This is not the usual shit posting I do, this is a legit malware a lot of people are starting to discover. Check this file path-
(C:\Users(username)\AppData\Roaming.minecraft\libraries\net\minecraftforge\injector\forgedefault)
If you have a jar file named injector-forgedefault, you need to do a full fucking system wipe. Sign out of Google, sign out of Discord, wipe everything. And then reset your PC. This is not just a coord logger, this is a full on RAT.
Send this to everyone you know. This is not a joke.
i renamed the file type to zip so i could extract and view the code
This malware has affected over 1840 different people, this is some deep shit.
I have spoken with the developer of RusherHack, John200410. He has deobfuscated the malware and found out the malware grabs these following things:
JUST BECAUSE YOU DON'T HAVE THE INJECTOR FILE YOU ARE NOT SAFE! THIS IS JUST THE MOST AFFECTED FILE PATH AT THE MOMENT. PLEASE CHANGE ALL YOUR PASSWORDS TO BE SAFE!
This shit has gone way to far for a block game.
Pictures of the malware:
gets .jar files in Desktop
grabs session id and other crap
grabs Google Chrome keychains and User Data
steals minecraft accounts
The malware supposedly originated somewhere from Xenon and Xanax client. The main developer of Xenon, java! did not put the backdoor into xenon, instead it was yoink, one of the developers of it.
I'm actually not sure if this client was functional or if 1800 people were really affected by it. What we do know is that Yoink had every intention for it to work and to be used maliciously.
Credits:
java!- informing me the malware even existed
john200410- doing the deobf on the malware and finding out what it does
Crystalinqq- offering a solution that removes the malware, not sure if it works or not but it seems to be able to detect the malware file.
Hopefully something like this doesn't happen again.
(C:\Users(username)\AppData\Roaming.minecraft\libraries\net\minecraftforge\injector\forgedefault)
If you have a jar file named injector-forgedefault, you need to do a full fucking system wipe. Sign out of Google, sign out of Discord, wipe everything. And then reset your PC. This is not just a coord logger, this is a full on RAT.
Send this to everyone you know. This is not a joke.
i renamed the file type to zip so i could extract and view the code
This malware has affected over 1840 different people, this is some deep shit.
I have spoken with the developer of RusherHack, John200410. He has deobfuscated the malware and found out the malware grabs these following things:
- injects itself into forge profile when you run it grabs your ip, operating system name, computer username, and some hwid
- grabs your discord token, discord username, email, if you have 2fa enabled, phone number, if you have nitro, and if you have any linked payment methods
- grabs your minecraft session token, name, and uuid
- grabs all of the mods in your mods folder takes a screenshot of your screen
- grabs the minecraft accounts you have logged into the minecraft launcher
- grabs your chrome login data file
- grabs filezilla servers
- grabs sharex configs grabs your future client login details
- grabs your minecraft accounts from future client manager
- grabs your waypoints from future client
- grabs your waypoints from salhack
- grabs your minecraft accounts from rusherhack manager
- grabs your waypoints from rusherhack
- grabs your minecraft accounts from pyro manager
- grabs some weird server stuff from pyro idek what this is
- grabs your konas files which i assume have waypoints and stuff
- grabs your waypoints from kami blue
- grabs everything from journeymap
- grabs source code from recent intellij projects
- and all of that is being sent to one of 5 discord webhooks
JUST BECAUSE YOU DON'T HAVE THE INJECTOR FILE YOU ARE NOT SAFE! THIS IS JUST THE MOST AFFECTED FILE PATH AT THE MOMENT. PLEASE CHANGE ALL YOUR PASSWORDS TO BE SAFE!
This shit has gone way to far for a block game.
Pictures of the malware:
gets .jar files in Desktop
grabs session id and other crap
grabs Google Chrome keychains and User Data
steals minecraft accounts
The malware supposedly originated somewhere from Xenon and Xanax client. The main developer of Xenon, java! did not put the backdoor into xenon, instead it was yoink, one of the developers of it.
I'm actually not sure if this client was functional or if 1800 people were really affected by it. What we do know is that Yoink had every intention for it to work and to be used maliciously.
Credits:
java!- informing me the malware even existed
john200410- doing the deobf on the malware and finding out what it does
Crystalinqq- offering a solution that removes the malware, not sure if it works or not but it seems to be able to detect the malware file.
Hopefully something like this doesn't happen again.