- Check Point Research finds hundreds of malicious GitHub repositories
- These impersonate different mods or cheats for Minecraft
- The infostealers grab Minecraft data, as well as browser and crypto wallet information
Minecraft players are being actively targeted by a group of cybercriminals interested in their login credentials, authentication tokens, and crypto wallet information, experts have warned.
Cybersecurity researchers Check Point Research recently discovered the large-scale operation, run by a group called the Stargazers Ghost Network, a distribution-as-a-service (DaaS) operation active for a year now, distributing malware and infostealers on behalf of other cybercriminals.
In this campaign, the crooks abused the fact that Minecraft is one of the largest games in the world, with an active, thriving community of players and modders. Minecraft mods are player-built additions to the game and as per the researchers, there are more than a million modders out there.
Hundreds of repos
The attackers created malicious GitHub repositories that spoof legitimate mods or pose as cheats: Skyblock Extras, Polar Client, FunnyMap, Oringo and Taunahi are just some of the names making the rounds.
Check Point says these have had thousands of views on Pastebin, suggesting that the campaign is rather successful.
To make matters worse, because the payloads are custom-built to target Minecraft users, and because both the downloader and the malware are written in Java, they are currently going undetected by all antivirus engines.
“We have identified approximately 500 GitHub repositories, including those that are forked or copied, which were part of this operation aimed at Minecraft players,” one of the researchers told BleepingComputer.
“We’ve also seen 700 stars produced by approximately 70 accounts.” Stars are used to boost the legitimacy of the repositories, thus improving the chances of infection.
The attack is split into two phases. The first phase targets Minecraft account tokens and user data from both the Minecraft launcher and some third-party launchers. It also steals Discord and Telegram information.
The second stage deploys a more “traditional” infostealer called “44 Caliber”, which steals browser data, VPN information, crypto wallet data, and more.