Merge pull request #1 from fractureiser-investigation/main

Update commits

.github/CONTRIBUTING.md

@@ -0,0 +1,15 @@
+Thank you for your interest in helping with documenting the Fractureiser malware outbreak.
+
+Please keep the following things in mind:
+- Pull requests that perform bulk reformatting, automated or otherwise, **will be rejected**. This is because reformatting creates unwieldy diffs that result in cascading merge conflicts. Please just enable word-wrapping in your editor.
+- Pull requests to add translations are very welcome; more languages makes it easier for non-English speakers to learn about the outbreak. Please see [#79](https://github.com/fractureiser-investigation/fractureiser/issues/79) for general discussion the translation community has had about how translations should be implemented. Our team primarily speaks English, and are not knowledgeable in translation, so we've delegated this to the community to ensure we wind up with a reasonable implementation.
+- Many forms of "strange" formatting in this repo are wholly intentional, and PRs attempting to "correct" them will be rejected. A non-exhaustive list:
+  - We refer to Fractureiser stages as e.g. "Stage0" — always capitalized and with no space.
+  - "Fractureiser" is indeed not well-formed English; it should be "fracturizer" or "fracturiser", depending on dialect. It's kept as-is from the CurseForge account that spread the first samples we learned of.
+- We do, however, welcome non-controversial formatting/grammar fixups. A lot of the documentation was written in a hurry and it's got various mistakes we've not caught.
+  - This is not carte blanche to run automated grammar/spelling tools on the repo, such as Grammarly — the unguided output from these has a very obvious and poor style which we will reject on sight.
+- The Discord guild is not official, and attempts to add links and references to it will be rejected. The mitigation team meets on IRC.
+- Please tread carefully when attempting to add new guidance, as we've been pretty careful about how we're presenting the situation and how people should respond. We don't want to encourage people to be reckless when what's at stake is considered.
+- ***Do not ask for samples***. If you have experience and credentials, that's great, but we have no way to verify this without using up tons of our team's limited time. Sharing malware samples is dangerous, even among people who know what they're doing.
+- **Do not witchhunt, or encourage witchhunting, the author.** Online witchhunts do not go anywhere productive, and our focus is on the effects this has had on the community and how we can prevent it in the future.
+- Any mention of blockchain or AI technology as a "solution" to future outbreaks is an instant ban.

README.md

@@ -1,50 +1,51 @@
 <p align="center">
-    <img src="docs/media/logo.svg" alt="Logo">
+	<img src="docs/media/logo.svg" alt="fractureiser logo" height="240">
 </p>
 
 *Pardon our dust, documentation still in progress*
 
+[简体中文版本见此](./lang/zh-CN/)
+
 ## What?
-`fractureiser` is a [Virus](https://en.wikipedia.org/wiki/Computer_virus) found in several Minecraft projects uploaded to CurseForge and CraftBukkit's dev website. The malware is embedded in multiple mods, some of which were added to highly popular modpacks. The Malware is only known to target Windows and Linux Systems.
+`fractureiser` is a [virus](https://en.wikipedia.org/wiki/Computer_virus) found in several Minecraft projects uploaded to CurseForge and BukkitDev. The malware is embedded in multiple mods, some of which were added to highly popular modpacks. The malware is only known to target Windows and Linux.
 
 If left unchecked, fractureiser can be **INCREDIBLY DANGEROUS** to your machine. Please read through this document for the info you need to keep yourself safe.
 
-We've dubbed this malware `fractureiser` because that's the name of the CurseForge account that uploaded the most notable malicious files.  
+We've dubbed this malware fractureiser because that's the name of the CurseForge account that uploaded the most notable malicious files.  
 
 ## What YOU need to know
 
 ### [Modded Players CLICK HERE](docs/users.md)
 
-If you're simply a mod player and not a developer, the above link is all you need. It contains surface level information of the malware's effects, steps to check if you have it and how to remove it, and a FAQ.
+If you're simply a mod player and not a developer, the above link is all you need. It contains surface level information of the malware's effects, steps to check if you have it and how to remove it, and an FAQ.
 
