[ALERT] MC Security Threat: Adwind Malware (Daily Lootbox, EssentialsFly, PluginMetrics.jar)

Discussion in 'Server & Community Management' started by artfcl_intlgnce, May 31, 2018.

Thread Status:
Not open for further replies.
  1. Hello All,

    I wanted to give the community a heads up about something that's taken my network a couple weeks to identify and solve.

    We happen to use a Vehicles plugin, which one day out of the blue stopped working, more specifically would load, but do donuts and only go in circles. Pretty typical stuff for servers, right?

    Well, getting deeper into the investigation, on a replica server deleting all other plugin jars except Pex and Vehicles, the issue persisted. Oddly enough, another plugin appeared in /pl and /plugman list --- EssentialsFly. Referencing with a timings report, I found it was sending thousands of events, and started becoming suspicious.

    I did everything from updating essentials, working with the SavageFactions devs to see if they use EssentialsFly (they don't), and more. After a google search, I found @starnos thread ( https://minecraft-server.eu/forum/threads/was-ist-enabling-essentialsfly-v1-6-4.49413/ ) which had the same issue.

    The unfortunate news is this is a Malware, specifically identified as Adwind Malware found packaged with the PluginMetrics.jar plugin (oddly enough) - thanks to our Admin @Crimed . This malware auto replicates to all jars, so you must replace all jars to rid the issue (yes, this worked). I did NOT have to remove plugin folders, just replaced all jars with freshest official copies.

    My recommendation for you all: This is an ugly ugly Malware with zero symptoms unless you happen to use the Vehicles plugin. (https://usa.kaspersky.com/resource-center/threats/adwind)
    - Do a timings report.
    - Look for EssentialsFly (or any other plugin with odd hashed / obfuscated event names).
    - Cross reference that your /plugins count matches your .jar count (and that nothing appears in plugins that doesn't appear as a jar).

    While I am quite busy, I do not want the rest of the Minecraft community to be affected or overtaken by this Malware, so will try to make myself open for questions. Please be proactive and check your systems. And always download your plugins from an official source.

    Peace and Love,

    Owner, NarcoWars.net

    #1 artfcl_intlgnce, May 31, 2018
    Last edited: Jun 1, 2018
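The cross-check in the recommendations above (loaded plugins vs. jars on disk, plus the "plugin without a jar" symptom) can be scripted. The following is an added example, not code from the thread or from any of the plugins it names: it reads the `name:` field of each jar's `plugin.yml`, compares it with a pasted `/pl` line, and also flags jars whose declared name does not resemble the filename and stray jars hidden inside a plugin's config folder. The sample directory and the `/pl` line are constructed for the demo.

```python
"""Inventory cross-check for a Spigot plugins directory (added example, not
from the thread). Findings it reports:
  LOADED_WITHOUT_JAR  a loaded plugin with no top-level jar declaring it
  JAR_NOT_LOADED      a jar on disk whose plugin did not show up as loaded
  NAME_MISMATCH       a jar whose plugin.yml name does not resemble its filename
  STRAY_JAR           a .jar sitting in a subfolder of plugins/ (e.g. a config dir)
  NO_PLUGIN_YML       a .jar with no plugin.yml at all
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Constructed /pl output: this is what the thread's symptom looks like, a
# plugin (EssentialsFly) that shows as loaded but has no jar of that name.
SAMPLE_PL_OUTPUT = "Plugins (4): Vehicles, PermissionsEx, EssentialsFly, PluginMetrics"

NAME_RE = re.compile(r"^name:\s*['\"]?([A-Za-z0-9_.-]+)", re.MULTILINE)


def declared_name(jar_path):
    """Return the plugin name declared in the jar's plugin.yml, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if "plugin.yml" not in zf.namelist():
                return None
            text = zf.read("plugin.yml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    m = NAME_RE.search(text)
    return m.group(1) if m else None


def parse_pl_output(line):
    """Turn a '/pl' line such as 'Plugins (3): A, B, C' into a list of names."""
    _, _, names = line.partition(":")
    return [n.strip() for n in names.split(",") if n.strip()]


def normalise(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def audit_plugins(plugins_dir, loaded_names):
    """Compare top-level jars against the loaded-plugin list; return findings."""
    plugins_dir = Path(plugins_dir)
    findings = []
    declared = set()
    for jar in sorted(plugins_dir.glob("*.jar")):
        name = declared_name(jar)
        if name is None:
            findings.append(f"NO_PLUGIN_YML {jar.name}")
            continue
        declared.add(name)
        stem, n = normalise(jar.stem), normalise(name)
        # 'Essentials-2.x.jar' declaring 'Essentials' is fine; a jar that
        # declares a completely different plugin is worth a look.
        if n not in stem and stem not in n:
            findings.append(f"NAME_MISMATCH {jar.name} declares {name}")
    loaded = set(loaded_names)
    for n in sorted(loaded - declared):
        findings.append(f"LOADED_WITHOUT_JAR {n}")
    for n in sorted(declared - loaded):
        findings.append(f"JAR_NOT_LOADED {n}")
    # Jars below plugins/ (inside a config folder) are never legitimately loaded.
    for stray in sorted(plugins_dir.rglob("*.jar")):
        if stray.parent != plugins_dir:
            findings.append(f"STRAY_JAR {stray.relative_to(plugins_dir).as_posix()}")
    return findings


def _jar(path, name):
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("plugin.yml", f"name: {name}\nversion: 1.0\nmain: demo.Main\n")


def build_sample_dir():
    """Constructed plugins/ directory mirroring the thread's situation."""
    d = Path(tempfile.mkdtemp())
    _jar(d / "Vehicles.jar", "Vehicles")
    _jar(d / "PermissionsEx-1.23.4.jar", "PermissionsEx")
    _jar(d / "Daily_Lootbox.jar", "EssentialsFly")     # declares a different plugin
    (d / "PluginMetrics").mkdir()
    _jar(d / "PluginMetrics" / "PluginMetrics.jar", "PluginMetrics")  # hidden in a config dir
    return d


if __name__ == "__main__":
    for line in audit_plugins(build_sample_dir(), parse_pl_output(SAMPLE_PL_OUTPUT)):
        print(line)
```

Against a real server, call `audit_plugins("/path/to/plugins", parse_pl_output(...))` with the line copied from the console. `LOADED_WITHOUT_JAR` is exactly the symptom reported above; `NAME_MISMATCH` also fires on jars an admin renamed by hand, so treat it as a prompt to open the jar, not as proof.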
  2. *reserved - going to add more information
  3. Optic_Fusion1

    Resource Staff

    Do...we need to start making anti-malware plugins or something -.-
  4. Not a bad idea
  5. Optic_Fusion1

    Resource Staff

  6. It is obfuscated - @Crimed has a bunch to share from his investigation and will be updating his comment above shortly
  7. Optic_Fusion1

    Resource Staff

    make sure to report the resource as infected with malware as well give them as much info as possible
  8. It's held in a jar called PluginMatrics.jar; to my understanding this jar is default with every server (of course not the one with the virus, hopefully).
  9. Optic_Fusion1

    Resource Staff

    I just checked my dev server, no .jar called that, has to have come from a plugin
  10. Optic_Fusion1

    Resource Staff

    This makes me feel like it comes from the Vehicles plugin
  11. The source code is obfuscated, right now I am currently working on deobfuscating it. I might not finish this tonight.

    Update: The source code is obfuscated with Allatori, if anybody knows how to deobfuscate please reply!

    2nd Update: Found a Java deobfuscator, will resume work tomorrow :)
    #11 Crimed, May 31, 2018
    Last edited: May 31, 2018
  12. So is this a vehicles issue or something everyone running a server needs to watch out for?
  13. Optic_Fusion1

    Resource Staff

    It would appear there's no PluginMetrics (or PluginMatrics).jar in a just-created server. I ran a server with PEX, no PluginMetrics (or PluginMatrics).jar, so I assume it's a Vehicles issue.
  14. I did manage to check my wife's project, and although it wasn't just created, those jars were nowhere to be found.

    That is her permission system as well. So good news there.

    Alright thank you! Is that vehicles jar the one @Crimed found to be obfuscated with Allatori? I'm sure you folks have a lot more knowledge than I, but I would be willing to take a crack at getting that source code.
  15. Optic_Fusion1

    Resource Staff

    *shrugs* the only Vehicles plugin OP has in his recent activity that talks about this is https://www.spigotmc.org/resources/✈️vehicles-no-resourcepacks-needed.12446/
  16. Phoenix616

    Resource Staff

    This is not true, there is no PluginMatrics.jar (or PluginMetrics.jar) by default in the plugins folder. Some other resource probably downloaded this and named it after mcstats.org's PluginMetrics config folder in order to be less suspicious.

    My advice is: Don't run plugins from untrusted sources (e.g. leaked ones, which should be obvious) or generally unknown ones (e.g. ones a player sent you or newly submitted ones) without decompiling and checking the code, and if you happen to find a malicious resource on Spigot: report it and we will take a look and remove it. The main thing to always look out for are web requests. E.g. a simple fly plugin does not need to download any files beyond a simple update from a trusted source (Spigot, Bukkit or CurseForge).

    If you want to go a step further: Don't run obfuscated resources (especially when they are free then there is no need to obfuscate and it's extremely suspicious) or only use open source resources that support a build framework like maven/gradle which makes it extremely simple to compile it yourself from the source. (after checking the source)
    #16 Phoenix616, May 31, 2018
    Last edited: May 31, 2018
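The advice above (decompile and look for web requests before running an unknown plugin) can be partly automated as a first-pass triage, before spending time in a decompiler. The following is an added example and is not code from the thread or from any plugin it names: it scans every `.class` entry in each jar for references to JDK networking, process-execution and jar-writing classes, which stay in plaintext in the class file's constant pool even when an obfuscator such as Allatori has renamed the plugin's own classes and encrypted its string literals. Calls made purely through reflection with encrypted class names are missed, so a clean result is not a clean bill of health; a hit, on the other hand, tells you which class to open in the decompiler. The sample jars are constructed stand-ins, not real plugins.

```python
"""Static triage of plugin jars: which classes reference network, process or
jar-writing JDK APIs? Added example, not from the thread."""
import re
import tempfile
import zipfile
from pathlib import Path

# JDK class names exactly as they appear in a class file's constant pool.
# Each pattern requires the name to end there, so "java/net/Socket" does not
# fire on "java/net/SocketException" and "java/net/URL" not on "URLClassLoader".
INDICATORS = {
    "java/net/DatagramSocket": "udp socket",
    "java/net/Socket": "tcp socket",
    "java/net/ServerSocket": "listening socket",
    "java/net/HttpURLConnection": "http client",
    "java/net/URL": "url / download",
    "java/net/URLClassLoader": "loads code at runtime",
    "java/lang/ProcessBuilder": "process execution",
    "java/lang/Runtime": "process execution",
    "java/util/zip/ZipOutputStream": "writes jar/zip files",
    "java/util/jar/JarOutputStream": "writes jar/zip files",
}
PATTERNS = [(re.compile(re.escape(k.encode()) + rb"(?![A-Za-z0-9_$])"), v)
            for k, v in INDICATORS.items()]
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def scan_jar(jar_path):
    """Map each .class entry in the jar to the sorted indicator labels it references."""
    hits = {}
    with zipfile.ZipFile(jar_path) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".class"):
                continue
            data = zf.read(entry)
            if data[:4] != CLASS_MAGIC:      # not really a class file
                continue
            labels = sorted({label for pat, label in PATTERNS if pat.search(data)})
            if labels:
                hits[entry] = labels
    return hits


def triage_dir(plugins_dir):
    """Scan every top-level jar; return {jar name: {class: [labels]}} for jars with hits."""
    report = {}
    for jar in sorted(Path(plugins_dir).glob("*.jar")):
        h = scan_jar(jar)
        if h:
            report[jar.name] = h
    return report


def fake_class(*refs):
    """Constructed stand-in for a compiled class: magic bytes plus the names it references."""
    return CLASS_MAGIC + b"\x00".join(r.encode() for r in refs)


def build_sample_dir():
    """Constructed plugins/ directory: one plain fly plugin, one that talks UDP,
    loads code at runtime and writes jars (the behaviours described in the thread)."""
    d = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(d / "SimpleFly.jar", "w") as zf:
        zf.writestr("plugin.yml", "name: SimpleFly\nmain: fly.Main\n")
        zf.writestr("fly/Main.class", fake_class("org/bukkit/plugin/java/JavaPlugin",
                                                 "org/bukkit/entity/Player"))
    with zipfile.ZipFile(d / "Suspicious.jar", "w") as zf:
        zf.writestr("plugin.yml", "name: EssentialsFly\nmain: a.b\n")
        zf.writestr("a/b.class", fake_class("org/bukkit/plugin/java/JavaPlugin",
                                            "java/net/DatagramSocket",
                                            "java/net/URLClassLoader"))
        zf.writestr("a/c.class", fake_class("java/util/jar/JarOutputStream", "java/io/File"))
        zf.writestr("a/d.class", fake_class("java/net/SocketException"))  # must not be flagged
    return d


if __name__ == "__main__":
    for jar, classes in triage_dir(build_sample_dir()).items():
        for cls, labels in classes.items():
            print(f"{jar}: {cls}: {', '.join(labels)}")
```

Run `triage_dir("/path/to/plugins")` on a real server. A `url / download` hit in an update checker is normal; a `udp socket` or `writes jar/zip files` hit in a plugin that has no business doing either is the kind of thing to decompile and read before the plugin runs again.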
  17. Thanks all - to be clear - it has not been identified to be from the Vehicles jar or PEX specifically -- these just proved that the virus had spread to other jars from the original server. A fresh VM with all new Spigot jars (with everything else the same - except pluginmetrics folder) did resolve the issue. (Note: First attempt at replacing jars on existing Multicraft user brought the virus back - I needed to create a new Multicraft server, with new user (servername.id), and `chown`d the new directory.)

    While I do not download suspicious plugins (all come from Spigot or Bukkit), I like your idea (@Phoenix616 ) to not run obfuscated plugins in general. I will inform my staff to use this as a best practice moving forward. They hid the virus files in the PluginMetrics folder, and it did generate a fake PluginMetrics.jar - thank you for the clarification Phoenix! That's another good thing to check for this - if their servers have a PluginMetrics.jar that should be deemed suspicious - agree?

    #17 artfcl_intlgnce, May 31, 2018
    Last edited: Jun 1, 2018
  18. At this time we do believe the source of the virus is Daily Lootbox; it is obfuscated code just like the virus. Uses the same obfuscator named Allatori. I would like to ask the Moderators/Admins to take action as this plugin is fatal to any server big or small. I have deobfuscated as much as I can of the file. You can download the file below. I have renamed the file extension to jar.disabled to keep it safe. Keep in mind not to use this on your server as it will spread the virus onto any other jar in the directory...

    Download Here File Name: "Daily_Lootbox_DeobfuscatedV2.jar.disabled"

  19. It is CONFIRMED as Daily Lootbox as crimed mentioned written by MALWARE WRITER -> @XjvmcodeX <-
    The Plugin.YML of the decompiled plugin name is ESSENTIALSFLY -- the same 'plugin without a jar' identified as the Malware. (thanks to @Scarsz )
    Plugin using these malicious datagram methods: https://hastebin.com/uyupucepad.xml
    Spigot Staff --> PLEASE look into this!
    The plugin has been tracked down to - http://studiocode.de/ -- their DISCORD is on there, and they have a Discord Bot tracking the connected servers the malware is running on, and even their youtube - https://www.youtube.com/channel/UCOFbtJGP7j6k7MSGBzhIZLA

    PS thank you to Lag Monitor for catching and logging the suspicious activity to the logs - it is how we were able to track this down. I owe you @games647 !
    #20 artfcl_intlgnce, Jun 1, 2018
    Last edited: Jun 1, 2018