====
The most detailed first-hand record of events so far: https://hackmd.io/@jaskarth4/B1gaTOaU2
====
In short: a few hours ago it was confirmed that Curseforge, or at least some Curseforge accounts, had been compromised, and mods (and modpacks) including BetterMC had malware implanted in them. The malware has been observed attacking Linux systems, and it cannot be ruled out (there is a file download) that it also attacks Windows systems.
There are already some ways to check whether your computer has been compromised (see the Bilibili links below). It is still unclear exactly when the attack started, so when checking it is recommended to look back at least 1 month.
(If you are sitting the gaokao, just keep your computer/server switched off for these few days; a Java malware cannot do anything while the machine is off, so don't worry and focus on the exam.)
We have reason to believe Curseforge, or at least many accounts on Curseforge, have been hacked and are uploading malicious files containing bot-nets. Luna Pixel Studios, the owner of many big modpacks, is one of the affected accounts.
The situation is being actively looked into.
(oh yeah Iris for 1.20 tomorrow)
Chorb, admin for Luna Pixel studios:
Hi, LPS dev here, would like to clear up a few things:
As of a couple hours ago, tens of mods & modpacks, mostly on 1.16.5, 1.18.2 and 1.19.2 have been updated to include malicious files. These projects include When Dungeons Arise, Sky Villages, and the Better MC modpack series. The Curseforge profiles of these accounts show someone logging into them directly.
It is very likely that someone has access to several large Curseforge profiles and has found a way of bypassing 2FA to log into them.
You can see here that the Fabulously Optimized team was also affected: https://cdn.discordapp.com/attachments/790275974503202857/1115801834746023946/image.png
One of the malicious mods, DungeonsX, shows this code when decompiled: https://cdn.discordapp.com/attachments/790275974503202857/1115801511411335228/image.png
The main payload being sent from this code can be viewed here: https://pastebin.com/k2ZQKbEz
The DungeonsX mod downloads a java class and loads it into Minecraft, executes a function that downloads the program again, and saves it as a self running file. This mod has been added to all of Luna Pixel Studio's modpacks, and the files were immediately archived by the bad actor. It can be assumed that these files will become available again later, exposing hundreds of thousands of people to malware.
This code allows the mod to be used as a botnet and leave a backdoor on devices: https://chorb.is-from.space/DiscordPTB_gzDJsWklzc.png
The code being executed mainly targets Linux users, likely with the intent of infecting servers. This will still affect people on Windows.
For a detailed description & how to check, see:
https://www.bilibili.com/video/BV1P14y1Q71h
https://www.bilibili.com/read/mobile/24184930
Editing this on a phone is exhausting.
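The quoted description says the implanted class downloads a second class, loads it into the game, and then writes a self-running file to disk. As an added triage example (not code from this post, Curseforge or Luna Pixel Studios), the script below scans a mod jar for classes that combine a network reference with class-loading or file-writing references. The indicator strings and the sample jar are constructed assumptions for illustration; a hit means "look at this class", not "this is the malware".

```python
import io
import zipfile

# Assumed indicator strings (constant-pool UTF8 entries). Each is legitimate
# on its own; the combination network + loading/filewrite is what we flag.
NETWORK = (b"java/net/URL", b"java/net/HttpURLConnection")
LOADING = (b"defineClass", b"java/lang/ClassLoader", b"java/net/URLClassLoader")
FILEWRITE = (b"java/io/FileOutputStream", b"java/nio/file/Files")

def scan_class_bytes(data: bytes) -> dict:
    """Return which indicator groups appear in one .class file's raw bytes."""
    # Constant-pool strings are stored as plain modified UTF-8, so a byte
    # search over the whole file is enough for a first triage pass.
    return {
        "network": any(s in data for s in NETWORK),
        "loading": any(s in data for s in LOADING),
        "filewrite": any(s in data for s in FILEWRITE),
    }

def suspicious_classes(jar_bytes: bytes) -> list:
    """Names of classes that pair a network fetch with class loading or a file write."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            if data[:4] != b"\xca\xfe\xba\xbe":  # skip anything that is not a class file
                continue
            found = scan_class_bytes(data)
            if found["network"] and (found["loading"] or found["filewrite"]):
                hits.append(name)
    return hits

def build_sample_jar() -> bytes:
    """Constructed sample jar (not a real mod): one harmless-looking class and one
    that mimics a downloader/loader stage by referencing the indicators above."""
    benign = b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34" + b"java/lang/Object" + b"render"
    stager = (b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34" + b"java/net/URL"
              + b"defineClass" + b"java/io/FileOutputStream")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/mod/Renderer.class", benign)
        jar.writestr("com/example/mod/Stage.class", stager)
        jar.writestr("fabric.mod.json", "{}")
    return buf.getvalue()

if __name__ == "__main__":
    print(suspicious_classes(build_sample_jar()))  # ['com/example/mod/Stage.class']
```

Run it against a real jar with `suspicious_classes(open(path, "rb").read())` and decompile only the classes it names; obfuscated mods that build strings at runtime will slip past a byte search like this.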