 Anyone who wishes to dig deeper may also look at
 * [Event Timeline](docs/timeline.md)
 * [Technical Breakdown](docs/tech.md)
 
-### I have never used any minecraft mods
-
+### I have never used any Minecraft mods
 You are not infected.
 
 ## Current Investigation Status
 We have a good idea how fractureiser works, from Stages 0 to 3. There are certain
 unknowns, but the attack servers are offline and to our knowledge, *new* infections are
 not possible. Old infections may still be active.
 
-We are currently working on refining user-facing documentation, please check there for
-resources.
+User-facing documentation is more or less finished. We're working with community members to get it translated into other languages to further spread awareness.
 
-## Follow up Meeting
+## Follow-Up Meeting
 On 2023-06-08 the fractureiser Mitigation Team held a meeting with notable members of the community to discuss preventive measures and solutions for future problems of this scale.
 See [this page](https://github.com/fractureiser-investigation/fractureiser/blob/main/docs/2023-06-08-meeting.md) for the agenda and minutes of the event.
 
 ## Additional Info
 
-If you have files relevant to this malware, please upload them to https://wormhole.app and email the URL to fractureiser.investigation@opayq.com — this inbox is controlled by unascribed, and anything sent to it will be shared with the rest of the team. If you need to get in touch more generally, please send mail to [email protected].
+If you have files relevant to this malware, please upload them to https://wormhole.app and email the URL to fractureiser@unascribed.com — anything sent to it will be shared with the rest of the team. If you need to get in touch more generally, please send mail to [email protected].
 
 If you copy portions of this document elsewhere, *please* put a prominent link back to this [GitHub Repository](https://github.com/fractureiser-investigation/fractureiser) somewhere near the top so that people can read the latest updates and get in contact.
 
-The **only** official public channel you may join without being personally invited that's *run by the same team that wrote this writeup* is [#cfmalware on EsperNet IRC](https://webchat.esper.net/?channels=cfmalware).
-**Joining an IRC channel will expose your IP address.**
+The **only** official public channel you may join without being personally invited that's *run by the same team that wrote this writeup* is [#cfmalware on EsperNet IRC](https://webchat.esper.net/?channels=cfmalware). **Joining an IRC channel will expose your IP address.**
+
+**Do not ask for samples.** If you have experience and credentials, that's great, but we have no way to verify this without using up tons of our team's limited time. Sharing malware samples is dangerous, even among people who know what they're doing.
 
 ---
 

docs/2023-06-08-meeting.md

@@ -6,6 +6,10 @@ In the interest of keeping the meeting productive, we invited a narrow set of me
 from the community, mostly people working on mod repositories, and people who helped
 organize the incident response.
 
+## Recordings
+
+The meeting has been recorded and edited to include speaking identifiers. You can watch the recording on [YouTube](https://www.youtube.com/watch?v=L52Hu334Q90) or [PeerTube](https://tube.sleeping.town/w/c48e7df1-cf9b-43d2-84a8-4bce404ee836).
+
 ## Time
 
 2023-06-08 16:00 UTC

docs/credits.md

@@ -1,9 +1,9 @@
 ## Credits
-Nonextensive! Thank you to all that pitched in. We'll flesh this out after this all blows over.
+Nonexhaustive! Thank you to all that pitched in.
 
-[**Emi**](https://github.com/emilyploszaj/): Coordination, initial discovery (for this team), and early research  
-[**Jasmine**](https://github.com/jaskarth/): Coordination, writing the decompiler we've been using ([Quiltflower](https://github.com/QuiltMC/quiltflower/))  
-[**unascribed**](https://github.com/unascribed/): Coordination of documentation, crowd control
+[**Emi**](https://github.com/emilyploszaj/): Coordination, initial discovery (for this team), early research, meeting organization  
+[**Jasmine**](https://github.com/jaskarth/): Coordination, research, writing the decompiler we've been using ([Quiltflower](https://github.com/QuiltMC/quiltflower/))  
+[**unascribed**](https://github.com/unascribed/): Coordination of documentation, crowd control, logo  
 [**williewillus**](https://github.com/williewillus/): Coordination, journalist  
 [**Vazkii**](https://github.com/vazkii/): Documentation, public communications  
 [**Col-E**](https://github.com/Col-E/): Reverse engineering, writing the deobfuscator we've been using ([Recaf](https://www.coley.software/Recaf/))  
@@ -12,4 +12,4 @@ Nonextensive! Thank you to all that pitched in. We'll flesh this out after this
 [**aurelium**](https://github.com/autumnaurelium/): Coordination, deobfuscation  
 [**D3SL**](https://github.com/D3SL/): Extensive reverse engineering, early discovery learned of later  
 [**Luna Pixel Studios**](https://lunapixelstudios.github.io/): Quick detection of unauthorized uploads  
-**Nia**: Extensive Stage 3 reverse engineering  
+**Nia**: Extensive Stage 3 reverse engineering  

docs/tech.md

@@ -12,12 +12,12 @@ mods, as it was an interesting new upload.
 ### Known affected mods & plugins
 
 Note: This list is **non-comprehensive**. It was constructed in the early days of
-investigation and quickly we realized the scope of this was much larger than we though,
+investigation and quickly we realized the scope of this was much larger than we thought,
 making tracking of individual cases pointless. It's left here for historical purposes.
 
 See also CurseForge's
 [list](https://support.curseforge.com/en/support/solutions/articles/9000228509-june-2023-infected-mods-detection-tool/)
-of affected projects
+of affected projects.
 
 |mod/plugin|link(s)|SHA1|"Uploader"|
 |---|---|---|---|
@@ -199,7 +199,7 @@ Thus, if a user copies a file and goes to paste it elsewhere they will instead p
 
 ### Data theft
 
-**MSA Tokens**: Since this mod is targeting Minecraft mods, its only natural to attempt to steal the MSA token used to login to Minecraft with. Some launchers keep this data in a local file, which this malware will attempt to read from. This affects a variety of launchers such as:
+**MSA Tokens**: Since this mod is targeting Minecraft mods, it's only natural to attempt to steal the MSA token used to login to Minecraft with. Some launchers keep this data in a local file, which this malware will attempt to read from. This affects a variety of launchers such as:
 
 * The vanilla/mojang launcher
 * The legacy vanilla/mojang launcher
@@ -227,7 +227,7 @@ The change from this strategy to the vanilla launchers is that the Json has an a
 
 The change from this strategy to technic is that technic stores credentials using Java's built-in object serialization, wrapping the `com.google.api.client.auth.oauth2.StoredCredential` type.
 
-**Discord tokens**: Everyone's seen a token-stealer before. Affects the standard client, canary, ptb, and lightcord clients.
+**Discord tokens**: Everyone's seen a token-stealer before. Steals token and extra information such as payment methods, linked phone number, etc. Affects the standard client, canary, ptb, and lightcord clients. Relevant source: [`dev/neko/nekoclient/api/stealer/discord/DiscordAccount.java`](https://github.com/clrxbl/NekoClient/blob/fd76c5f9d40d1e10de11f00a6b4e0cca3d6221a3/dev/neko/nekoclient/api/stealer/discord/DiscordAccount.java)
 
 **Cookies & Saved credentials**: Steals saved cookies and login credentials saved in affected browsers.  Relevant source: [`dev/neko/nekoclient/api/stealer/browser/impl/BrowserDataStealer.java`](https://github.com/clrxbl/NekoClient/blob/main/dev/neko/nekoclient/api/stealer/browser/impl/BrowserDataStealer.java)
 

docs/timeline.md

@@ -2,6 +2,11 @@
 
 The timeline is from bottom-to-top. Topmost events are the most recent.
 
+---
+*2023-06-09 07:48 UTC*
+
+Creators of Stage3b (skyrage) have apparently lost their domain skyrage.de (nameserver and registrar entries changed, dns entries vanished)
+
 ---
 *2023-06-08 10:50 UTC*
 

lang/zh-CN/README.md

@@ -0,0 +1,57 @@
+<p align="center">
+    <img src="../../docs/media/logo.svg" alt="Logo">
+</p>
+
+*施工现场，如有疏漏，还请海涵*
+
+译者注：本文为译文，仅为扩散正确信息、方便不熟悉英语的读者而提供。
+本文将尽最大努力保持与上游内容同步，但考虑到上游更新速度极快，仍可能有部分内容过期，还请海涵。鉴于此，请务必时刻参考原文获取最新信息！
+如译文与原文冲突，请以原文为准。传播时，请无论如何都要传播原文地址。
+
+Last updated at Jun 9th, 2023  
+最后更新于二〇二三年六月九日
+
+## 这是什么？
+`fractureiser` 是在 CurseForge 及 CraftBukkit 网站上发现的[计算机病毒](https://zh.wikipedia.org/wiki/%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%97%85%E6%AF%92)。这种病毒，或者说恶意软件，内嵌在了数个模组（Mod）中，这其中有一部分模组还进入了热门整合包中。目前该恶意软件已知仅针对 Windows 和 Linux 两大类操作系统。
+
+若不加以处置，fractureiser 将会对你的设备构成**极为严重的安全威胁**。请阅读整个文档以了解如何在当下保证安全。
+
+我们将该病毒/恶意软件称为 `fractureiser`。这个名字是某个 CurseForge 账号的用户名，而该账号的持有者正是最明显的含该恶意软件文件的上传者。 
+
+## **你**需要知道的事项
+
+### [模组玩家**点这里**](docs/users.md)
+
+如果你只是普通模组玩家，不是开发者，那么你只需要阅读上面的这个链接中的内容。这其中包括了该恶意软件危害的简明描述、协助你排查是否受感染的教程、以及一份常见问题解答。
+
+如果你学有余力，想进一步了解细节，可浏览下列内容：
+
+* [事件时间线](docs/timeline.md)
+* [技术分析](docs/tech.md)
+
+### 我从未使用过任何 Minecraft 模组
+
+你没有感染。
+
+## 目前调查进展
+
+我们目前已经对 fractureiser 从「阶段 0」到「阶段 3」的工作流程有了充分了解。虽然仍然有一些细节没有查明，但根据我们所掌握的情况，攻击者的服务器已下线，**新感染**已不可能，但已感染的设备仍会受影响。
+
+我们正在改进针对普通用户的文档，请查阅相关文档了解更多信息。
+
+2023 年 6 月 8 日，Fractureiser Mitigation Team 召集了一场社区会议，与会成员均为社区知名成员，会议讨论了同类事件的预防措施，及在未来彻底解决此类问题的方案。这次会议的议程及会议纪要可在[此页](docs/2023-06-08-meeting.md)找到。
+
+## 其他信息
+
+如果你持有该恶意软件的样本，请上传至 https://wormhole.app 然后将文件地址通过电邮发送到这个邮箱地址：`[email protected]`。该邮箱由 unascribed 控制，所有收到的样本将会分享给其他团队成员。若你需要就其他事项联系，请向 `[email protected]` 发电邮咨询。
+
+如果你把本文档部分复制、转载到了别处，**请务必**在开头或其他位置显著标明[本 GitHub 仓库的链接](https://github.com/fractureiser-investigation/fractureiser)，这样其他人可以在第一时间内了解事态的最新进展。
+
+我们**只有一个**__由本文档撰写者原班人马维护__，可以无需邀请即可加入的聊天频道：[EsperNet 上的 IRC 频道 #cfmalware](https://webchat.esper.net/?channels=cfmalware)。
+**注意：加入 IRC 频道会暴露你的 IP 地址。**
+
+IRC 聊天日志：待补全
+
+---
+
+\- [fractureiser Mitigation Team](docs/credits.md)