(As of June 7, 2023 1:38 PM UTC, this is basically a final report. I will date any major future edits to this document.)
(Update June 7, 2:17 PM UTC - Click here if you're having lag issues. I want to put this up preemptively.)
Nia's notes on her reverse engineering of client.jar. Expect this to be a little messy.
The client.jar this reverse engineering is based off has the following SHA256 hash: 507cd3f6b701dbdbba86b1cb9bf3ac2e80b8176d60e116970c372caeb7e39eba.
The initial file I worked with is a version with the string obfuscation removed produced by aurelium. It has the SHA256 hash: 2687b5e46d061e79952f10e96651fe9955d6b4aebad399a01b73d0b9fd31fd01. I haven't verified it corresponds fully to client.jar, but I see no reason this person wouldn't be working with us.
Please ask someone else if you want these files.
A copy of the decompiled/deobfuscated source code can be found here. For safety purposes, this version of the source code contains no binaries and will not compile. It is only good enough for analysis of the malware. This link will expire at June 14, 2023 1:31 PM UTC.
UPDATE - June 7, 2:39 PM UTC: A new version of the stage3 has been found with hash 611267eb6049f8450021da5dd4b38bebdbd04e9091be090ab10f152732d94bab. It is not obfuscated. It seems mostly identical to this version, except the crypto address interception code has been disabled and it can properly steal credentials from Mozilla-based browsers due to the issues caused by obfuscation being fixed.
UPDATE - June 7, 3:18 PM UTC: A decompiled version of the client.jar previously mentioned has been posted publicly on Github. The information in this document remains accurate, and is being updated to note the names of files in the actual original code.
UPDATE - June 7, 3:39 PM UTC: Finished updating deobfed names into the document.
UPDATE - June 8, 4:06 AM UTC: I seem to have misread the spreading code somewhat. The code will try to infect the main class of any .jar that isn't detected as a Minecraft mod.
client.jar seems to mostly target Windows - a lot of stuff just doesn't work on Linux or MacOS. It will still run, but most of the payloads to steal data only have code implemented for working on Windows. You aren't safe, still, as it still has functionality that can run arbitrary code.

client.jar spreads by infecting other .jar files; the code it injects is taken from the client.jar file itself. It first checks whether a .jar is a viable candidate for infection. If any of these conditions are met, it proceeds to the next step:
- The .jar contains net/minecraft/client/main/Main. The net/minecraft/client/gui/GuiMultiplayer class will be infected as well, but that class alone isn't enough to cause it to attempt an infection.
- net/minecraftforge/fml/common/Mod
- net/fabricmc/api/ModInitializer
- net/md_5/bungee/api/plugin/Plugin
- org/bukkit/plugin/java/JavaPlugin

The infection then does the following:
- META-INF/CERTIFIC.RSA, META-INF/CERTIFIC.EC, META-INF/CERT.SF and META-INF/CERTIFIC.SF are excluded from the jar file, effectively disabling code signing.
- META-INF/MANIFEST.MF is cleared using manifest.getEntries().clear(). I'm not clear on what exactly this does, considering that the manifest files generated are not empty. (Manifest.getEntries() holds only the per-file attribute sections, which is where jar signing stores each entry's digest; the main attributes are untouched, so the manifest that gets written out is not empty.)
- If the class has a <clinit> method: a new static method with a generated name is created (in this sample: _c3b73e691d7f40f1b47d800b0dc8238d). This method's body is the same as the body of the method in dev.neko.nekoinjector.Loader in the client.jar file. An invokestatic instruction that calls the new function is inserted at the beginning of the <clinit> method.
- If the class has no <clinit> method, then instead the new function is directly created as <clinit>.
- The modification time of the .jar file is set to match the old one.

(references: the class dev.neko.nekoclient.c and the package dev.neko.e)
(deobf: class dev.neko.nekoclient.Client and package dev.neko.nekoinjector)
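The infection leaves traces a defender can check for without running anything: classes under dev.neko.nekoclient or dev.neko.nekoinjector, a static method whose name has the _<32 hex characters> shape noted above, signature files stripped while MANIFEST.MF remains, and the stage hashes quoted at the top of this document. The scanner below is an added example written for these notes, not Nia's tooling and not code from the malware; it parses each class file's constant pool directly (so it needs no Java toolchain), and the sample jar it builds for itself is constructed purely for the demonstration.

```python
"""Triage scanner for the indicators in these notes (added example, not the author's
tooling). Checks a .jar for: classes under dev/neko/nekoclient or dev/neko/nekoinjector,
method names of the injected shape _<32 hex> in any class's constant pool, signature
files stripped while MANIFEST.MF remains, and the stage hashes quoted in the notes."""
import hashlib
import io
import re
import struct
import zipfile

# SHA-256 hashes quoted in these notes: client.jar, aurelium's de-string-obfuscated
# copy, and the later unobfuscated stage3.
KNOWN_HASHES = {
    "507cd3f6b701dbdbba86b1cb9bf3ac2e80b8176d60e116970c372caeb7e39eba",
    "2687b5e46d061e79952f10e96651fe9955d6b4aebad399a01b73d0b9fd31fd01",
    "611267eb6049f8450021da5dd4b38bebdbd04e9091be090ab10f152732d94bab",
}
SUSPICIOUS_PREFIXES = ("dev/neko/nekoclient/", "dev/neko/nekoinjector/")
# The injected method observed in the sample was _c3b73e691d7f40f1b47d800b0dc8238d.
INJECTED_NAME = re.compile(rb"^_[0-9a-f]{32}$")
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".EC", ".DSA")

# Payload sizes of the fixed-size constant pool entries, by tag (JVM spec section 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 entry in a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return []
    (count,) = struct.unpack_from(">H", class_bytes, 8)  # after magic, minor, major
    pos, idx, out = 10, 1, []
    while idx < count and pos < len(class_bytes):
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the (modified UTF-8) bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            out.append(class_bytes[pos + 2:pos + 2 + length])
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            break  # unknown tag: stop rather than misparse the rest of the pool
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return out


def scan_jar(data):
    """Return a list of human-readable findings for the jar given as bytes."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_HASHES:
        findings.append(f"known stage hash {digest}")
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        for name in names:
            if name.startswith(SUSPICIOUS_PREFIXES):
                findings.append(f"nekoclient/nekoinjector class present: {name}")
            if name.endswith(".class"):
                for const in utf8_constants(jar.read(name)):
                    if INJECTED_NAME.match(const):
                        findings.append(f"{name}: injected-looking method name {const.decode()}")
        # An infected jar keeps MANIFEST.MF but loses its signature files. An unsigned
        # jar is normal on its own, so this is only reported alongside another finding.
        signed = any(n.startswith("META-INF/") and n.endswith(SIGNATURE_SUFFIXES) for n in names)
        if findings and "META-INF/MANIFEST.MF" in names and not signed:
            findings.append("manifest present but no signature files (signing removed)")
    return findings


def _constructed_class(utf8_names):
    """Constructed class-file prefix (magic, version, constant pool only) for the demo."""
    pool = b"".join(struct.pack(">BH", 1, len(n)) + n for n in utf8_names)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(utf8_names) + 1) + pool


def build_sample_jar(infected):
    """Constructed sample: a Minecraft-looking main class, either clean or 'infected'."""
    consts = [b"net/minecraft/client/main/Main", b"<clinit>"]
    if infected:
        consts.append(b"_c3b73e691d7f40f1b47d800b0dc8238d")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if not infected:
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("net/minecraft/client/main/Main.class", _constructed_class(consts))
    return buf.getvalue()


if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        print(label, scan_jar(build_sample_jar(infected)))
```

To use it on real files, pass the bytes of each .jar in a mods or plugins directory to scan_jar; the name-shape check is a heuristic (any method matching _<32 hex> is reported), so treat a hit as a reason to inspect the class's <clinit> rather than as proof by itself.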
Functionality of client.jar (obfuscated name / deobfuscated name in parentheses):
- (dev.neko.nekoclient.o.e.*)
- Performs DDoS attacks on the server's instruction (dev.neko.nekoclient.q.e.e.j / deobf: dev.neko.nekoclient.packet.listener.impl.DDoSPacketListener)
- Runs arbitrary shell commands (dev.neko.nekoclient.q.e.e.h / deobf: dev.neko.nekoclient.packet.listener.impl.CommandPacketListener)
- Sends data to a remote server on the command & control server's instruction (dev.neko.nekoclient.q.e.e.m / deobf: dev.neko.nekoclient.packet.listener.impl.ProxyPacketListener)
- Hardware ID collection (dev.neko.nekoclient.e.m / deobf: dev.neko.nekoclient.utils.HardwareIDUtil)
- Steals Minecraft login credentials (dev.neko.nekoclient.api.e.y.* / deobf: dev.neko.nekoclient.api.stealer.msa.*)
- Steals Discord login information (dev.neko.nekoclient.api.e.q.* / deobf: dev.neko.nekoclient.api.stealer.discord.*). It also requests https://discord.com/api/v9/users/@me/billing/payment-sources. I'm not sure what can be retrieved from here. (dev.neko.nekoclient.q.e.e.i / deobf: dev.neko.nekoclient.packet.listener.impl.RequestDiscordPacketListener)
- Steals browser cookies and logins (dev.neko.nekoclient.api.e.e.* / deobf: dev.neko.nekoclient.api.stealer.browser.*)
- Steals information from the Exodus wallet client (dev.neko.nekoclient.q.e.e.A / deobf: dev.neko.nekoclient.packet.listener.impl.RequestExodusPacketListener)
- Checks for the user account WDAGUtilityAccount, and claims it's "escaping" a sandbox. No idea if it works or what it's achieving.
- Hijacks cryptocurrency addresses on the clipboard. The addresses found in this sample are:
  bc1q75kyl5s9l8kmtuhspkr7e8cen9r5dx78fxfe8h
  LQzR1f6b3ztnSqxGZs1wtXnkwin4MeBfPc
  0x31683c675a3677E226496CC3F4E028c8577d30FA
  rGGzBfSXy7C8Wcg3HE4ff7rchzTfoamZy3
  49GsAVEgVt72YA59Ns5gvp2w6yq8GiV9dcHawwt6GEEjK3AxPaQie5TUvLyGULSixg44fiu8RnBcUQ6bENATixZYLXVbLq8
  qrp6alx43p0y59j7nd8cql24twk2hdk6hy4ecsv32h
  DSL7DgnebZ6D5qssKKWfG5VV2PeMd7qZQw
Notes on the analysis:
- I worked from a .jar with the string obfuscation stripped, thanks to aurelium.
- Decompiler flags used: -rbr=false -rsy=false -udv=false -lac=true. Most important of these flags are the ones to not ignore synthetic methods - the obfuscator seems to have marked methods/fields as synthetic to hide them from the output of most decompilers.
- Regarding hook.dll, I can confirm NotNite's analysis of it:
  - It exports Java_dev_neko_nekoclient_api_windows_WindowsHook_retrieveClipboardFiles, which is used to download data relating to the clipboard. This does not seem to be used to send to the server, but only as part of the Windows Sandbox escape code?
  - It exports Java_dev_neko_nekoclient_api_windows_WindowsHook_retrieveMSACredentials, which is used to retrieve Microsoft Live credentials. This only seems to be used to log into Minecraft, and is not directly delivered to the command&control server, strangely, at least in the version I have.

Raw notes: I wrote these notes while I was reverse engineering the malware and cleaned them up after. These are probably still messy.
Package dev.neko.nekoclient.packet - communication between client.jar and the command & control server. Notable classes are:
- dev.neko.nekoclient.packet.Packet - encodes/decodes the data sent to/from the server
- dev.neko.nekoclient.packet.listener.PacketListener - handles setting up the instance of dev.neko.nekoclient.q.C for actually sending data to the server. Sometimes the stealing/encoding is here, sometimes it's in the other class. Can't tell why exactly yet. Code pattern implies this has a <T> type parameter corresponding to the associated PacketType.
- dev.neko.nekoclient.packet.impl.NoncePacket - seems to be a root class that all packets sent to/from the server implement. Implements PacketType.

Package dev.neko.nekoclient.packet.impl

Package dev.neko.nekoclient.packet.listener.impl:
- dev.neko.nekoclient.packet.listener.impl.CommandPacketListener - Runs an arbitrary shell command on the system. Wee.
- dev.neko.nekoclient.packet.listener.impl.DDoSPacketListener - Apparently this bot has a button for making a DDOS!! Lovely. :D D:
- dev.neko.nekoclient.packet.listener.impl.DisconnectPacketListener - Seems to make the client disconnect.
- dev.neko.nekoclient.packet.listener.impl.HelloPacketListener - Sends metadata relating to the user operating system, basic user information, and the version of the client.
- dev.neko.nekoclient.packet.listener.impl.ProxyPacketListener - Allows the server to tell a client to send data to a remote server. Haven't looked too closely at the details.
- dev.neko.nekoclient.packet.listener.impl.RequestBrowserDataPacketListener - Handles extracting browser cookies and logins.
- dev.neko.nekoclient.packet.listener.impl.RequestDiscordPacketListener - Handles extracting Discord login information.
- dev.neko.nekoclient.packet.listener.impl.RequestExodusPacketListener - Handles extracting information from the Exodus wallet client.
- dev.neko.nekoclient.packet.listener.impl.RequestMSAPacketListener - Handles extracting Minecraft login information.
- dev.neko.nekoclient.packet.listener.impl.UpdateModulePacketListener - Sets whether a module is enabled or not. Of note, the only module that seems to exist is the one for cryptocurrency hijacking on the clipboard.

Package dev.neko.nekoclient.api.info - used by Client.

Package dev.neko.nekoclient.api.windows.vmescape

Package dev.neko.nekoclient.api.stealer.discord

Package dev.neko.nekoclient.api.stealer.browser:
- dev.neko.nekoclient.api.stealer.browser.impl.BrowserDataStealer - main class for extracting browser info
- dev.neko.nekoclient.api.stealer.browser.BrowserData - stores all login data
- dev.neko.nekoclient.api.stealer.browser.impl.credential.Credential - stores login information
- dev.neko.nekoclient.api.stealer.browser.cookie.Cookie - stores cookie information
- dev.neko.nekoclient.api.stealer.browser.impl.decrypt.chrome.ChromeDecryptor - handles decrypting Chrome secret information
- dev.neko.nekoclient.api.stealer.browser.impl.decrypt.mozilla - because of the obfuscation, its Library definitions no longer match the methods actually found in nss3. As a result, decrypting user passwords for Firefox-based browsers is broken, at least in the version I have a sample of.

Package dev.neko.nekoclient.api.stealer.msa:
- dev.neko.nekoclient.api.stealer.msa.auth.ClientType - appears to store different API keys that may be used to log into Minecraft with
- dev.neko.nekoclient.api.stealer.msa.auth.credentials.MinecraftCredentials - stores Minecraft login tokens
- dev.neko.nekoclient.api.stealer.msa.impl.MSAStealer.RefreshToken - seems to be the root class for storing Minecraft logins
- dev.neko.nekoclient.api.stealer.msa.impl.MSAStealer - actually does the stealing of credentials

Package dev.neko.nekoinjector