Better MC (Modpack Series)
Better MC modpacks compromised with Fractureiser malware
The CurseForge account for 'Luna Pixel Studios', creators of the very popular 'Better MC' modpack series, was compromised. Attackers uploaded malicious versions of the modpacks (e.g., BMC3 for Forge 1.19.2). These modpacks either directly contained or pulled in dependencies infected with the 'Fractureiser' malware, leading to credential theft (Discord, Microsoft, Minecraft) and further malware propagation on users' systems.
- Date: 2023-06-01 to 2023-06-08
- Category: Open Source
- Target Surface: Distribution
- Insertion Phase: distribution
- Impact: Data Exfiltration
- Cause: Compromised Account/Credentials
What Was Affected
- Package: Better MC (Modpack Series)
- Language: Java
- Component: Game
- Artifact type: source archive
- Domain type: package host
- Domain: curseforge.com
Compromised Versions
- Better MC [Forge] - BMC3 v18
- Better MC [Forge] - BMC2 v7
- Better MC [FABRIC] v10
Incident Context
- Motive: Credential Theft
- Attribution: Cybercriminal Gang
- Transitive: No
- Observed Duration: 7 days
Evidence
Compromised Artifacts
- curseforge.com/minecraft/modpacks/better-mc-forge/files/4477460
- curseforge.com/minecraft/modpacks/better-mc-forge
Current Artifacts and Analysis
Indicators and Changes
Hashes
- sha1:dc43c4685c3f47808ac207d1667cc1eb915b2d82
- sha1:52d08736543a240b0cbbbf2da03691ae525bb119
- sha1:6ec85c8112c25abe4a71998eb32480d266408863
- sha1:c2d0c87a1fe99e3c44a52c48d8bcf65a67b3e9a5
- sha1:e299bf5a025f5c3fff45d017c3c2f467fa599915
External References
- support.curseforge.com/en/support/solutions/articles/9000228509-june-2023-infected-mods-detection-tool-and-report
- bleepingcomputer.com/news/security/new-fractureiser-malware-used-curseforge-minecraft-mods-to-infect-windows-linux
- reddit.com/r/feedthebeast/comments/142zxka/some_curseforge_accounts_might_be
- raw.githubusercontent.com/fractureiser-investigation/fractureiser/main/docs/tech.md
Source Data
Source record: oss/better-mc/meta.yaml