Security researchers at FortiGuard Labs have uncovered a new campaign: attackers are weaponizing Minecraft source packs to distribute a password-stealing malware called zEus. The disguised attack highlights the risk of downloading content from untrusted sources, even seemingly harmless game modifications.
The zEus stealer is spread via YouTube, where attackers post links to malicious Minecraft source packs. The packs look innocuous but contain a WinRAR self-extracting (SFX) archive that masquerades as a Windows screensaver (.scr) file. Windows runs .scr files as ordinary executables, so opening the "screensaver" runs the stealer; it also displays an image bearing the name "zEus".
Once launched, zEus first runs a series of anti-analysis checks: it compares the computer name and the list of running processes against extensive blacklists of sandbox and analysis-tool names, and aborts if it finds a match. If the environment looks clean, it proceeds to harvest sensitive information from the infected machine.
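The lure above works because a WinRAR SFX is a normal PE executable (the extractor stub) with the RAR archive appended after it, and because Windows treats a .scr file as an executable. The following triage script, added here as an example and not code from the FortiGuard report or from the malware, shows one way to check a downloaded "screensaver" before running it: it verifies the PE header, then looks for an embedded RAR signature after the stub. The sample byte strings are constructed in the block so it runs offline; they are not real binaries.

```python
"""Flag 'screensaver' files that are really WinRAR self-extracting archives.

Added example (not from the original report). A WinRAR SFX is a PE stub
followed by a RAR archive, so a PE whose body contains a RAR signature at
a non-zero offset is almost certainly an SFX. Combined with an executable
extension such as .scr, that is the lure described above.
"""
import os
import struct

# RAR 4.x and RAR 5.x archive signatures.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_rar_payload(data: bytes) -> int:
    """Return the offset of the first RAR signature in data, or -1 if absent."""
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        off = data.find(magic)
        if off != -1:
            return off
    return -1


def classify(filename: str, data: bytes) -> dict:
    """Summarise why a file is (or is not) suspicious."""
    ext = os.path.splitext(filename)[1].lower()
    pe = is_pe(data)
    rar_off = find_rar_payload(data)
    verdict = {
        "filename": filename,
        "executable_extension": ext in EXECUTABLE_EXTS,
        "is_pe": pe,
        "rar_payload_offset": rar_off,
        # A plain .rar has its signature at offset 0 and is not a PE;
        # an SFX is a PE with the signature somewhere after the stub.
        "is_sfx": pe and rar_off > 0,
    }
    # The specific lure: an SFX archive dressed up as a screensaver.
    verdict["suspicious"] = verdict["is_sfx"] and ext == ".scr"
    return verdict


def build_fake_pe(trailer: bytes = b"") -> bytes:
    """Constructed sample: a minimal PE-shaped byte string, not a real binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60 + trailer


# Constructed samples for demonstration.
SAMPLE_SFX = build_fake_pe(RAR5_MAGIC + b"fake-archive-bytes")  # stub + archive
SAMPLE_EXE = build_fake_pe(b"just code")                         # ordinary PE
SAMPLE_RAR = RAR4_MAGIC + b"fake-archive-bytes"                  # plain archive

if __name__ == "__main__":
    for name, blob in (("MinecraftPack.scr", SAMPLE_SFX),
                       ("tool.exe", SAMPLE_EXE),
                       ("pack.rar", SAMPLE_RAR)):
        print(classify(name, blob))
```

On a real download, read the file in binary mode and pass its bytes to `classify`; a genuine screensaver is a PE with no archive appended, so `is_sfx` should be false.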
zEus collects several categories of data:
- PC Information: IP details, hardware specifics, and network status.
- Browser Data: Cookies, saved login data, and bookmarks from popular browsers such as Chrome, Firefox, and Edge.
- Gaming and Social Media Credentials: Login details for platforms such as Steam, Discord, and Roblox.
Beyond data theft, zEus ships several additional components, each implemented as a batch script:
- Task Manager Disruption: debugerkiller.bat continually terminates Task Manager so the user cannot inspect or kill the malware.
- Surveillance: Screen.bat sends a screenshot to the attackers every five seconds.
- Lockdown and Control: SYSTEMLOCK.bat locks the system, and RAT.bat maintains control through C2 communications.
To protect against such threats, FortiGuard Labs advises:
- Vigilance in Downloads: Verify the authenticity of downloadable content, especially from unofficial sources; a game pack should never arrive as an executable or screensaver file.
- Enable MFA: Multi-factor authentication adds a layer of protection when passwords have been stolen. Note that a stealer that exfiltrates browser cookies can replay live sessions without a password, so after a suspected infection also sign out of all sessions and reset the affected accounts.
- Regular Security Updates: Keep all software and anti-virus programs up to date to defend against known vulnerabilities and attacks.