Java: Minecraft Mod file used as Loader for Payload

I've recently been targeted via Discord by a threat actor that tried to make me load a Minecraft Mod that he linked via chat. Actor displayed multiple threat vectors in a well organized scheme mixing social engineering, discord features and low-security Minecraft Bedrock java runtime to hack and steal information from victims.

The full brief report I made:

Context

During the execution of a Fabric-based Minecraft mod (.jar), a Java file was identified by Bitdefender antivirus as Trojan.Generic. The detection occurred at the moment of execution, suggesting suspicious dynamic behavior.

Given the context and nature of the alert, a manual investigation was initiated to assess:

possible system impacts
persistence
data exfiltration
vectors that could have gone unnoticed by automated analyses

Summary timeline

Java mod execution in Windows environment
Immediate detection by Bitdefender (Trojan.Generic)
Execution terminated
Revocation of active sessions (Google and connected applications)
Full scan execution via Bitdefender (rescue environment)
No additional threats related to the incident were found
Beginning of manual and forensic analysis

Initial containment measures

The following actions were taken immediately after detection:

Full system scan via Bitdefender
Review of Windows events (System and Application)
Review of Windows task scheduler
Revocation of active sessions for critical services
System binary integrity verification
Installed browser integrity verification
Static analysis of the Java code involved

Static analysis of Java code (Minecraft Mod)

The Java file was analyzed without execution, using decompilation.

Origin of the mod .jar file: https://echovoice_chat/ (obfuscated link to prevent accidental click)

Observed behavior

The code presents:

Minimal implementation to simulate a legitimate mod with headers and message indicating mod loading
Enumeration of Java versions and types on the system
Use of Fabric API classes ( https://fabricmc.net/ )
Java temporary folder verification
Logic for downloading a payload via Dropbox (unidentified)

The external payload was not downloaded or executed during the analysis due to lack of a suitable environment.

Relevant observations

The behavior clearly indicates a loader / stager
The actual functionality seems to reside in the external payload
The code performs environment validations before proceeding
In the malicious Java file class names there is a string mentioning the name "akita".

Second Vector - Discord Activity

Another vector used by the actor was the Discord activity panel, where he showed he was playing a game that had not been released, called "Light of Motiram".

The actor generated a custom activity status as if he was playing Light of Motiram and with a "Play" button, where he asked the victim to click to be able to play with him. The "Play" button URL led to a malicious website, which tried to impersonate the game's official website, asking for registration data to play (phishing).

Malicious website URL: https://ligthofmotiram_com/ (obfuscated link to prevent accidental click)

Conclusion

Given the loader executed in a dynamic environment and with Bitdefender identification at runtime, there are no indications of persistence generated by the execution or payload download on the system. Bitdefender appears to have successfully prevented complete execution shortly after identifying the suspicious activity.

I found very important to share this, as this looks like something that would be very efficient with kids. One more argument for a strict parental access control.

Find more posts tagged with

Comments

Bonfire9911

If you still have the .jar file, would you upload it to VirusTotal and post the link?

Gjoksi

I already did that:

https://www.virustotal.com/gui/file/173ed6a47ed8c34264e1ad8c720b7ce645120cfd194d3c98625ddc937474f6a8

myth

Nice, Gjoksi already did it, and same result I got when I analysed it. Also when I decompiled the .jar, I found a dropbox link, which downloaded the payload. I did not get far analysing the payload itsef, as I don't have a good enough setup to do it. I can post the dropbox link here if you want, but I didn't want to since is probably a direct link to a Trojan.

Gjoksi

Hello.

I already reported the files / URLs as false negative to Bitdefender Labs.

URL No. 1: [FN] [URL] Submission 1010925324

URL No. 2: [FN] [URL] Submission 1010925312

EchoVoiceBeta-1.0.0.jar: Your request was successfully sent! (I didn't get a confirmation e-mail)

Fabric FIX: [FN] [URL] Submission 1010925380 (The file was over 25 MB, so i reported the file download link)

Regards.

myth

Thank you a lot Gjoksi, in the past days I also reported the URLs to Google and Cloudflare, trying to get the DNS down. But I wasn't able to identify the hosting.

Bonfire9911

I found it interesting that the execution was stopped by BD on your system but is not flagged on VT. I personally don't think it would work against just kids, but against any naive gamers as well.

myth

To be fair, I checked a lot of things because I wasn't sure if BD really fully contained it, but I also couldn't find anything suspicious on the system. And at first when I received the file, VT also didn't suspect anything, but then looking at VT detailed analysis today there's a bunch of suspicious strings and executions in my perspective.

Gjoksi

Hello again.

Regards.