Fake Minecraft Mods Infect 116K Systems With WeedHack Malware
When players are interested in running mods, they’ll typically use a search engine to find something that appeals to them. Attackers exploit this behavior to spread their malicious software through SEO poisoning: they specifically seek out mods that only have a presence on GitHub and then set up a web page masquerading as the official site for the mod. Some of the projects that have been targeted include Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce and Impact Client.
YouTube is another popular way for players to find mods that might interest them, and attackers are taking advantage of this, too. Polished videos that eschew AI-generated elements give viewers a sense of legitimacy, and the comments section serves as a way for attackers to guide others through the process of installing the malware or to suggest that the Windows security alerts are "normal." Meanwhile, the description section of the video will contain a link to the attacker-controlled site.
The malware is available to malicious actors in two tiers: a free tier and a premium tier. The free tier enables attackers to steal cookies and passwords from web browsers, target both browser-based and desktop app crypto wallets, capture screenshots, and lift credentials from Discord, Telegram and Steam. With the premium tier, which starts at $5 a month, attackers gain the ability to control a victim’s webcam, conduct keylogging and perform reverse shell execution.
It’s incredibly concerning to see such potent malware being distributed for free or at such a low monthly cost, which lowers the barrier to entry and makes it appealing to a wide range of attackers. Minecraft users should exercise caution when looking for mods to install.
