This scam began around May 17th. Their first known target was a good friend of mine, a YouTuber known as IGNCustom, with around 30,000 subscribers.
They began by impersonating a LabyMod staff member under the name "Niklas". This fake staff member attempted to get Custom to run a file from their website. Luckily, Custom recognized this attempt, and didn't fall for their fake addon.
A few weeks passed, and I was made aware that another friend of mine, who goes by Static, fell for their scam. He ran an addon from their site, and immediately after, lost access to all of his online accounts.
The attackers then impersonated Static and convinced a friend of mine named Stephen to run their malware as well. Stephen did run it, but he was not hit nearly as hard as Static, who lost $10,000+ in assets, because Stephen didn't keep all of his credentials in one place.
Last night, I began analyzing the malware. I noticed a few things, most importantly that it connected to a few URLs. I made a note of the URLs and continued the analysis. The code wasn't obfuscated, so there was no difficulty reading it.
A more in depth analysis of this malware can be found at https://ljskatt.no/analysis/updater_class/, and https://www.spigotmc.org/threads/infected-resources.567487/.
After understanding how the malware works, preventing it is trivial.
The malware has to be downloaded from their fake LabyMod addons site, and once running it makes a few connections to their servers, so the most obvious approach is to block those connections. But how?
There are countless ways to do this, but the most straightforward is to block the domains at the hosts file level by pointing them at the loopback address (127.0.0.1). Lookups for those names then never leave the machine, so the malware cannot reach its servers, and nothing else on the system is touched, which is the direction I chose for this program. Keep in mind that this only affects connections made by hostname: a hosts entry does nothing against a build of the malware that connects to a hard-coded IP address.
Executing this program is extremely straightforward.
- Go to the "Releases" tab
- Download the latest release (Windows only, for now)
- Run the executable as administrator
For those of you who don't trust random programs, feel free to compile the source code yourself.
If you don't feel comfortable running this program on your PC, you don't currently use Windows, or this program simply doesn't work for you, for whatever reason, this section is for you.
To append these entries to your hosts file on Windows without executing this program, follow the steps below.
- Press the Start button and type "Notepad"
- Right-click it and select "Run as administrator"
- In the top left corner, select "File", then "Open"
- Navigate to C:\Windows\System32\drivers\etc
- Click the file-type field in the bottom right corner of the window that says "Text Documents (*.txt)" and select "All Files (*.*)"
- Select the file called hosts
- Copy and paste the following lines at the end of the file:
127.0.0.1 labymod-addons.net
127.0.0.1 first.throwable.in
127.0.0.1 files.throwable.in
127.0.0.1 t23e7v6uz8idz87ehugwq.skyrage.de
If you're on Linux, the instructions are as follows:
- Open the hosts file with your preferred text editor. For this, I'll be using Nano.
- Execute sudo nano /etc/hosts (you must use sudo, because /etc/hosts is only writable by root)
- Copy and paste the following entries at the end of the file:
127.0.0.1 labymod-addons.net
127.0.0.1 first.throwable.in
127.0.0.1 files.throwable.in
127.0.0.1 t23e7v6uz8idz87ehugwq.skyrage.de
- Save the file and exit (in Nano: Ctrl+O, Enter, then Ctrl+X)
That's all! Your PC will now resolve these malware hostnames to 127.0.0.1, so any connection the malware tries to make to them stays on the local machine and fails.
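As an added example (not this program's source and not anything from the LabyMod project), the following Python script performs the same hosts-file edit on either Windows or Linux, skipping entries that are already present so it can be re-run safely. The four domains are the ones listed above; the marker comment, the function names and the constructed sample hosts content are assumptions of this example.

```python
"""Added example: idempotently append the sink entries for the scam domains
to the OS hosts file (Windows or Linux) and report what changed."""
import os
import platform
import sys
from pathlib import Path

# The four hostnames are the ones listed on this page; the marker comment is an
# assumption of this example, so the lines can be found and removed later.
BLOCKED_DOMAINS = (
    "labymod-addons.net",
    "first.throwable.in",
    "files.throwable.in",
    "t23e7v6uz8idz87ehugwq.skyrage.de",
)
SINK_IP = "127.0.0.1"
MARKER = "# added by labymod-scam-blocker"

# Constructed sample hosts file: one domain is already sunk (via 0.0.0.0),
# the other three are missing.
SAMPLE_HOSTS = "127.0.0.1 localhost\n# comment line\n0.0.0.0 first.throwable.in\n"


def default_hosts_path() -> Path:
    """The file the OS resolver reads: %SystemRoot%\\System32\\drivers\\etc\\hosts
    on Windows, /etc/hosts elsewhere."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def parse_sunk_hosts(hosts_text: str) -> set[str]:
    """Hostnames already pointed at a local sink address. Each non-comment
    line is 'address name [name ...]'; trailing '# ...' comments are ignored."""
    sunk: set[str] = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("127.0.0.1", "0.0.0.0", "::1"):
            sunk.update(name.lower() for name in fields[1:])
    return sunk


def missing_entries(hosts_text: str, domains=BLOCKED_DOMAINS) -> list[str]:
    """Domains that hosts_text does not yet sink, in the order given."""
    sunk = parse_sunk_hosts(hosts_text)
    return [d for d in domains if d.lower() not in sunk]


def patched_hosts_text(hosts_text: str, domains=BLOCKED_DOMAINS) -> str:
    """hosts_text with one sink line per missing domain appended.
    Returns the input unchanged when nothing is missing, so re-running is safe."""
    missing = missing_entries(hosts_text, domains)
    if not missing:
        return hosts_text
    new_lines = "".join(f"{SINK_IP} {d} {MARKER}\n" for d in missing)
    # Make sure the appended entries start on their own line.
    sep = "" if hosts_text == "" or hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + new_lines


def apply(hosts_path: Path) -> list[str]:
    """Rewrite the file in place; returns the domains that were added."""
    original = hosts_path.read_text(encoding="utf-8")
    added = missing_entries(original)
    if added:
        # Text mode writes \r\n on Windows and \n elsewhere, matching Notepad/nano.
        hosts_path.write_text(patched_hosts_text(original), encoding="utf-8")
    return added


if __name__ == "__main__":
    if sys.argv[1:] == ["--demo"]:
        # Show the effect on the constructed sample without touching the system.
        print(patched_hosts_text(SAMPLE_HOSTS), end="")
        sys.exit(0)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_hosts_path()
    try:
        added = apply(target)
    except PermissionError:
        sys.exit(f"{target}: permission denied (run as administrator / with sudo)")
    print(f"{target}: added {len(added)} entries" + (": " + ", ".join(added) if added else ""))
```

Run it as administrator or with sudo to edit the real file, or with --demo to see the change on the constructed sample. If one of the domains still resolves to its real address afterwards, flush the resolver cache (ipconfig /flushdns on Windows) and check again.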
This program protects against the malware in its current state, as of June 5th, 2023. If the authors of this malware find a workaround, there's not much I can do except update the program.
If you run their malware and they've updated it so that it's no longer blocked by this program, I'm not responsible in any way.
I'll do my best to keep this up to date, but I can't make any guarantees.