Fake Minecraft Installer Spreads NjRat Spyware to Steal Data

Fake Minecraft clone Eaglercraft 1.12 Offline spreads NjRat spyware that steals passwords and spies via webcam and microphone, warns Point Wild's security team.
Point Wild’s Lat61 Threat Intelligence Team has uncovered a new cyber threat targeting fans of the popular game Minecraft. Malware disguised as a Minecraft installer is infecting computers, allowing hackers to steal personal data.
The research, which Point Wild provided to Hackread.com, should not come as a surprise: in 2021, Minecraft was already declared the most malware-infected game ever.
As for the ongoing threat, the malware is hidden inside an unofficial browser-based Minecraft clone called Eaglercraft 1.12 Offline, which is often used in schools and other restricted environments. As millions of gamers, including kids and casual players, download Minecraft-related content during a recent surge of excitement, they are unknowingly putting their computers at risk.
The research reveals that the fake game installer bundles a dangerous type of Remote Access Trojan (RAT) called NjRat, which has been used by cybercriminals for years to take full control of infected devices.
This malware can perform several harmful activities without the user’s knowledge. It uses a keylogger to capture every keystroke, allowing it to steal usernames, passwords, and other sensitive information. It can also spy on users by gaining unauthorized access to a computer’s webcam and microphone, enabling attackers to secretly watch and listen.
Additionally, it creates a backdoor by adding a hidden program called WindowsServices.exe to the computer’s start-up files, ensuring it runs each time the system is turned on. To protect itself, the malware is programmed to crash the system with a Blue Screen of Death if it detects security tools like Wireshark, making it harder for experts to analyse.

“While the game ran as a distraction on the surface, a hidden process named WindowsServices.exe was silently executed in the background. This process is not a legitimate Windows component and was likely deployed to masquerade as a system process in order to avoid suspicion. Further inspection revealed it spawned additional child processes, specifically cmd.exe, followed by conhost.exe commonly used by malware for command-line execution and payload handling.”
Nihanshu Katkar – Lat61 Threat Intelligence Team
According to Point Wild’s research, the attack starts with a malicious file disguised as a Minecraft installer. When a user runs it, the computer silently drops several files, including the key malicious program, and distracts the user by opening a browser window to the fake Minecraft game. While the game plays, the hidden program runs in the background.
The diagram below illustrates how the malware silently drops files, creates a new entry in the computer’s startup files to make sure it always runs, and then connects to a remote server. This server, hosted in India on Amazon’s cloud, is used by the attackers to control the infected computer and steal data.
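For defenders, the process chain in the quote above (WindowsServices.exe spawning cmd.exe, followed by conhost.exe) can be hunted for in process-creation telemetry. The following Python is an added example, not Point Wild's tooling; the event format, PIDs and file paths are constructed for illustration, and only the three process names come from the report.

```python
import ntpath

SUSPECT_NAME = "windowsservices.exe"       # process name from the report
SHELL_NAMES = {"cmd.exe", "conhost.exe"}   # child processes from the report

# Constructed process-creation events (pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Users\demo\Downloads\installer.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Users\demo\AppData\Roaming\WindowsServices.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 240, "ppid": 230, "image": r"C:\Windows\System32\conhost.exe"},
    # Benign console opened by the user: must not be reported.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\conhost.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()

def descendants(pid, children):
    """Depth-first list of every process below pid (loop-safe)."""
    out, seen, stack = [], {pid}, list(reversed(children.get(pid, [])))
    while stack:
        ev = stack.pop()
        if ev["pid"] in seen:
            continue
        seen.add(ev["pid"])
        out.append(ev)
        stack.extend(reversed(children.get(ev["pid"], [])))
    return out

def find_masquerade_chains(events):
    """Report each WindowsServices.exe and the shell processes below it."""
    children = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)
    findings = []
    for ev in events:
        if basename(ev["image"]) != SUSPECT_NAME:
            continue
        shells = [basename(d["image"]) for d in descendants(ev["pid"], children)
                  if basename(d["image"]) in SHELL_NAMES]
        findings.append({"pid": ev["pid"], "image": ev["image"],
                         "shell_descendants": shells,
                         "severity": "high" if shells else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_masquerade_chains(SAMPLE_EVENTS):
        print(finding)
```

A name match alone is rated medium; the rating rises to high only when the shell processes named in the report appear beneath it.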
Dr. Zulfikar Ramzan, CTO of Point Wild and leader of the Lat61 Threat Intelligence team, warns that “Threat actors are exploiting the popularity of Minecraft mods to spread powerful spyware. What looks like a harmless game is actually turned into a tool for spying and data theft.”
Therefore, if you play Minecraft, make sure it is downloaded through the official store, and be cautious when buying skins and mods by ensuring every purchase is through the official store. Downloading third-party apps will only put your device at further risk.
HackRead