bowser0000 / SkyblockMod

QOL changes that enhance your Hypixel Skyblock experience.
GNU Lesser General Public License v3.0

More fake DSM's with malicious code in them! Please watch out! #121

Open 5vl opened 2 years ago

5vl commented 2 years ago

https://github.com/skyblocknerd13/Dankers-Skyblock-Mod is fake. I decompiled the jar, and it had an extra class! This is probably some kind of token logger. Please watch out with what you download!

cursefroge commented 2 years ago

yep, if you go to http://breadcat.cc its... something

5vl commented 2 years ago

yep, if you go to http://breadcat.cc its... something

Interesting site.. definitely as a cover-up

cursefroge commented 2 years ago

It also says "I make Minecraft stealers"

3niXboi commented 2 years ago

Hi! I know of one case where this exact mod you referenced led to stolen credentials and in-game items gone. The user has many repositories, different skyblock mods, all open source, all copied, and I am guessing all containing this exact file. I am now going to check the rest of them and submit a detailed report on Github (perhaps it does something). I will also post the text of my report here once it's done, if you (@EnderC00kiez @5vl) and others reading this could report him (https://github.com/skyblocknerd13) just sending a reference to that post even, that would be a huge help!

5vl commented 2 years ago

@3niXboi I didn't look at his other repos, although I'd definitely expect it. Good luck on the report - GH will ban them for sure.

3niXboi commented 2 years ago

I have completed the report, I will post it here in the next message. Please report him for malicious software and send this as a reference. I found traces of obfuscation in 2 of the repositories, one of them being the one you previously found (edited 11 days ago after you made this post). Could be he is watching this thread. Hopefully support gets him banned before he deletes his repos. By the way @5vl he had the same grabber in all of his 10 other repositories, with minor changes and quite pitiful attempts at obfuscation, if any.

3niXboi commented 2 years ago

This user (skyblocknerd13) has multiple repositories containing only compiled files with copied code from other (legit) sources, that are genuine Minecraft mods. He then adds malicious code including a token grabber to get access to the user's Minecraft login credentials. He then uploads only the compiled executable files to his repository. These, upon running, give the attacker access to their Minecraft account, and I know about one case where this led to them logging on and ruining a (Hypixel Skyblock) profile.

Here are a few examples:

  1. Danker's Skyblock Mod
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/Dankers-Skyblock-Mod
     the original repository: https://github.com/bowser0000/SkyblockMod

     A github user (@5vl) has decompiled the executable and found an extra class containing the token grabber and opened an issue on the original mod, to warn users: https://github.com/bowser0000/SkyblockMod/issues/121. He has since committed to the repository and changed the file, in an attempt to most likely obfuscate the code. A very similar function still exists in a different file but it's hard to read. It is now in the LootTrackerUtils class.

  2. Skytils
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/Skytils
     the original repository: https://github.com/Skytils/SkytilsMod

     This repository still contains the malicious code in the same file as in the first mod (updater class).

  3. Scrollable Tooltips
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/Scrollable-Tooltips
     the original repository: https://github.com/Sk1erLLC/ScrollableTooltips

     This repository contains the malicious code in a different file (errors class).

  4. Not Enough Updates
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/NotEnoughUpdates
     the original repository: https://github.com/Moulberry/NotEnoughUpdates

     This repository still contains the malicious code in the same file as in the first mod (updater class).

  5. NotEnoughCoins
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/AH-BIN-Sniper-Mod-
     the original repository: https://github.com/NotEnoughCoins/NotEnoughCoins

     This repository contains the malicious code in a different file (errors class).

  6. SkyblockExtras (SBE)
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/SBE-Skyblock-Extras

     The original mod in this case is not open source. Therefore the 'mod' only contains the grabber.

  7. Patcher
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/Patcher
     the original repository: https://github.com/Sk1erLLC/Patcher

     This repository still contains the malicious code in the same file as in the first mod (updater class).

  8. Skyblock Addons (SBA)
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/SkyBlockAddons
     the original repository: https://github.com/BiscuitDevelopment/SkyblockAddons

     This repository contains the malicious code in a different file (errors class).

  9. Dungeons Guide
     skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/Skyblock-Dungeons-Guide
     the original repository: https://github.com/Dungeons-Guide/Skyblock-Dungeons-Guide

     This repository still contains the malicious code in the same file as in the first mod (updater class).

  10. Hypixel Dupe Mod
      skyblocknerd13's repository (containing malicious code): https://github.com/skyblocknerd13/Hypixel-Skyblock-Dupe-Mod/blob/main/Skyblock-Dupe-Mod-1.2.jar

      In this case there is no original mod, the whole code is just the same grabber.
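The check that both the opening comment ("I decompiled the jar, and it had an extra class") and the report above rely on, written out as an added example that is not code from this project or from anyone in the thread: a jar is a zip archive, so listing its entries and hashing each one against the release downloaded from the real repository shows exactly which classes were added or altered. The two jars, their paths and class names are constructed placeholders for the demonstration.

```python
import hashlib
import io
import zipfile


def _entry_hashes(jar_bytes: bytes) -> dict[str, str]:
    """Map every file entry in a jar (a zip archive) to a SHA-256 of its contents."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.is_dir():
                hashes[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return hashes


def diff_jars(official: bytes, suspect: bytes) -> dict[str, list[str]]:
    """Report entries that were added, removed or modified relative to the official jar."""
    ref, sus = _entry_hashes(official), _entry_hashes(suspect)
    return {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "modified": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n]),
    }


def _build_jar(entries: dict[str, bytes]) -> bytes:
    """Construct a minimal jar from a name -> content mapping (demo input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars; the class names are placeholders, not the real mod's.
OFFICIAL_JAR = _build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "me/example/mod/Main.class": b"\xca\xfe\xba\xbe original main",
    "me/example/mod/Updater.class": b"\xca\xfe\xba\xbe original updater",
})
# Same classes as the release, but one tampered class and one extra class.
SUSPECT_JAR = _build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "me/example/mod/Main.class": b"\xca\xfe\xba\xbe original main",
    "me/example/mod/Updater.class": b"\xca\xfe\xba\xbe tampered updater",
    "me/example/mod/Extra.class": b"\xca\xfe\xba\xbe extra class",
})

if __name__ == "__main__":
    for kind, names in diff_jars(OFFICIAL_JAR, SUSPECT_JAR).items():
        print(f"{kind}: {names}")
```

Against real files, read both jars from disk and pass the bytes to `diff_jars`; any entry in "added" or "modified" is what to open in a decompiler first.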

cursefroge commented 2 years ago

Sent a report! Waiting for GH to reply/take action.

3niXboi commented 2 years ago

@EnderC00kiez Thank you! The URL the data was sent to is operated by Cloudflare, meaning we don't know much about who does this other than his province and country. I won't share that here tho, as it might conflict with the community guidelines. Judging by the repository I think a few people have been targeted by this other than this one instance I know of. Hopefully he gets banned and it doesn't happen again!

edit: The first search result on bing if you type in "Dankers skyblock mod" is the malicious one. Hope he gets banned soon!

cursefroge commented 2 years ago

I'm going to report breadcat's website to cloudflare, to hopefully stop the connections for a while, then if we can unmask anything, we can proceed from there.

5vl commented 2 years ago

Thank you for all this info @3niXboi - I'll also report him to GitHub now, and the website to cloudflare and whatever other company/companies is/are involved.

5vl commented 2 years ago

Reported to GitHub & cloudflare, both linking to your comment!

5vl commented 2 years ago

I also found (what I think is) their hosting! In nr 4 (NEU) you can see "egirlpartey.ddns.net", which when I ping it returns an IP of a hosting provider. They also have a nice abuse email address! I'll make sure to send them an email as well.


5vl commented 2 years ago

@3niXboi @EnderC00kiez - User is now removed from GitHub!


cursefroge commented 2 years ago

Cloudflare also forwarded a copy of my abuse report to their hosting provider!


3niXboi commented 2 years ago

@EnderC00kiez @5vl Thank you so much for everything!

cursefroge commented 1 year ago

hmm... new closed-source github repo with the same name, link: https://github.com/Sk1erLC/Dankers-Skyblock-Mod

5vl commented 1 year ago

@EnderC00kiez Yikes - I'll make sure to report it as well

cursefroge commented 1 year ago

https://github.com/bowser000000/Dankers-Skyblock-Mod and https://github.com/BiscuitBread/Download-Dankers-Skyblock-Mod

5vl commented 1 year ago

@EnderC00kiez Sigh, some more to report I guess...

cursefroge commented 1 year ago

it seems like a bot posting multiple skyblock mods with malicious code injected. it's always the original filename (of the latest release of the actual mod)

edit: repo name for DSM is always Dankers-Skyblock-Mod

5vl commented 1 year ago

@EnderC00kiez Yeah the file name is always latest release, but that isn't hard seeing that the last release was over a year ago..

cursefroge commented 1 year ago

Now Sk1erLC has been deleted... Was that GitHub or just them? @5vl

5vl commented 1 year ago

I don't know. I hope it was github, because if it was them there'll probably be a new one very soon. Not that there wouldn't be if it was GH, it would maybe take a bit longer for them to know

cursefroge commented 1 year ago

If this naming pattern continues, we should be able to check https://github.com/search?q=Dankers-Skyblock-Mod&type=repositories to see if there are more - unless they are watching this thread

cursefroge commented 1 year ago

https://github.com/verifiedcode/Danker-s-Skyblock-Mod-v1.8.6-for-MC-1.8.9

Side note: wrong description lol


cursefroge commented 1 year ago

This one's empty: https://github.com/DANKER5/1.8.9-Danker.s.Skyblock.Mod.-.1.8.7

cursefroge commented 1 year ago

impersonator le thirde: https://github.com/Bowser00/SkyblockMod

5vl commented 1 year ago

Theyd be stupid to not watch this thread ngl