A large-scale malware campaign dubbed WeedHack is targeting Minecraft players and has infected more than 116,000 systems since January.
The malware is distributed through Minecraft-related malicious mods, clients, cheats, and utilities that are promoted over YouTube and SEO (search engine optimization) poisoning.
WeedHack works as a malware-as-a-service (MaaS) infostealer operation that offers a dashboard for customers to see stolen credentials and information on compromised systems.
Telemetry data from cybersecurity company McAfee shows that WeedHack has impacted 116,464 systems, averaging between 2,000 and 3,000 infections every day. Most victims are in the United States, Germany, India, and the UK.
The scale of the operation is reflected in the more than 240 distribution URLs and 3,820 unique malicious JAR files.
WeedHack malware distribution
In a report today, McAfee researchers say that the WeedHack campaign reaches victims mainly through YouTube videos showcasing Minecraft-related tools and SEO poisoning promoting them.
On the video platform, the attacker drops download links in descriptions and comments. Some of the videos are well-made, featuring voice-over narration for authenticity, and have accumulated more than 7,500 views.
YouTube video promoting malicious Minecraft mods Source: McAfee
The SEO poisoning distribution method targets search keywords matching the names of Minecraft clients: Meteor Client, Radium Client, Wurst Client, Aristois, LiquidBounce, Impact Client, Future Client, Inertia Client, Cornos Client, WWE Client, 3arthh4ck, Salhack, Phobos, and Gamesense.
McAfee explains that many of those projects do not have official websites, only GitHub pages.
Malware-distributing site Source: McAfee
In one case highlighted in the report, the malicious website displays a security notice warning visitors that they should only download ‘Skytils’ from the official site.
The fake site even links to the project’s legitimate GitHub repository and Discord server, creating a strong but false sense of legitimacy.
Malicious site warning of fake Minecraft mods Source: McAfee
MaaS operation
The WeedHack malware platform is hosted on the clear net and provides access to anyone for free, which is very unusual for infostealer operations.
Users are given access to a dashboard that shows an overview of their victims, infected system profiles, stolen data, and a payload builder for Minecraft versions 1.21.0 through 1.21.10.
WeedHack dashboard Source: McAfee
The free-tier stealer targets Minecraft session IDs, cookies and saved passwords from 36 browsers, 56 cryptocurrency browser add-ons, 12 desktop cryptocurrency wallet apps, and Discord, Steam, and Telegram credentials, and it can capture screenshots.
WeedHack also offers a premium tier for $5/month, or a lifetime one-time purchase of $24.99, that adds remote control with input access (mouse and keyboard), webcam access, a keylogger, a remote shell, and remote file management.
WeedHack attack overview Source: McAfee
The project’s Telegram channel has over 800 members, and McAfee says that many of the clients appear to be teenagers or young adults who use WeedHack’s remote access tools to harass their victims.
Minecraft players should only trust mods from official project sources, verify download links, and treat JAR files hosted on dubious sites with caution.
For those looking to extend their playing experience, the in-game Minecraft Marketplace is the safest option.
<small>Source: Bleeping Computer</small>