Malicious Plugin “Noobdoor”: Threat Analysis and Naked Mole-Rat Infestation


In the vast and dynamic realm of Minecraft, where creativity knows no bounds, plugins serve as the backbone of innovation, enabling server owners to enhance gameplay and offer unique experiences to players. However, amidst the plethora of plugins, lies a lurking danger – vulnerabilities that can compromise server integrity and player data. In this exposé, we delve into the intricacies of a seemingly innocuous Minecraft plugin, uncovering its capabilities, pitfalls, and the potential risks it poses to server security.

Noobdoor is a Minecraft plugin designed to provide a wide range of backdoor functionality within the game. It offers various commands and capabilities that allow users to manipulate the game environment, access system information, execute commands on the host machine’s backend, establish remote console access, and perform remote backups. However, it’s worth noting that while the plugin is feature-rich, it exhibits concerning behaviors and lacks sophistication, as evidenced by hardcoded API requests and other amateurish script-kiddie practices.

Features we identified:

  1. Basic Backdoor Commands:
    • forcelogin [player]: Forcefully log in a player (for backdoor control).
    • forcelogout [player]: Forcefully log out a player (for backdoor control).
  2. Advanced Backdoor Commands:
    • clearlogs: Clear all logs.
    • delplugin [plugin]: Delete a plugin.
    • delserver: Delete the server (only saves infected plugin).
    • downloadserver: Uploads the server to a remote server.
    • install [link]: Install a plugin from a link (ending in .jar).
    • setpass [password]: Set a password for the server.
    • liveshare: Remote console.
  3. Exploitative Commands:
    • banall: Ban everyone.
    • cmdsetup: Set up random command blocks.
    • deldata: Delete all plugin data.
    • errorban [player]: Error ban a player.
    • errorbanall: Error ban everyone.
    • mineinfo: Attempt to steal the Minehut account using a threatening message.
    • Nickall [nickname]: Nickname all players.
    • SudoAll: Sudo all players.
  4. Administrative Commands:
    • console [command]: Execute a command in the console.
    • consoleshow: Share the console.
    • disablesk: Disable all Skripts.
    • dupe [amount]: Duplicate an item.
    • echest [player]: View a player’s Ender Chest.
    • enablesk: Enable all Skripts.
    • errorkick [player]: Error kick somebody.
    • errorkickall: Error kick everyone.
    • fly: Enable flying.
    • freeze [player]: Freeze a player.
    • gmall: Set everyone into gamemode survival.
    • invsee [player]: View a player’s inventory.
    • leakips: Leak everyone’s IP addresses.
    • motdset: Set the MOTD.
    • resetpd: Reset all player data.
    • scrapetoken: Scrape DiscordSRV token and config file.
    • seed: Get the world seed.
    • skill: Spam kill someone.
    • skillstop: Stop spam killing everyone.
    • spamconsole: Spam the console.
    • spy: Spy on players’ commands.
    • sstrike: Spam strike someone.
    • sudo: Sudo someone.
    • tp [to player] [tp player]: Teleport a player.
  5. Event Handling:
    • OnJoinWhenBanned: Unbans you if you’re banned when joining.
    • AntiSudo: Prevent others from sudoing you.
    • AntiDeop: Prevent others from deoping you.
    • AntiKickBan: Avoid getting kicked or banned.
  6. System Information Extraction:
    • Displaying system information such as operating system, Java version, available processors, system load average, memory usage, network interfaces, hostname, disk space, system uptime, timezone, architecture, locale, etc.
    • Executing system commands to retrieve additional information such as GPU details, system processes, BIOS information, CPU information, memory information, and power management information.

IOCs (Indicators of Compromise):

  • DNS, HTTP, or HTTPS requests to the domain “noobdoor[.]wtf.”
  • DNS, HTTP, or HTTPS requests to the domain “noobdoorrr[.]000webhostapp[.]com.”
  • Any console line mentioning “NoobDoor” may indicate potential security threats.
  • Repeated spam of the letter “e” in the console upon server start could signify underlying security vulnerabilities.
  • Presence of a plugin whose name contains “NoobDoor”.
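The indicators above can be checked mechanically against a server’s console log and its plugins/ directory. The following script is an added example (not code from the write-up or from the plugin) that flags the two C2 domains, any mention of “NoobDoor”, and the “e” spam line; the log lines and file names it runs over are constructed for illustration, and the console prefix format it strips is an assumption based on common Spigot/Paper output.

```python
import re
from typing import Dict, List

# Indicators from the write-up; the regex also accepts the defanged "[.]" form.
DOMAIN_RE = re.compile(r"noobdoor(?:rr)?(?:\.|\[\.\])(?:wtf|000webhostapp(?:\.|\[\.\])com)", re.I)
NAME_RE = re.compile(r"noobdoor", re.I)
# A line that, after optional "[time LEVEL]:" prefixes (assumed format), is only a run of 'e'.
E_SPAM_RE = re.compile(r"^(?:\[[^\]]*\]:?\s*)*e{10,}\s*$", re.I)


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per matching line: line number, IOC kind, and the raw text."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        if DOMAIN_RE.search(line):
            findings.append({"line": n, "ioc": "c2-domain", "text": line})
        elif NAME_RE.search(line):
            findings.append({"line": n, "ioc": "plugin-name", "text": line})
        elif E_SPAM_RE.match(line):
            findings.append({"line": n, "ioc": "e-spam", "text": line})
    return findings


def suspicious_plugin_files(filenames: List[str]) -> List[str]:
    """Filter a plugins/ directory listing down to jars whose name contains NoobDoor."""
    return [f for f in filenames if f.lower().endswith(".jar") and NAME_RE.search(f)]


# Constructed sample console lines (not real server output) showing each indicator once.
SAMPLE_LOG = [
    "[12:00:01 INFO]: [NoobDoor] Enabling NoobDoor v1.0",
    "[12:00:01 INFO]: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
    "[12:00:02 INFO]: Resolving noobdoor.wtf for backup upload",
    "[12:00:03 INFO]: Done (2.1s)! For help, type \"help\"",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ioc']}: {hit['text']}")
    print(suspicious_plugin_files(["Essentials.jar", "NoobDoor-1.0.jar", "noobdoor.txt"]))
```

In practice, point `scan_log_lines` at `logs/latest.log` and `suspicious_plugin_files` at `os.listdir("plugins")`; a C2-domain hit should also be corroborated with the host’s DNS or firewall logs.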

Unveiling the Script Kiddie

Upon scrutinizing the plugin’s code, it became abundantly clear that its creator was nothing more than a script kiddie masquerading as a skilled developer. The laughable attempt at obfuscation left gaping holes in the plugin’s security, allowing us to dissect its inner workings with ease. His blatant disregard for basic security practices was evident in the hardcoded endpoints pointing to “localhost,” a rookie mistake that even a novice coder wouldn’t make. His incompetence was further highlighted by the inclusion of an expired domain, rendering several features dysfunctional. The lack of effort in obfuscating the code only served to fuel our amusement as we uncovered one flaw after another. To add insult to injury, his failure to mask his tracks led us straight to his doorstep in Midleton, Munster, Ireland. It was almost comical how he thought he could get away with it using his regular internet connection. And oh, the cherry on top – leaving an open endpoint for file uploading on his C2 server. Needless to say, we couldn’t resist having a little fun with it.

Disruption Efforts Against the Threat Actor

In response to the nefarious activities orchestrated by the threat actor, our team swiftly executed several strategic maneuvers to disrupt their operations and mitigate potential harm to our users and the wider online community. First and foremost, we implemented stringent network-level controls to block all incoming and outgoing connections to the command-and-control (C2) servers associated with the malicious plugin. By severing the link between the malware and its central infrastructure, we effectively neutralized its ability to execute commands and exfiltrate data.

Simultaneously, we proactively engaged with the hosting provider responsible for hosting the C2 server (000webhost/Hostinger), promptly reporting the illicit activities taking place on their platform. This proactive measure aimed to enlist their support in swiftly terminating the malicious server and preventing further harm. Furthermore, recognizing the threat actor’s reliance on their internet service provider for connectivity, as no VPN was used, we lodged formal complaints with EIRCOM, the ISP identified through our investigative efforts.

Taking a multifaceted approach to dismantling the threat actor’s infrastructure, we also targeted the communication channels used for coordinating malicious activities. We reported the Discord server, which served as a hub for disseminating malware and coordinating attacks, to Discord’s Trust and Safety team. Subsequently, we identified and reported the threat actor’s individual Discord account, leveraging insights gleaned from the malware code and the associated server.

In a bid to empower the wider cybersecurity community and facilitate deeper analysis of the malicious plugin, we will make the malware source code readily accessible for download. This transparent approach not only fosters collaborative efforts in dissecting and understanding the inner workings of such threats but also enhances collective resilience against future attacks.

However, our response didn’t stop there. Leveraging an unsecured file upload endpoint uncovered within the malware code—originally intended for server zips used in data exfiltration—we executed a mischievous yet harmless act. Utilizing this endpoint, we proceeded to upload 10,000 instances of a particular image: a naked mole rat. This cheeky gesture served as a playful reminder of the consequences of engaging in malicious activities and a testament to our commitment to combat cyber threats with both vigilance and a touch of humor.

The swift and decisive actions undertaken by our security teams in response to the threat posed by the malicious plugin serve as a testament to our unwavering commitment to safeguarding the digital landscape and protecting our users from harm. While this incident highlights the proactive measures we employ to detect, mitigate, and neutralize cyber threats, it is but one example of the daily activities undertaken by our dedicated security professionals.

In an ever-evolving threat landscape where adversaries continually seek new avenues to exploit vulnerabilities and compromise security, our vigilance remains steadfast. By leveraging advanced detection mechanisms, proactive threat intelligence, and strategic partnerships within the cybersecurity community, we stand poised to defend against emerging threats and uphold the integrity of our platforms.

As we navigate the complexities of cyberspace, our resolve to prioritize user safety and maintain the trust bestowed upon us remains unwavering. Each challenge we encounter serves as an opportunity to enhance our defenses, refine our response capabilities, and fortify our collective resilience against malicious actors.

Together, with a shared commitment to security excellence, we remain steadfast in our mission to create a safer online environment for all.

Stay safe 🙂