Jump to content
  • Microsoft warns of new Minecraft DDoS malware infecting Windows, Linux

    alf9872000

    • 507 views
    • 4 minutes
     Share


    • 507 views
    • 4 minutes

    A new cross-platform malware botnet named 'MCCrash' is infecting Windows, Linux, and IoT devices to conduct distributed denial of service attacks on Minecraft servers.

     

    The botnet was discovered by Microsoft's Threat Intelligence team, who report that once it infects a device, it can self-spread to other systems on the network by brute-forcing SSH credentials.

     

    "Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites," explains the new report by Microsoft.

     

    Currently, most of the devices infected by MCCrash are located in Russia, but there are also victims in Mexico, Italy, India, Kazakhstan, and Singapore.

     

    heatmap-botnet.png

    MCCrash victims heatmap (Microsoft)

     

    Minecraft servers are often targets of DDoS attacks, whether to grief players on the server or as part of an extortion demand.

     

    In October 2022, Cloudflare reported mitigating a record-breaking 2.5 Tbbs DDoS attack targeting Wynncraft, one of the largest Minecraft servers in the world.

    Starts with pirated software

    Microsoft says that devices are initially infected with MCCrash after users install fake Windows product activator tools and trojanized Microsoft Office license activators (KMS tools).

     

    The cracking tools contain malicious PowerShell code that downloads a file named 'svchosts.exe,' which launches 'malicious.py,' the primary botnet payload.

     

    mccrash-python.jpg

    Attack methods in malicious.py script
    Source: BleepingComputer

     

    MCCrash then attempts to spread to other devices on the network by performing brute-force SSH attacks on IoT and Linux devices. 

     

    "The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices.

     

    Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet.

     

    The botnet’s spreading mechanism makes it a unique threat, because while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet." - Microsoft.

     

    The malicious Python file can run on both Windows and Linux environments. Upon the first launch, it establishes a TCP communication channel with the C2 over port 4676 and sends basic host information, like what system it’s running on.

     

    On Windows, MCCrash establishes persistence by adding a Registry value to the "Software\Microsoft\Windows\CurrentVersion\Run" key, with the executable as its value.

     

    infection-chain(6).png
    The botnet's infection and attack chain (Microsoft)

    Attacking Minecraft servers

    The botnet receives encrypted commands from the C2 server based on the OS type identified in the initial communication.

     

    The C2 will then send one of the following commands back to the infected MCCrash device to execute:

     

    commands.png

    Commands the C2 sends to MCCrash (Microsoft)

     

    Most of the above commands specialize in DDoS attacks on Minecraft servers, with ‘ATTACK_MCCRASH’ being the most notable due to using a novel method to crash the target server.

     

    According to Microsoft, threat actors created the botnet to target Minecraft server version 1.12.2, but all server versions from 1.7.2 and up to 1.18.2 are also vulnerable to attacks.

     

    minecraft-versions.png

    Minecraft server version market share (Microsoft)

     

    Version 1.19, released in 2022, isn’t impacted by the current implementation of the ATTACK_MCCRASH, ATTACK_[MCBOT|MINE], and ATTACK_MCDATA commands.

     

    Still, a considerable number of Minecraft servers are running on older versions, most of them located in the United States, Germany, and France.

     

    server-distribution.png

    Vulnerable Minecraft server distribution (Microsoft)

     

    “The unique ability of this threat to utilize IoT devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected,” comments Microsoft.

     

    To protect your IoT devices from botnets, keep their firmware up to date, change default credentials with a strong (long) password, and disable SSH connections if they’re not needed.

     

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...