This is a follow-up post to this post about a guy who tried to infect Minecraft plugins with malware. If you have not read that post yet, please read it before continuing with this one.

I should have written this post about a month ago, but I really did not have the time until now, so please excuse my delay.

In the previous post mentioned above, I detailed how a malicious individual tried to infect spigot servers by infecting plugins from compromised accounts. After reporting the compromised resources and accounts, we thought it was over, but the attacker was certainly determinated to infect Spigot servers.

This time, he took a different approach; he completely evaded the Spigot forums and went straight to the servers. By exploiting a (now fixed) BungeeCord vulnerability, he was able to “fake” console messages using handhsake packets.

[21:17:56] [User Authenticator #22/WARN]: [LiteBans] AsyncPlayerPreLoginEvent.getAddress() == null (*GaelMinecraftPS)
[21:17:56] [User Authenticator #19/INFO]: UUID of player *GaelMinecraftPS is b3bbee3f-974c-377d-be53-d4bfa4edf8b8
[21:17:56] [Server thread/INFO]: com.mojang.authlib.GameProfile@63d4811e[id=b3bbee3f-974c-377d-be53-d4bfa4edf8b8,name=*GaelMinecraftPS,properties={},legacy=false] (


[Server thread/ERROR]: Could not establish a connection with BungeeCord, try using BungeeConnector: hxxps://bit.ly/3ekm1pD
[INFO] at org.bukkit.plugin.java.JavaPluginLoader$1.execute(JavaPluginLoader.java:302)
[INFO] at org.bukkit.plugin.RegisteredListener.callEvent(RegisteredListener.java:62)
[INFO] at org.bukkit.plugin.SimplePluginManager.fireEvent(SimplePluginManager.java:509)
[INFO] at org.bukkit.plugin.SimplePluginManager.callEvent(SimplePluginManager.java:494)
[INFO] at java.lang.reflect.Method.invoke(Unknown Source)
[INFO] at org.bukkit.plugin.java.JavaPluginLoader$1.execute(JavaPluginLoader.java:298)
... 13 more

from ignorantcross on Spigot

Note: Please do not open any links with hxxps, as they could contain malware. http is replaced with hxxp to prevent it from accidentally loading/opening

As we can see, the attacker tries to trick the vitim into thinking they have an error in their bungee, and that they must download a plugin to fix the issue. Of course, the plugin is malicious.

Although the URL looks like a bitly link, it redirects you to an IP logger, and then to a file sharing service or github repository which contains the malicious jar.

alt text

The site 2no dot co is an IP logger

More info about the attacker

It turns out spigot servers were not his first targets, and he has been found trying to create a botnet before. This information was given to my by an anonymous source.

He was featured on some posts from cybersecurity coorporations.

alt text

Source: Tencent Research

alt text

Source: Anquanke

alt text

Source: Malwaremily

Note: These links redirect you to google translate’s version of the page, as they are written in Chinese

If you are interested, I highly recommend you to read the articles. The might be some translation errors, but you can understand almost everything.

According to these sources, he usually performs SSH bruteforce attacks on machines, and then uses them for his purposes, which are mainly mining crypto and performing DDos attacks.

The first article talks a bit about the attacker’s identity, and links some social media (that I’ve linked in the previous post), adding his email address and skype

Other social platform accounts:
hxxps://discord.gg/6W2yTtVMWB
Discord: https://discord.gg/N9P4XPz
Skype: paul.paul4121 According to the results of Tencent’s Antu Advanced Threat Traceability System , the hacker registered the domain name nasapaul .com using the email paul.paul412@yahoo.com in 2017 .

As you might have seen, there are two discord links, neither of which work as the server was thankfully shut down (along his account) after it was reported to discord. However, the attacker created another server and account, in which they share malware and sell/buy compromised linux servers.

alt text

If you are interested in reporting the server to discord, here are the details:
Name: DOMENIUL VPS-URILOR
ID: 830183908808458301
Owner: Okamura#0001
Owner ID: 741076870480658555

Anyways, that’s it for now. If you have info about the attacker, please email me at dev.martin at protomial (dot) com