Be careful! Compromised spigot accounts might be posting plugin updates with malware

Discussion in 'Spigot Discussion' started by Rektb, Mar 22, 2021.

  1. When I was running my server at home under Windows 7, I set it up with a normal user account which could not access other files. It meant I couldn't see the console while using the same PC as another user, but hell, I wouldn't do it any other way.

    Now I use a hosting service so it's their problem.
     
  2. @DanSeb2000 got sent threats via Telegram, supposedly by the dude himself, he can tell the details
     
  3. #44 Janmm14, Mar 26, 2021
    Last edited: Mar 26, 2021
  4. This is pretty spooky, to be 100% safe, all affected users should completely reinstall their systems without the jars.

    Please spam the broadcasts as much as you can, this guy can just pop in into any affected server and do a lot of damage. Thank you for already disrupting the C&C center and the bot, this will make it a bit harder for him to get information or control.

    Yep, he will be trying his best to get a step ahead of us, so don't comment anything that could be useful for him here.

    And thank your for making him mad, I had a good laugh.
     
  5. Huh, I hope xenforo doesn't have a vulnerability or staff accounts are comrpomised. If you have that user's last IP you might be able to get more info about the attacker.
     
  6. I cannot spam any more broadcasts as the C&C is down. I spammed them on May 24 for a couple hours, and only to recently started servers, then he started shutting his C&C down, and he started with my ability to send commands.
     
    #47 Janmm14, Mar 26, 2021
    Last edited: Mar 26, 2021
    • Like Like x 1
  7. In addition to this.

    The threats where that I ruined his(?) job, a lot of f* u, trying to call me using a fake telegram account, and finnaly that don't try to ghost him.
    I laughed a lot in that moment, trying to threaten me 'cause I revealed his malware/bad intentions sure was a good joke
     
    • Funny Funny x 1
  8. Yeah i was called "little piece of cum" on telegram (i was able to join the C&C telegram chat, thats how he found me)
    he also wrote to me "all my work ruined by you fucker" and other similar dumb stuff
     
    • Funny Funny x 3
  9. Optic_Fusion1

    Resource Staff

    should be "fuckers" xD
     
  10. #51 Janmm14, Mar 27, 2021
    Last edited: Mar 27, 2021
  11. Thank you spigot staff for just removing them from the site so quickly.
     
  12. Optic_Fusion1

    Resource Staff

    err, well since they were reported.
    Either we were just lucky or someone's paying more attention to the report queue
     
  13. This is not over.
    The hacker has evolved its malware. Now it is using telegram and a raw socket connection. After I've slept, I'll deobfuscate the stuff and look for potential abusable stuff.
    Also the old telegram channel got revived by him, but well, he'll have much fun with me spamming the old one again at least. Might be a bit harder to fake victims with that raw socket connection, however I'm positive that there's something I can do to mess with him apart from warning.

    Edit: Another old-style malware plugin:
    https://www.spigotmc.org/resources/☯-kits-manager-☯-gui-☯-works-alone-or-essentials-cmi-☯-mysql-☯-commands-kit-☯-menu-free-☯-add-kits-c.88032/
    Edit 2: Another old-style malware plugin:
    https://www.spigotmc.org/resources/...cks-or-head-free-gratis-command-prizes.87636/

    Edit 3: Another one:
    https://www.spigotmc.org/resources/...abilities-but-either-skills-1-8-1-16-4.87658/

    To spigotmc staff: All resources I list here are also reported with the report button. When deleting, please do not forget to notify downloaders.
     
    #56 Janmm14, Apr 5, 2021
    Last edited: Apr 6, 2021
    • Useful Useful x 1
  14. Quick update

    Remember the facebook I mentioned before?
    [​IMG]

    Someone with the same surname viewed my profile on linked in
    upload_2021-4-8_17-9-9.png

    He's from Romania, just like the attacker
    upload_2021-4-8_17-9-33.png


    This looks like it might get somewhere.
    I will be documenting all of this in my personal blog.
     
    • Informative Informative x 1
  15. who uses facebook anyways isn't facebook malware already.
     
    • Agree Agree x 1
    • Funny Funny x 1
    • Optimistic Optimistic x 1
  16. I cringe so hard, every time I see someone with this kind of avatar and Facebook art. so edgy.
     
    • Agree Agree x 2
  17. In my experience, spamming these less-sophisticated actors has been pretty effective. I'd definitely be interested in reverse-engineering one of the malicious plugins