RealHD
40 posts

@Purified_HD
Operations Manager for @demipact
Joined September 2024
14 Following, 108 Followers

Pinned Tweet
RealHD @Purified_HD:
Those of you that would like to see a DETAILED document including steps taken and full results can do so here: drive.google.com/file/d/1TIixF_… Those that would like more info regarding the actual files must send me a message. I will NOT be giving these files out to anyone who asks, you must tell me who you are, what you plan to do with them, and provide proof you are a legitimate researcher or security professional. If you were affected by this modpack, follow the remediation steps in the document immediately, especially check your email filter rules for anything you did not create.

miie @Westleys_Minion:
@Purified_HD how did you decompile the .exe? I got as far as decompiling the mod itself but couldn't manage to get any further.

RealHD @Purified_HD:
So a friend of mine got hacked through a fake Minecraft modpack on CurseForge called "Better Survival Mods" by an author named "kwwn". I spent the day tracing it back and here is what I found. The modpack zip had a fake Fabric mod hidden in the overrides folder called...

RealHD @Purified_HD:
@FakeEma72350095 When a file is named something like javaw.exe and has no digital signature, Malwarebytes knows it's a sus file.

Dan @FakeEma72350095:
@Purified_HD Really weird dumb question, but how would Malwarebytes know that it's malicious? Don't things have to be reported to them for them to detect?

Hawu @HaruIsNotADog:
@Purified_HD thank you for the report. It was very comprehensive.

RealHD @Purified_HD:
@CPUGenius11 they messed with my friends :/ they get spicy HD

RealHD @Purified_HD:
@Mh1rir I have reported it to like 4 different agencies by now. They fucked with my people, I don't care about morals anymore LUL

RealHD @Purified_HD:
@xikitng1 Yes, you are fine if you didn't download the modpack and launch it.

RealHD @Purified_HD:
@DeniiPacco Yeah, it's all the same: they use the overrides folder to inject that mod, and the moment you launch Minecraft that exe runs.

idiot.jpeg @DeniiPacco:
@Purified_HD yep uh. I think I fell for something very similar to this?? The modpack name + server they told me to go to was called SeoCraft and was also for Fabric; I did use Modrinth to run it. whoops

RealHD @Purified_HD:
x.com/Purified_HD/st… Full documentation of this Malware can be found in my newest post
(quoting the pinned tweet above)

RealHD @Purified_HD:
I will be posting a full report on my page in a moment.

Hawu @HaruIsNotADog:
@Purified_HD @discord_support I did. Also put this into your information. The hacker has information on Chrome through session tokens. It's listed under Turkey. They will add tags to certain email addresses and mute incoming emails. It's why the victims don't get notified for changes made to their account.

Prolxzket @prolxzket:
@Purified_HD Sure thing. How can I reach out to you? Your DMs are closed.

RealHD @Purified_HD:
@KenleyCheung Feel free to reach out in DMs and I would be happy to.

Kenley @KenleyCheung:
@Purified_HD Would you be able to share IOCs associated with this threat actor?

RealHD @Purified_HD:
@CalickLive The JAR was hosted in the overrides folder. From there, when you inject it, the jar then opens to "install" itself into the modpack. When it opens it completes the payload.

CalickLive @CalickLive:
@Purified_HD how could you tell that the mod was fake in the modpack? Did you have to check them all manually?

RealHD @Purified_HD:
@AvelineMelena All saved Google passwords and session tokens to bypass 2FA.

RealHD @Purified_HD:
@ArtOfEaglebrace no, this was a zip that was uploaded. When they uploaded it, the overrides dir had a jar in it that was infected.

Eaglebrace @ArtOfEaglebrace:
@Purified_HD That's interesting to hear, so this is one of those slip-through fuckers that bypasses the CurseForge detector. Have you reached out to any moderation on CurseForge for a takedown? Does this individual have any other 'project' at their hands that would be good to know about?

RealHD @Purified_HD:
@prolxzket I have all of that info already. If you want you can reach out and I can give you the info.

Prolxzket @prolxzket:
@Purified_HD plsss send the malware to me, I've been looking for this all day. Also, it would be nice to include some IOCs next time, like the file hash and stuff like that.

RealHD @Purified_HD:
@Brainslime2 They were given a zip and told to upload it. Upon doing so there was a jar which, on open, executed a download order on an .exe from Dropbox, then slept for about 10-15 seconds, then ran the .exe; it was targeted towards Google saved passwords.

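An added illustration, not code from anyone in this thread: a small Python triage script for a modpack zip that mirrors the infection path described above (a non-mod jar shipped under overrides/, acting as a downloader). It lists every jar under overrides/, flags jars with no fabric.mod.json at the root, and reports marker strings that point at an external download, a delay and a process launch. The sample modpack, jar names and marker strings are constructed for the example, not taken from the real modpack.

```python
import io
import zipfile

# Marker strings worth a second look inside a "mod" jar: a download host, process
# launching, a sleep before execution and a Windows executable name (constructed list).
SUSPECT_STRINGS = [b"dropbox.com", b"Runtime.exec", b"ProcessBuilder", b"Thread.sleep", b".exe"]


def triage_modpack(pack_bytes: bytes) -> dict:
    """Return {jar_path: [findings]} for every jar shipped under overrides/."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(pack_bytes)) as pack:
        for name in pack.namelist():
            if not (name.startswith("overrides/") and name.endswith(".jar")):
                continue
            findings = []
            with zipfile.ZipFile(io.BytesIO(pack.read(name))) as jar:
                entries = jar.namelist()
                # A real Fabric mod carries fabric.mod.json at the jar root; without it
                # the loader would never treat this jar as a mod, so why is it here?
                if "fabric.mod.json" not in entries:
                    findings.append("no fabric.mod.json at jar root")
                for entry in entries:
                    data = jar.read(entry)
                    hits = [s.decode() for s in SUSPECT_STRINGS if s in data]
                    if hits:
                        findings.append(f"{entry}: {', '.join(hits)}")
            report[name] = findings
    return report


def build_sample_modpack() -> bytes:
    """Constructed sample pack: one legitimate-looking jar and one dropper-like jar."""
    def jar(files):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as j:
            for path, content in files.items():
                j.writestr(path, content)
        return buf.getvalue()

    good = jar({"fabric.mod.json": '{"schemaVersion": 1, "id": "goodmod"}',
                "com/example/GoodMod.class": b"\xca\xfe\xba\xbe"})
    bad = jar({"a/b/Loader.class": b"\xca\xfe\xba\xbe https://dropbox.com/s/x/javaw.exe "
                                   b"ProcessBuilder Thread.sleep"})
    pack = io.BytesIO()
    with zipfile.ZipFile(pack, "w") as z:
        z.writestr("manifest.json", "{}")
        z.writestr("overrides/mods/good-mod.jar", good)
        z.writestr("overrides/mods/fake-mod.jar", bad)
    return pack.getvalue()
```

Running `triage_modpack(build_sample_modpack())` returns an empty finding list for the good jar and two findings for the fake one; on a real download, point it at the zip's bytes and review anything flagged before launching the pack.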
Brainslime1 @Brainslime2:
@Purified_HD was the friend just given a zip, or was this mod actually hosted on Curse?

RealHD @Purified_HD:
@HaruIsNotADog @discord_support best of luck. If you haven't already, install Malwarebytes and run it. If you can't get to their website then your PC is still infected.