Be careful! Compromised spigot accounts might be posting plugin updates with malware

Discussion in 'Spigot Discussion' started by Rektb, Mar 22, 2021.

  1. You might be able to download them still with

    The reverse engineering I do is mostly just handling the obfuscation.
    Here's a brief summary of my actions:

    I privately started editing java-deobfuscator a couple of years ago (before it partly used the java-vm project), improved the executor emulation with more capabilities (back then the executor was not completely aware of fields holding different objects, for example) and bugfixes, and also wrote custom transformers when I got something I wanted deobfuscated that the original project could not handle.

    I took a look at the obfuscation, used my own already created transformer, which handled string decryption of the superblaubeere obfuscation style, and edited it slightly to handle this obfuscation. (I maybe could've just used the original superblaubeere transformer, but I didn't attempt that at that point.)
    That already got some parts, but there was another manual obfuscation layer which had its setup in onEnable and not in the static class initializer block.
    So I emulated execution of onEnable. That led me to the first telegram url, whose result got parsed into another part of the decryption key. As the emulator for security reasons doesn't allow url opening (and I didn't want to edit the emulation of IOStreams), I programmed editing of the onEnable bytecode to skip certain bytecode ranges like the url fetching & reading and other plugin setup stuff, and inserted the result string manually. Then deobfuscation was done and I just had to use a decompiler (I used helios-decompiler with krakatau and pypy).
    Then I started messing with the telegram access I got.
    #61 Janmm14, Apr 9, 2021
    Last edited: Apr 9, 2021
  2. Thank you! I will be careful!
  3. Reminder that everyone affected by this needs to rebuild all of their systems from scratch - wipe your server's drives, redownload all plugin & server jars fresh, etc. If malware is just doing set actions built into the malware itself (not fetching commands remotely), i.e. opening ports to an MC server, you can get away (still not ideal) with just rectifying the changes and removing the malware. If a backdoor is involved (like @Optic_Fusion1 has shown us there is), then you need to rebuild from scratch. The process generally goes:
    1. Preparation: If you planned for this, great! If you didn't, well, make sure you do it next time.
    2. Identification: If you're reading this I'm assuming you know whether or not you have the malware, but running Optic_Fusion1's malware scanner will let you know.
    3. Containment: If you have multiple dedicated servers etc where the malware could spread between, firewall off the infected ones to stop the malware being able to spread if it hasn't yet
    4. Eradication: Wipe your server.
    5. Recovery: Monitoring etc, ensuring the threat hasn't returned. In an enterprise environment, you'd typically be watching an IDS / other logs.
    6. Lessons learned: You're probably going to want to plan for this to happen again if you didn't have a plan in the first place. You're probably going to want to implement increased monitoring, internal firewalls between your servers, etc.
  4. Fuck. I had nametaghide. I deleted my server and quit a long time ago but I'm not feeling confident.
    Anyways, another plugin that seems malicious is "me and do": 2 simple commands with 20 classes in total.
    Be careful!
  5. It doesn't have 20 classes, it has 8 (+ 8 inner classes). However, it is still a malicious plugin. It is obfuscated and allows 3 hardcoded people (by name) to execute special commands that can screw with the Minecraft server (no Linux / file access though), like ;op, ;offserver, ;stop <plugin>
  6. Did u decompile it?
  7. I did download, deobfuscate (in that case it was simply running the tool and done) and decompile it. And then I reported it on spigotmc and also left a note for Optic_Fusion1 on his discord.
  8. They removed it on GitHub, but it was 20 classes. I swear there were so many packages and classes.
  9. The GitHub is still online ( ) and had nothing to do with the plugin jar you got on spigotmc. It was actually a bad hologram plugin, probably only made as a decoy to deliver the backdoor.
    #69 Janmm14, Apr 11, 2021
    Last edited: Apr 11, 2021
  10. oh I'm so confused. ig...
  11. This applies to all plugins: the GitHub source is not necessarily what's in the jar file you download from Spigot.
  12. The only way to make sure you get what's on GitHub is to compile it yourself.
  13. VQ9
    Does this infect things outside docker containers?
  14. I don't think so, unless you give them root privilege.
  15. Since there's a backdoor in the plugin, you don't know what it does. You have 2 threats here:
    • Docker isn't true isolation: it's much easier for an attacker to escape from a Docker container than a proper VM, by design. Docker has its privesc vulnerabilities every now and then - do you keep Docker up to date? It's unlikely that the attacker used a zero day, but it's a possibility still.
    • Unless you had a very strict firewall on outbound & internal traffic, they're behind your firewall. They can read your database credentials from a config file and connect, because your inbound firewall is now useless. They can access whatever other services you have running and try and pivot from there.
  16. A new threat is fake log messages. How they can appear in your console is not disclosed for now; I want to give spigotmc a couple of days to fix this before disclosing.
    Example fake log message:
    Code (Text):
    [ALERT 73] Download this plugin to fix this NTE Kick issue:
    Careful, the link is an iplogger, redirecting to a download of a malicious backdoor plugin with identical characteristics to the telegram malware originally discussed here. I'm positive that this threat is coming from the same person.
  17. Another case of this:
  18. Can you report that to the abuse contact for the hosting provider or, if home hosted, the abuse contact for the ISP?
  19. There's a button to report the file - it's just on a file sharing site
  20. That new version of the malware also creates a Linux user account named "kernel" with a static password, sudo rights, ssh login rights etc.
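A defender-side check for the kind of planted account described in the last post, added here as an example and not code from the thread or from any of the tools it mentions: it lists accounts that both have an interactive login shell and sit in the sudo/wheel group but are not on an allowlist you supply, and separately flags any non-root account with UID 0. It reads passwd- and group-format files passed as arguments, so it runs against a copied image or the constructed sample files below; the allowlist "admin" and the sample accounts are assumptions.

```shell
#!/bin/sh
# Example audit (added here, not from the thread). Works on passwd/group files
# given as arguments so it can be pointed at a mounted disk image.

# Print accounts that can log in interactively, are members of sudo or wheel,
# and are not in the space-separated allowlist.  Usage:
#   suspicious_admins PASSWD_FILE GROUP_FILE "alice bob"
suspicious_admins() {
    passwd=$1; group=$2; allow=" $3 "
    # Collect sudo/wheel members into one space-separated string.
    members=$(awk -F: '$1=="sudo"||$1=="wheel"{gsub(",", " ", $4); printf "%s ", $4}' "$group")
    # Only accounts with a real shell (not nologin/false) can log in over ssh.
    awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 }' "$passwd" |
    while read -r user; do
        case " $members " in *" $user "*) ;; *) continue ;; esac   # must hold sudo
        case "$allow" in *" $user "*) continue ;; esac            # skip known admins
        echo "$user"
    done
}

# Any UID-0 account other than root is a classic persistence trick.
extra_root_uids() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample data: a Minecraft host with one legitimate admin and the
# planted "kernel" account from the post (name taken from the thread, rest made up).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_GROUP=$SAMPLE_DIR/group
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
minecraft:x:1000:1000::/home/minecraft:/bin/bash
admin:x:1001:1001::/home/admin:/bin/bash
kernel:x:1002:1002::/home/kernel:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:admin,kernel
minecraft:x:1000:
EOF

echo "Unexpected sudo-capable login accounts:"
suspicious_admins "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "admin"   # prints: kernel
echo "Non-root accounts with UID 0:"
extra_root_uids "$SAMPLE_PASSWD"                               # prints nothing here
```

On a live host run it as `suspicious_admins /etc/passwd /etc/group "your admins"`; a hit is a reason to treat the box as compromised and rebuild, as post #3 above describes.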