Update log
Full Project Zomboid update
On April 7th, we received reports from multiple users regarding a mod that was allegedly generating malicious code when run. We immediately investigated the mod in question, which contained heavily obfuscated code, and confirmed that it was creating malicious files outside of the Project Zomboid directory.
Further investigation revealed that the same user had uploaded a total of 14 mods, all containing the same exploit. These mods had been installed on between 500 and 2200 devices. The user has since been banned, and all affected mods have been removed from the Steam Workshop.
At this time, the full scope and behavior of the malicious files have not been fully determined. However, because these mods were capable of creating files outside the game directory, we strongly recommend that anyone who downloaded them take appropriate security measures to ensure their system is safe. Simply uninstalling the mods is not sufficient.
Affected Mods
Risk of Rain 2 OST (True MoooZIC) Workshop ID: 3681934105 - Mod ID: RiskOfRain2Music
Risk of Rain 1 OST (True MoooZIC) Workshop ID: 3681810963 - Mod ID: RiskOfRain1Music
NieR: Automata OST (True MoooZIC) Workshop ID: 3681765529 - Mod ID: NierAutomataMusic
Katana ZERO OST (True MoooZIC) Workshop ID: 3681764942 - Mod ID: KatanaZeroMusic
Persona 5 OST (True MoooZIC) Workshop ID: 3681756112 - Mod ID: Persona5Music
Jujutsu Kaisen S1 OST (True MoooZIC) Workshop ID: 3681755051 - Mod ID: JujutsuKaisenMusic
Hotline Miami 2: Wrong Number OST (True MoooZIC) Workshop ID: 3681719339 - Mod ID: HotlineMiami2Music
Hotline Miami OST (True MoooZIC) Workshop ID: 3681718339 - Mod ID: HotlineMiami1Music
Silent Hill OST (True MoooZIC) Workshop ID: 3681477980 - Mod ID: SilentHillMusic
Cowboy Bebop OST (True MoooZIC) Workshop ID: 3681476976 - Mod ID: CowboyBebopMusic
Metal Gear Rising: Revengeance Vocal Tracks (True MoooZIC) Workshop ID: 3681339955 - Mod ID: MGRRevengeanceMusic
Classic Roblox Music (True MoooZIC) Workshop ID: 3681335952 - Mod ID: RobloxClassicMusic
DELTARUNE Ch3+4 Music (True MoooZIC) Workshop ID: 3681334251 - Mod ID: DeltaruneCh34Music
Minecraft Alpha+Beta OST (True MoooZIC) Workshop ID: 3680972796 - Mod ID: MinecraftClassicMusic
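A local check for traces of the mods listed above, as an added example that is not part of the original announcement or any official tooling. It assumes Steam's usual `steamapps/workshop` layout and that Project Zomboid's Steam app ID is 108600 (neither is stated on this page); the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# Workshop ID -> Mod ID, copied from the "Affected Mods" list on this page.
AFFECTED = dict(pair.split(":") for pair in """
3681934105:RiskOfRain2Music 3681810963:RiskOfRain1Music 3681765529:NierAutomataMusic
3681764942:KatanaZeroMusic 3681756112:Persona5Music 3681755051:JujutsuKaisenMusic
3681719339:HotlineMiami2Music 3681718339:HotlineMiami1Music 3681477980:SilentHillMusic
3681476976:CowboyBebopMusic 3681339955:MGRRevengeanceMusic 3681335952:RobloxClassicMusic
3681334251:DeltaruneCh34Music 3680972796:MinecraftClassicMusic
""".split())
PZ_APP_ID = "108600"  # assumption: Project Zomboid's Steam app ID, not stated on the page
# Whole-token match so an ID embedded in a longer number or name does not count.
TOKEN = re.compile(r"(?<![A-Za-z0-9_])(%s)(?![A-Za-z0-9_])"
                   % "|".join(map(re.escape, [*AFFECTED, *AFFECTED.values()])))
BY_MOD_ID = {mod: wid for wid, mod in AFFECTED.items()}

def tokens(text: str) -> set[str]:
    return {m.group(1) for m in TOKEN.finditer(text)}

def scan_steam_library(steamapps: Path) -> list[tuple[str, str]]:
    """(workshop_id, evidence) for affected items still on disk or in Steam's manifest."""
    workshop = Path(steamapps) / "workshop"
    content = workshop / "content" / PZ_APP_ID  # assumed layout: content/<app id>/<workshop id>
    hits = [(wid, f"content folder {content / wid}") for wid in AFFECTED if (content / wid).is_dir()]
    manifest = workshop / f"appworkshop_{PZ_APP_ID}.acf"  # assumed manifest name
    if manifest.is_file():
        found = tokens(manifest.read_text(errors="replace")) & set(AFFECTED)
        hits += [(wid, f"entry in {manifest.name}") for wid in sorted(found)]
    return hits

def scan_references(root: Path, suffixes=(".ini", ".txt", ".info", ".lua")) -> list[tuple[str, str]]:
    """(workshop_id, evidence) for text files that still name an affected mod, such as
    a mod list or server config kept after the mod itself was unsubscribed."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            for token in sorted(tokens(path.read_text(errors="replace"))):
                hits.append((BY_MOD_ID.get(token, token), f"'{token}' referenced in {path}"))
    return hits

if __name__ == "__main__":  # args: <steamapps dir> [<dir with game configs/saves> ...]
    found = [h for a in sys.argv[1:2] for h in scan_steam_library(Path(a))]
    found += [h for a in sys.argv[2:] for h in scan_references(Path(a))]
    for wid, evidence in found:
        print(f"{wid} ({AFFECTED[wid]}): {evidence}")
    sys.exit(1 if found else 0)
```

A hit shows only that an affected mod was present or referenced on the machine; it does not locate or remove the files the mods created outside the game directory.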
Additional Information
This exploit only affected Build 42 branches. Build 41 was not vulnerable to this specific issue.
The security updates released for Build 41 today address a separate vulnerability identified during an internal audit. At this time, we have found no evidence that this separate vulnerability has been exploited.
As with previous security fixes, we have updated the outdatedunstable branch to match the unstable branch to avoid leaving a known vulnerability accessible. Going forward, outdatedunstable will continue to lag one content update behind unstable.
Quick Update Notice
We have seen a lot of people misunderstanding this situation. The affected mods above are not the True Moozic mod, nor were they created by the author of the True Moozic mod. The affected mods were simply add-ons for True Moozic. They did not leverage the True Moozic mod as part of the exploit, and they were made without the consent of the True Moozic mod's author.
As mentioned above, the perpetrator has been banned and is no longer able to upload to the Workshop. All of the affected mods have also been removed from the Workshop. If you see a mod on the Workshop, it was not part of this incident.
As always, discussions regarding this update can be found pinned to the Project Zomboid Discussions Forums here.
