First We Mine, Then We Hack

Security researchers recently discovered a malware campaign targeting users of the popular video game Minecraft. The campaign uses GitHub repositories to push out malicious loaders disguised as legitimate Minecraft mods, which are modifications or new content created by users to enhance the original game. Once the malicious file is downloaded, it installs infostealers to gather user credentials, authentication tokens, cryptocurrency wallets, and other sensitive information from the infected system.
 

What’s Notable and Unique

  • The campaign is being conducted by the “Stargazers Ghost Network,” a distribution-as-a-service operation that uses GitHub repositories inflated with fake GitHub stars to make them appear more legitimate. Additionally, the malware disguised as Minecraft mods is written in Java and is not detected by antivirus engines.
  • Researchers estimate that over 1,500 users have already been infected with the malware. Minecraft is the best-selling video game to date, with over 350 million copies sold, and over a million of its users actively use Minecraft mods.

 

Analyst Comments

This Minecraft mod campaign illustrates the creative avenues cybercriminals use to spread malware via seemingly legitimate platforms. Although the campaign specifically targets Minecraft gamers, the video game community is extremely large and diverse, and it is worth noting that developers and privileged users within companies can also be gamers. Additionally, while it is not best practice, it is not uncommon for individuals to reuse the same credentials for work and personal accounts. As with any third-party software, it is important that users verify the legitimacy of sites before downloading content, even from popular platforms such as GitHub.
 

Sources

Fake Minecraft mods distributed by the Stargazers Ghost Network to steal gamers’ data