Check Point Research Identifies Malware Exploiting Godot Engine
Quick take - Check Point Research has discovered a new malware technique, named GodLoader, that exploits the Godot Engine to execute malicious GDScript code, affecting over 17,000 machines across multiple platforms while evading detection by antivirus software.
Fast Facts
- Check Point Research has discovered a new malware technique, GodLoader, exploiting the Godot Engine, allowing execution of malicious GDScript code and evading detection by antivirus engines.
- GodLoader has infected over 17,000 machines since its emergence on June 29, 2024, and is distributed through the Stargazers Ghost Network via GitHub.
- The malware affects multiple platforms, including Windows, macOS, Linux, Android, and iOS, potentially impacting over 1.2 million users of Godot-developed games.
- GodLoader employs advanced techniques such as anti-sandbox measures, multi-threading, and encrypted file formats to enhance its effectiveness and evade detection.
- Users are advised to keep systems updated, be cautious with unknown links, and utilize tools like Check Point Threat Emulation and Harmony Endpoint for protection against these threats.
Check Point Research Uncovers New Malware Technique Exploiting Godot Engine
Check Point Research has identified a sophisticated new technique exploiting the Godot Engine, an open-source game development platform. The technique allows the execution of malicious GDScript code, enabling attackers to trigger harmful commands and deliver malware while evading detection by most antivirus engines on VirusTotal. The malware, known as GodLoader, has been operational since June 29, 2024, and has reportedly infected over 17,000 machines.
Distribution and Impact
GodLoader is distributed through the Stargazers Ghost Network, which functions as a malware distribution service via GitHub. In September and October 2024, approximately 200 repositories were employed to enhance the legitimacy of the malware distribution, with over 225 Stargazers accounts used to facilitate its spread. The malware has affected various platforms, including Windows, macOS, Linux, Android, and iOS. Check Point Research has demonstrated the effectiveness of this technique in deploying payloads on Linux and macOS systems, potentially impacting over 1.2 million users of games developed with Godot.
Evasion Techniques and Recommendations
Attackers can leverage legitimate Godot executables to load malicious scripts. The Godot Engine is recognized for its flexibility and user-friendly interface, supporting multiple programming languages such as GDScript, VisualScript, and C#. The GodLoader technique utilizes .pck files to bundle game assets, which might include malicious GDScript that executes upon loading. The execution environment provided by Godot enables the creation of complex gameplay logic, making it attractive for threat actors.
Over time, the GodLoader technique has evolved, transitioning from using embedded files to separate files, with a shift from unencrypted to encrypted formats. Specific campaigns have been noted on certain dates, and the malicious GDScript incorporates anti-sandbox techniques designed to avoid detection and facilitate the downloading and execution of payloads. Additionally, threat actors have leveraged legitimate platforms like Bitbucket to host extensively downloaded malicious files.
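A defender-side triage helper, added here as an example and not code from Check Point's research or the Godot project: it locates a Godot .pck either as a standalone file or embedded at the tail of an executable (the two delivery forms the article says GodLoader moved between), walks the format-2 directory, and flags script entries and the encrypted-file / encrypted-directory bits that make a bundle unreadable without the export key. The header layout, magic and flag bits are assumptions from my reading of Godot 4's pack format, and `build_pck` / `embed_pck` are constructed sample writers so the block runs offline on constructed input.

```python
import hashlib
import struct

PCK_MAGIC = b"GDPC"           # header magic (assumed, from Godot's file_access_pack.h)
PACK_DIR_ENCRYPTED = 1 << 0   # pack flag: the whole directory is encrypted
PACK_FILE_ENCRYPTED = 1 << 0  # per-file flag: the entry's bytes are encrypted

def build_pck(entries, pack_flags=0, base=0):  # constructed sample writer, format v2
    paths = [p.encode() + b"\0" * (-len(p) % 4) for p, _, _ in entries]  # 4-byte padded
    dir_size = 4 + sum(len(p) + 40 for p in paths)  # count + (len, path, ofs, size, md5, flags)
    out = PCK_MAGIC + struct.pack("<5IQ", 2, 4, 2, 0, pack_flags, base + 96 + dir_size)
    out += b"\0" * 64 + struct.pack("<I", len(entries))  # 16 reserved words, then file count
    blob = b""
    for raw, (_, data, flags) in zip(paths, entries):  # flags are recorded, nothing is encrypted
        out += struct.pack("<I", len(raw)) + raw + struct.pack("<QQ", len(blob), len(data))
        out += hashlib.md5(data).digest() + struct.pack("<I", flags)
        blob += data
    return out + blob

def embed_pck(stub, pck):  # constructed: host binary + [pck][pad][u64 size]['GDPC'] trailer
    pad = -(len(pck) + 12) % 8
    return stub + pck + b"\0" * pad + struct.pack("<Q", len(pck) + pad) + PCK_MAGIC

def inspect_pck(buf):
    """Locate a standalone or embedded pck and describe its directory without loading it."""
    start = 0
    if buf[:4] != PCK_MAGIC and buf[-4:] == PCK_MAGIC:  # trailer points back at the header
        start = len(buf) - 12 - struct.unpack_from("<Q", buf, len(buf) - 12)[0]
    if buf[start:start + 4] != PCK_MAGIC:
        raise ValueError("no GDPC header at file start or at the embedded-pck trailer offset")
    version, major, minor, patch = struct.unpack_from("<4I", buf, start + 4)
    pos, pack_flags, files_base = start + 20, 0, 0
    if version == 2:  # Godot 4 adds pack flags and a base offset for file data
        pack_flags, files_base = struct.unpack_from("<IQ", buf, pos)
        pos += 12
    pos += 64  # reserved words
    report = {"embedded": start != 0, "engine": f"{major}.{minor}.{patch}",
              "dir_encrypted": bool(pack_flags & PACK_DIR_ENCRYPTED), "files": []}
    if report["dir_encrypted"]:
        return report  # names need the export key; the flag itself is the triage signal
    count, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
    for _ in range(count):
        (sl,) = struct.unpack_from("<I", buf, pos)
        path = buf[pos + 4:pos + 4 + sl].rstrip(b"\0").decode()
        ofs, size = struct.unpack_from("<QQ", buf, pos + 4 + sl)  # a 16-byte md5 follows
        flags = struct.unpack_from("<I", buf, pos + 36 + sl)[0] if version == 2 else 0
        pos += 36 + sl + (4 if version == 2 else 0)
        report["files"].append({"path": path, "offset": files_base + ofs, "size": size,
            "encrypted": bool(flags & PACK_FILE_ENCRYPTED), "script": path.endswith((".gd", ".gdc"))})
    return report
```

A bundle whose directory or script entries carry the encrypted bit, or whose host executable is a stock Godot runtime with a pck appended, is worth pulling for closer analysis rather than trusting it as a game.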
To mitigate these threats, users are advised to keep their systems updated, exercise caution with links from unknown sources, and enhance cybersecurity awareness. Check Point Threat Emulation and Harmony Endpoint are recommended for protection against the tactics and malware families outlined in this report.
The Godot community comprises over 2,700 developers and continues to receive approximately $61,500 monthly in donations to support its ongoing development and security efforts.