MCCrash is a cross‑platform DDoS botnet tracked by Microsoft Threat Intelligence that targets Windows, Linux, and IoT devices to attack private Minecraft servers. It propagates via SSH credential brute‑forcing, downloads multi‑stage components, and issues Minecraft‑focused DDoS commands, with many infected devices located in Russia. #MCCrash #Storm1028 #DEV1028 #Minecraft #SSH #IoT
Keypoints
- MCCrash is a cross‑platform botnet infecting Windows, Linux, and IoT devices and is used to attack private Minecraft Java servers.
- Initial infection points include cracking tools that install malware and download/launch a fake svchost.exe via PowerShell.
- The botnet uses a Python component (malicious.py) and a loader chain (Updater.zip and fuse) to persist and expand on hosts.
- Propagation relies on enumerating default/weak SSH credentials and performing dictionary attacks to spread to SSH‑enabled devices.
- Communications with a C2 server at repo[.]ark-event[.]net on port 4676 establish encryption (Fernet) and issue a suite of DDoS commands.
- MC‑specific commands include ATTACK_MCCRASH and various Minecraft protocol attacks; the threat targets a range of Minecraft server versions (1.7.2–1.18.2 most affected).
- MITRE and defensive guidance focus on hardening endpoints, IoT devices, and Windows/Linux security controls, plus IOC/alerting guidance for Defender/Sentinel users.
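The propagation method in the keypoints above (dictionary attacks against SSH-enabled Linux and IoT hosts) leaves a characteristic trace in sshd logs: a burst of failed password logins for default accounts from one source, sometimes followed by an accepted password login. The following detection script is an added example for this summary, not code from Microsoft or from the malware; the log lines are constructed in OpenSSH syslog format and the threshold and window are assumptions to tune per environment.

```python
"""Detect SSH dictionary attacks of the kind used to spread MCCrash.

Added example; not code from Microsoft or from the malware. Sample log
lines are constructed, and the threshold/window values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt (not real captured data). The first
# source tries default accounts and then gets in with a password; the second
# is a single typo followed by a normal key-based login.
SAMPLE_AUTH_LOG = """\
Dec 15 10:00:01 pi sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Dec 15 10:00:02 pi sshd[1202]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Dec 15 10:00:03 pi sshd[1203]: Failed password for pi from 198.51.100.23 port 51024 ssh2
Dec 15 10:00:04 pi sshd[1204]: Failed password for invalid user ubuntu from 198.51.100.23 port 51025 ssh2
Dec 15 10:00:05 pi sshd[1205]: Failed password for root from 198.51.100.23 port 51026 ssh2
Dec 15 10:00:06 pi sshd[1206]: Accepted password for pi from 198.51.100.23 port 51027 ssh2
Dec 15 10:07:30 pi sshd[1300]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Dec 15 10:07:55 pi sshd[1301]: Accepted publickey for alice from 203.0.113.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(line, year=2022):
    """Parse one sshd auth line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for sources with >= threshold failed logins
    inside `window`. The finding records the distinct usernames tried and
    whether a password login from the same source succeeded after the
    burst, which is the case that needs immediate host triage."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        burst_end = None
        # Sliding window over the failure timestamps.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
        if burst_end is None:
            continue
        compromised = any(e["result"] == "Accepted" and e["method"] == "password"
                          and e["ts"] >= burst_end for e in evs)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "password_login_after_burst": compromised,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, f)
```

Only password failures count toward the burst, and only a later password success marks the source as likely compromised; key-based logins are ignored because the dictionary attack described on the page is against passwords. Disabling password authentication for SSH on IoT and Linux hosts removes the path entirely.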
MITRE Techniques
- [T1059.001] PowerShell – Used to download and launch a fake version of svchost.exe through a PowerShell command. ‘downloads and launches a fake version of svchost.exe through a PowerShell command.’
- [T1059.006] Python – The main Python script contains all the botnet logic. ‘the main Python script that contains all the logic of the botnet.’
- [T1547.001] Registry Run Keys/Startup Folder – Persistence by adding the registry key Software\Microsoft\Windows\CurrentVersion\Run with the executable as the value. ‘establish persistency by adding the registry key Software\Microsoft\Windows\CurrentVersion\Run with the executable as the value.’
- [T1105] Ingress Tool Transfer – Downloads Updater.zip from repo[.]ark‑event[.]net onto the device. ‘downloads the file Updater.zip from repo[.]ark-event[.]net onto the device.’
- [T1021.004] SSH – Lateral movement via dictionary attacks to propagate to SSH‑enabled devices. ‘scans the internet for SSH-enabled Linux-based devices (Debian, Ubuntu, CentOS, and IoT workloads such as Raspbian) and launches a dictionary attack to propagate.’
- [T1071.001] Application Layer Protocol (C2) – C2 channel used to receive commands and exchange data. ‘communicates with its command-and-control (C2) server to launch the following commands.’
- [T1027] Obfuscated/Compressed Files and Information – Encrypts communications using Fernet after receiving a key. ‘encrypt further communication using the Fernet symmetric algorithm.’
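Two of the techniques listed above are cheap to check for on a host or in network telemetry: a Run-key value that launches a fake svchost.exe (T1547.001) and TCP flows to the C2 port 4676 (T1071.001). The script below is an added example for this summary, not code from Microsoft or the malware. The Run-key text is constructed in the layout `reg query` prints, and the connection rows are constructed in a simplified Zeek-style tab-separated form whose column order is an assumption.

```python
"""Host and network triage checks for two MCCrash behaviours.

Added example; not code from Microsoft or from the malware. Both inputs
are constructed; the conn.log column order is an assumption.
"""
import ntpath
import re

# Constructed `reg query HKCU\...\Run` output (not from a real host).
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchost    REG_SZ    C:\Users\bob\AppData\Roaming\svchost.exe
    Updater    REG_SZ    "C:\Users\bob\AppData\Local\Temp\Updater\svchost.exe" -u
"""

# Constructed Zeek-style rows: ts, uid, src, sport, dst, dport, proto.
SAMPLE_CONN_LOG = """\
1671100000.1\tCabc1\t10.0.0.15\t50122\t192.0.2.44\t4676\ttcp
1671100001.2\tCabc2\t10.0.0.15\t50123\t10.0.0.1\t53\tudp
1671100002.3\tCabc3\t10.0.0.22\t50200\t192.0.2.44\t443\ttcp
"""

# One Run-key value line: name, REG_* type, data, separated by runs of spaces.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# Executable part of the value data: a quoted path, or an unquoted path up to .exe.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.exe)', re.IGNORECASE)
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def executable_path(data):
    """Strip quotes and command-line arguments from a Run-key value."""
    m = EXE_RE.match(data.strip())
    if not m:
        return None
    return m.group("q") or m.group("u")


def suspicious_run_entries(reg_text):
    """Flag Run-key values whose target is named svchost.exe.

    The genuine svchost.exe is started by the Service Control Manager, never
    from a Run key, so any such value deserves a look; one outside
    System32/SysWOW64 is a masquerade. Returns (value name, path, reason)."""
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        path = executable_path(m["data"])
        if not path or ntpath.basename(path).lower() != "svchost.exe":
            continue
        directory = ntpath.dirname(path).lower()
        reason = ("svchost.exe outside System32" if directory not in LEGIT_SVCHOST_DIRS
                  else "svchost.exe autostarted from Run key")
        findings.append((m["name"], path, reason))
    return findings


def c2_connections(conn_text, port=4676):
    """Return (src, dst) pairs for TCP flows to the C2 port named on the page."""
    hits = []
    for line in conn_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        _ts, _uid, src, _sport, dst, dport, proto = fields[:7]
        if proto == "tcp" and dport == str(port):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for name, path, reason in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"[run-key] {name}: {path} ({reason})")
    for src, dst in c2_connections(SAMPLE_CONN_LOG):
        print(f"[network] {src} -> {dst}:4676")
```

The Run-key parser uses `ntpath` so the check runs on a Linux analysis box against exported registry text as well as on Windows. Port 4676 alone is a weak signal on its own; pair a hit with the domain repo[.]ark-event[.]net in DNS logs or with the file hashes from the indicator list before escalating.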
Indicators of Compromise
- [File Hash] e3361727564b14f5ee19c40f4e8714fab847f41d9782b157ea49cc3963514c25 (KMSAuto++.exe), 143614d31bdafc026827e8500bdc254fc1e5d877cb96764bb1bd03afa2de2320 (W10DigitalActivation.exe), and 2 more hashes
- [Domain] repo[.]ark-event[.]net
- [File Name] updater.zip, malicious.py