A botnet targeting the servers of the popular online game Minecraft can spread onto different platforms, Microsoft security researchers have warned. The botnet, MCCrash, is capable of taking over Linux-based devices despite originating as malware in Microsoft software. MCCrash has been designed to launch distributed denial of service (DDoS) attacks on Minecraft servers.

Minecraft servers targeted by botnet than runs on both Linux and Microsoft. (Photo by PREMIO STOCK/Shutterstock)

The botnet, known by researchers DEV-1028, has specific spreading capabilities that allow it to originate in malicious software downloaded on Windows, to then spread onto Internet of Things (IoT) connected devices running on Linux. This enables its infrastructure to grow rapidly.

How does MCCrash malware infiltrate Linux devices?

The malware is uploaded through illegally downloaded Windows operating system licences, Microsoft believes. Once uploaded, it has the ability to run on both Windows and Linux-based devices.

The botnet is then used to launch DDoS attacks against Minecraft servers, “using known server DDoS commands and unique Minecraft demands,” according to Microsoft. All versions of Minecraft between 1.7.2 and 1.18.2 can be affected by this method of attack.

It spreads to connected Linux devices by trying to access them using default security credentials, which are often left unchanged after the devices are set up. “Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet,” Microsoft says.

Most of those affected appear to be in Russia, with other victims reported in Kazakhstan, Uzbekistan, Ukraine, Belarus Czechia, Italy, India and Indonesia. Microsoft did not disclose the scale of the campaign.

Malware targeting insecure IoT devices running on Linux is on the rise. According to a report from security vendor Trend Micro, there was a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022. 

A Crowdtrike report says there was a 35% increase year-on-year of malware targeting Linux devices, the primary goal of which was to “pull them into a botnet and use them for DDoS attacks.”

“This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure,” Microsoft’s blog post says.

Read more: Ten-point plan to boost open source security revealed