositories.
The malware masquerades as popular cheat tools, including Oringo and Taunahi. Upon execution, it initiates a multi-stage attack. The first stage involves a malicious JAR mod that requires Minecraft to be pre-installed on the victim’s device. This loader activates when the game launches and employs anti-virtual machine and anti-analysis techniques to evade detection in sandbox environments, ensuring it operates only on genuine victim machines.
If the loader successfully navigates these checks, it proceeds to the second stage: a stealer malware that captures Minecraft tokens, Microsoft account information, and data from platforms like Discord and Telegram. This second stage also downloads and executes a final stealer component, written in .NET, which transmits the stolen information to a Discord webhook, effectively sending the compromised data to a designated Discord channel.
The final malware iteration is particularly invasive, harvesting credentials from popular web browsers such as Firefox and Chromium-based options, as well as cryptocurrency wallets including Armory, AtomicWallet, BitcoinCore, and others. It also targets VPN applications like ProtonVPN and NordVPN, alongside gaming and communication platforms such as Steam, Discord, FileZilla, and Telegram. Additionally, it collects details about the infected machine and captures screenshots before relaying all gathered data back to the attackers’ Discord server.
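The exfiltration channel described above, a Discord webhook hard-coded into a mod that runs inside the game's Java process, gives defenders a cheap static check: legitimate Minecraft mods have no reason to carry a webhook URL. The script below is an added example written for this article, not code from Check Point Research or from the campaign; the regex, the file names and the two in-memory "mods" are constructed test data, and the webhook id and token are placeholders. It unpacks each JAR (a JAR is a ZIP), string-scans class files and resources for a Discord webhook URL, and reports the JARs that carry one.

```python
import io
import pathlib
import re
import zipfile

# Constructed heuristic for this example: a Discord webhook URL embedded in a
# mod is a strong exfiltration indicator. Ordinary gameplay mods never need one.
WEBHOOK_RE = re.compile(
    rb"https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)

# Members worth string-scanning. A .class constant pool stores string literals
# as (modified) UTF-8, so an un-obfuscated URL literal is visible to a byte regex.
SCANNED_SUFFIXES = (".class", ".properties", ".json", ".txt", ".cfg")


def scan_jar(jar_bytes):
    """Return [(member_path, indicator), ...] for one JAR held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for member in jar.namelist():
            if not member.endswith(SCANNED_SUFFIXES):
                continue
            content = jar.read(member)
            for match in WEBHOOK_RE.finditer(content):
                findings.append((member, match.group(0).decode("ascii", "replace")))
    return findings


def triage_mods(mods):
    """mods: {filename: jar_bytes}. Return {filename: findings} for flagged JARs only."""
    report = {}
    for name, data in mods.items():
        hits = scan_jar(data)
        if hits:
            report[name] = hits
    return report


def scan_mods_dir(path):
    """Scan every *.jar directly under `path` (for example a Minecraft mods folder)."""
    mods = {p.name: p.read_bytes() for p in pathlib.Path(path).glob("*.jar")}
    return triage_mods(mods)


def build_jar(members):
    """Assemble an in-memory JAR from {member_path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        for member_path, content in members.items():
            jar.writestr(member_path, content)
    return buf.getvalue()


# Constructed samples, not real mods. The "cheat" JAR mimics a loader whose class
# file carries a hard-coded webhook; the id and token are obvious placeholders.
SAMPLE_MODS = {
    "benign-example-mod.jar": build_jar({
        "com/example/mod/Main.class":
            b"\xca\xfe\xba\xbe" + b"net/minecraft/client/Minecraft" + b"\x00" * 8,
    }),
    "cheat-client.jar": build_jar({
        "cheat/Loader.class":
            b"\xca\xfe\xba\xbe" + b"java/lang/Runtime" + b"\x00"
            + b"https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"
            + b"\x00" * 4,
        "cheat/config.json": b'{"autoupdate": true}',
    }),
}


if __name__ == "__main__":
    for name, hits in triage_mods(SAMPLE_MODS).items():
        print(f"[!] {name}")
        for member, indicator in hits:
            print(f"    {member}: {indicator}")
```

Point `scan_mods_dir()` at a mods folder to run the same check on real files. The check is deliberately narrow: a loader that splits or decodes the URL at runtime, or that only fetches the webhook in a later stage as this campaign does with its .NET stealer, will not match. Pair it with egress monitoring, since a POST to discord.com/api/webhooks originating from the game's Java process or from an unexpected .NET binary is the behavioural counterpart of this static indicator.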
While such attacks are undeniably malicious, they serve as a stark reminder to players: engaging in cheating can lead to unforeseen consequences, reinforcing the age-old adage that cheaters never win.