# Full Report
A large-scale malware campaign specifically targets Minecraft players with malicious mods and cheats that infect Windows devices with infostealers that steal credentials, authentication tokens, and cryptocurrency wallets. [...]
# Analysis Summary
# Tool/Technique: 44 CALIBER (Implied Malware/Infostealer)
## Overview
This refers to the malware utilized by the threat actors known as "Stargazers" in a campaign that used fake Minecraft mods to infect victims and steal sensitive information. The primary purpose of this malware is information theft (infostealing).
## Technical Details
- Type: Malware family (Implied Infostealer)
- Platform: Windows (Inferred from targeting common Windows applications like Chromium, Edge, and FileZilla)
- Capabilities: Stealing credentials from browsers, specific applications (VPNs, wallets), collecting system information, capturing clipboard data, and taking screenshots.
- First Seen: Not explicitly mentioned in the provided text, but associated with a recent campaign by "Stargazers."
## MITRE ATT&CK Mapping
*Note: Based on the observed behaviors (stealing data, system discovery), the following mappings are highly probable for an infostealer of this type:*
- **TA0009 - Collection**
  - **T1119 - Automated Collection** (Implied by the automated nature of credential theft)
  - **T1115 - Clipboard Data**
- **TA0010 - Exfiltration**
  - **T1041 - Exfiltration Over C2 Channel** (Using Discord webhooks as the channel)
- **TA0005 - Defense Evasion**
  - **T1027 - Obfuscated Files or Information** (The malware was observed as "deobfuscated" by researchers)
## Functionality
### Core Capabilities
- Theft of credentials stored in various software:
  - Browsers (Chromium, Edge, Firefox)
  - Cryptocurrency Wallets (Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, Jaxx)
  - VPN clients (ProtonVPN, OpenVPN, NordVPN)
  - Applications (Steam, Discord, FileZilla, Telegram)
- Collection of system information.
### Advanced Features
- Capturing screenshots of the victim's desktop.
- Stealing files located in Desktop, Documents, and `%USERPROFILE%/Source`.
- Exfiltrating all stolen data via **Discord webhooks**.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text, as delivery mechanism was fake Minecraft mods]
- Registry Keys: [Not provided in the text]
- Network Indicators: Data exfiltration occurs via Discord webhooks (defanging is unnecessary here, since Discord itself is not the C2 infrastructure but the channel on which the stolen data is posted).
- Behavioral Indicators: Unusual outbound traffic to Discord webhook endpoints from processes that are not the Discord client, combined with screenshot and clipboard collection activity.
## Associated Threat Actors
- Stargazers
## Detection Methods
- Signature-based detection: Likely possible once hashes or file characteristics of the dropped payload are known.
- Behavioral detection: Monitoring for processes that attempt to read sensitive data paths (e.g., browser profile directories, wallet folders) or attempt to upload data via Discord API endpoints.
- YARA rules if available: [Not provided in the text]
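The behavioral detection above can be expressed as a simple correlation rule: alert when one process reads an infostealer-targeted path and then posts to a Discord webhook. The following is an added illustration written for this summary, not code from the report or the researchers; the event format, field names, directory list and the sample telemetry are all constructed assumptions.

```python
"""Toy behavioural correlation for the 44 CALIBER pattern (added example)."""
import re
from collections import defaultdict

# Paths the report says this family reads (assumed on-disk locations).
SENSITIVE_PATHS = [
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\",
    r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\",
    r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\",
    r"\\AppData\\Roaming\\Electrum\\",
    r"\\AppData\\Roaming\\Exodus\\",
    r"\\AppData\\Roaming\\FileZilla\\",
    r"\\AppData\\Roaming\\discord\\",
    r"\\Source\\",   # %USERPROFILE%\Source
]
SENSITIVE_RE = re.compile("|".join(SENSITIVE_PATHS), re.IGNORECASE)
# Discord webhook URL shape; a normal client talks to /api/v<N>/..., not /api/webhooks/.
WEBHOOK_RE = re.compile(
    r"^https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.IGNORECASE)

def correlate(events):
    """Return {process_image: sorted sensitive paths} for each process that
    read a sensitive path and *later* posted to a Discord webhook.
    `events` are dicts (chronological) with keys image, type, and path or url."""
    reads = defaultdict(set)
    hits = {}
    for ev in events:
        img = ev["image"]
        if ev["type"] == "file_read" and SENSITIVE_RE.search(ev["path"]):
            reads[img].add(ev["path"])
        elif ev["type"] == "http" and WEBHOOK_RE.match(ev["url"]) and reads[img]:
            hits[img] = sorted(reads[img])
    return hits

# Constructed sample telemetry: a fake "mod" staging browser and wallet data,
# plus the legitimate Discord client, which only calls its own API.
MOD = r"C:\Users\v\Downloads\fake_mod_installer.exe"
SAMPLE_EVENTS = [
    {"image": MOD, "type": "file_read",
     "path": r"C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": MOD, "type": "file_read",
     "path": r"C:\Users\v\AppData\Roaming\Exodus\exodus.wallet\wallet.seco"},
    {"image": MOD, "type": "http", "url": "https://discord.com/api/webhooks/1234567/abcdef"},
    {"image": r"C:\Users\v\AppData\Local\Discord\Discord.exe", "type": "http",
     "url": "https://discord.com/api/v9/gateway"},
]

if __name__ == "__main__":
    for image, paths in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT: {image} read {len(paths)} sensitive path(s), then posted to a Discord webhook")
```

Ordering matters: a webhook post that precedes any sensitive read does not fire, which keeps the rule quiet for ordinary webhook integrations.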
## Mitigation Strategies
- Prevention measures: Only download Minecraft mods from reputable platforms and verified community portals.
- Hardening recommendations: When testing mods, use a separate "burner" Minecraft account instead of the main one. Scrutinize GitHub repositories for suspicious activity (like low stars/forks or suspicious commits) if prompted to download from there.
## Related Tools/Techniques
- General Infostealers leveraging legitimate communication platforms for C2/exfiltration (e.g., Telegram bots, Pastebin).
- Social engineering techniques utilizing popular gaming communities (like Minecraft) to distribute malware.