Skip to content
/ minegrief Public

Self-spreading Java malware targeting Minecraft servers. Infected servers are capable of scanning for other vulnerable servers, encrypting Minecraft worlds, and phishing players who connect.

License

MIT license
10 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

chebuya/minegrief

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

55 Commits
agent
agent
 
 
client
client
 
 
server
server
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
top-asn.csv
top-asn.csv
 
 

Repository files navigation

Minegrief

Submission for vxunderground JVM malware contest minegrief

https://github.com/blackmassgroup/minegrief

minegrief

FeaturesNotesTargeting

Features

Self-spreading to other Minecraft servers using an extendable, module-based lateral movement system.

  • Crafty Controller Auth'd RCE - undisclosed, unpatched, intentional(?) Auth'd RCE in Crafty Controller, a panel for Minecraft server management (https://craftycontrol.com/). Check for default creds of admin:crafty or brute force.
  • SSH brute forcing - Classic SSH brute forcing, Minegrief will copy itself over SCP and execute itself if a login is successful

Persistence/stealth by "infecting" the Minecraft server jar file via manifest entry point modification (https://docs.oracle.com/javase/tutorial/deployment/jar/manifestindex.html)

Encrypt Minecraft worlds and demand a Minecoin ransom.

encrypt.mp4

Phish connecting Minecraft players.

phish.mp4

Centralized command and control for system-level control of infected servers.

c2.mp4

Extendable transport system, allowing for the creation of customized C2 channels.

Works on Java 8 and above.

Notes

Lateral movement modules require minegriefagent to be built as a jar file, as modules will copy itself over in a jar to spread.

To build the agent jarfile

Download jsch to the root directory of the repository

wget https://repo1.maven.org/maven2/com/github/mwiede/jsch/0.2.17/jsch-0.2.17.jar
unzip jsch-0.2.17.jar

Run this from the root of the repository

rm -rf build-manual
mkdir build-manual
find agent -name '*.java' > sources.txt
<JAVA 1.8 DIR>/bin/javac -d build-manual @sources.txt
cp -r com/jcraft build-manual/com
echo 'Manifest-Version: 1.0\nMain-Class: net.minecraft.bundler.Backdoor\nBundler-Format: 1.0' > manifest.txt
<JAVA 1.8 DIR>/bin/jar cvfm malware.jar manifest.txt -C build-manual .

Run it

<JAVA 1.8 DIR>/bin/java -jar malware.jar

To build the server jarfile

Run this from the root of the repository

rm -rf build-manual
mkdir build-manual
find server -name '*.java' > sources.txt
<JAVA 1.8 DIR>/bin/javac -d build-manual @sources.txt
echo 'Manifest-Version: 1.0\nMain-Class: com.chebuya.minegriefserver.Main\nBundler-Format: 1.0' > manifest.txt
<JAVA 1.8 DIR>/bin/jar cvfm c2-server.jar manifest.txt -C build-manual .

Run it

<JAVA 1.8 DIR>/bin/java -jar c2-server.jar

Targeting

Minecraft servers will always have Java installed so we don't have to worry about installing it ourselves.

Infected servers will receive CIDR blocks to scan from the C2. Certain ASNs have a higher frequency of Minecraft servers (ex: Digital Ocean ASNs). I have scraped shodan/censys to find these ASNs, the data is here

minegrief is made with 🖤 by @_chebuya and distributed under the MIT license.

About

Self-spreading Java malware targeting Minecraft servers. Infected servers are capable of scanning for other vulnerable servers, encrypting Minecraft worlds, and phishing players who connect.

Resources

Readme

License

MIT license
Activity

Stars

10 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages