A popular open-source game engine called Godot Engine is being abused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024.
“Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware,” Check Point said in a new analysis published Wednesday. “The technique remains undetected by almost all antivirus engines in VirusTotal.”
It is no surprise that threat actors are constantly on the lookout for new tools and techniques that can help them deliver malware while sidestepping detection by security controls, even as defenders continue to erect new guardrails.
The latest addition is Godot Engine, a game development platform that allows users to design 2D and 3D games across platforms, including Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web.
The multi-platform support also makes it an attractive implement in the hands of adversaries, who can now leverage it to target and infect devices at scale, effectively broadening the attack surface.
What makes the campaign stand out is that it leverages the Stargazers Ghost Network – in this case, a set of about 200 GitHub repositories and more than 225 bogus accounts – as a distribution vector for GodLoader.
“These accounts have been starring the malicious repositories that distribute GodLoader, making them appear legitimate and safe,” Check Point said. “The repositories were released in four separate waves, primarily targeting developers, gamers, and general users.”
The attacks, observed on September 12, September 14, September 29, and October 3, 2024, were found to use Godot Engine executables, also known as pack (or .PCK) files, to drop the loader malware, which is then responsible for downloading and executing final-stage payloads such as RedLine Stealer and the XMRig cryptocurrency miner from a Bitbucket repository.
In addition, the loader incorporates features to bypass analysis in sandboxed and virtual environments and to add the entire C: drive to the Microsoft Defender Antivirus exclusions list to prevent the detection of malware.
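As an added defender-side example (not code from the article or from Check Point's report), the following Python flags the drive-wide exclusion behaviour described above when run over Microsoft Defender Antivirus configuration-change events (event ID 5007 in the Defender Operational log); the sample event text is constructed and its exact wording and registry layout are an assumption.

```python
import re
from typing import List, Optional

# Constructed sample messages modelled on Microsoft Defender Antivirus
# event 5007 ("configuration has changed"). The wording and the registry
# layout shown are an assumption for this example, not taken from the article.
SAMPLE_EVENTS = [
    r"Microsoft Defender Antivirus Configuration has changed. Old value: New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. Old value: New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\app.exe = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. Old value: New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\svchost.exe = 0x0",
]

# A path exclusion shows up as a value under Exclusions\Paths; "= 0x0" is the
# value written for a newly added exclusion in the assumed format.
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(?P<path>.+?) = 0x0$")


def excluded_path(message: str) -> Optional[str]:
    """Return the path added to the Defender path exclusions, or None."""
    m = EXCLUSION_RE.search(message)
    return m.group("path").strip() if m else None


def is_drive_wide(path: str) -> bool:
    """True when an exclusion covers a whole drive or everything (C:, C:\\, C:\\*, *)."""
    p = path.strip().rstrip("\\")
    return p == "*" or bool(re.fullmatch(r"[A-Za-z]:(\\?\*)?", p))


def find_drive_wide_exclusions(messages: List[str]) -> List[str]:
    """Return every drive-wide exclusion path found in a sequence of 5007 messages."""
    hits = []
    for msg in messages:
        path = excluded_path(msg)
        if path is not None and is_drive_wide(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for p in find_drive_wide_exclusions(SAMPLE_EVENTS):
        print(f"ALERT: drive-wide Defender exclusion added: {p}")
```

The same condition can be checked proactively on a live host with PowerShell's `Get-MpPreference` cmdlet, whose `ExclusionPath` property lists the configured path exclusions.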
The cybersecurity company said GodLoader artifacts are primarily geared towards targeting Windows machines, although it noted that it is trivial to adapt them to infect macOS and Linux systems.
What's more, while the current set of attacks involves the threat actors building custom Godot Engine executables for malware propagation, it could be taken a notch higher by tampering with a legitimate Godot-built game after obtaining the symmetric encryption key used to extract the .PCK file.
This type of attack, however, could be avoided by switching to an asymmetric-key algorithm (aka public-key cryptography) that relies on a public and private key pair to encrypt/decrypt data.
The malicious campaign serves up another reminder of how threat actors continually leverage legitimate services and brands to evade security mechanisms, necessitating that users download software only from trusted sources.
“Threat actors have utilized Godot's scripting capabilities to create custom loaders that remain undetected by many conventional security solutions,” Check Point said. “Since Godot's architecture allows platform-agnostic payload delivery, attackers can easily deploy malicious code across Windows, Linux, and macOS, sometimes even exploring Android options.”
“Combining a highly targeted distribution method and a discreet, undetected technique has resulted in exceptionally high infection rates. This cross-platform technique enhances malware versatility, giving threat actors a powerful tool that can easily target multiple operating systems. This method allows attackers to deliver malware more effectively across various devices, maximizing their reach and impact.”