Microsoft alerts to new Minecraft DDoS Malware infecting Windows and Linux

A cross-platform new malware botnet, dubbed ‘MCCrash,’ infects Windows, Linux and IoT devices in order to carry out distributed denial of services attacks against Minecraft servers.

Microsoft Threat Intelligence Team discovered the botnet and reported that it could infect other devices. It can also spread to other networks by using brute-forcing SSH credentials.

Microsoft’s new report explains that “our analysis of DDoS botnet showed functionalities designed specifically to target private Minecraft Java server using crafted packets. Most likely, as a service sale on forums or darknet websites.”

Most of the MCCrash-infected devices are currently located in Russia. However, there are victims also in Mexico, India, Kazakhstan and Singapore.

MCCrash victims heatmap


DDoS attacks on Minecraft servers can often be used to server users or in an attempt to extort.

mitigated a 2.5TBBS DDoS attack on Wynncraft in October 2022. This was the biggest ever recorded.

Pirated software is a good start

Microsoft claims that MCCrash is first introduced to devices by users installing fake Windows activator tools or trojanized Microsoft Office licence activators (KMS)

Cracking tools include malicious PowerShell codes that can download a file called’svchosts.exe’, which launches the main botnet payload’

Attack methods in script

Source: BleepingComputer

MCCrash attempts then to spread to all devices in the network through brute-force SSH attack on IoT or Linux devices.

The botnet is spread by collecting default credentials from internet-exposed Secure Shell(SSH) enabled devices.

These devices may be vulnerable to botnet attacks because they are often enabled for remote configuration using potentially unsecure settings.

Because the botnet is a spreading threat that can only be eliminated from infected sources PCs, the malware could remain on networked IoT devices and operate in the same way as the botnet. – Microsoft.

Both Windows and Linux can be used to execute the malicious Python file. It launches the malicious Python file and establishes TCP communication channels with C2 via port 4676.

On Windows, MCCrash establishes persistence by adding a Registry value to the “SoftwareMicrosoftWindowsCurrentVersionRun” key, with the executable as its value.

The botnet’s infection and attack chain


Attacking Minecraft servers

Based on the OS type of the initial communication, the botnet receives encrypted commands at the C2 server.

To execute the command, the C2 will send the following commands to the MCCrash infected device:

Commands the C2 sends to MCCrash


The majority of these commands are focused on DDoS attacks against Minecraft servers. Among them, ‘ATTACK_MCCRASH’ is the most prominent because it uses a unique method to crash the target server.

Microsoft claims that the botnet was created by threat actors to attack Minecraft Server Version 1.12.2. However, all versions of Minecraft Server starting at 1.7.2 up to 1.18.2 can be vulnerable.

Minecraft server version market share


MINE], and ATTACK_MCDATA commands.

However, many Minecraft servers still use older versions of Minecraft, with most being located in France, Germany and the United States.

Vulnerable Minecraft server distribution


“This threat’s unique capability to use IoT devices which are not often monitored as part the botnet significantly increases its impact and decreases its chances being detected,” .

Protect your IoT devices against botnets by keeping their firmware current, changing default credentials to a long, strong password and disabling SSH connections when not required.