Key Points/Topics | Details |
---|---|
Discovery | Check Point Research uncovered a new technique using the Godot Engine to execute malicious GDScript and deliver malware. This technique is undetected by most antivirus engines on VirusTotal. |
Loader Name | GodLoader – a loader utilizing this technique, active since June 29, 2024. |
Infection Statistics | Over 17,000 machines infected using this technique. |
Distribution Method | Distributed by the Stargazers Ghost Network, a GitHub-based malware-as-a-service (MaaS) network. |
Campaign Details | 200+ repositories and 225+ Stargazers accounts were used to legitimize repositories distributing GodLoader. |
Cross-Platform Targeting | Targets multiple platforms: Windows, macOS, Linux, Android, and iOS. Demonstrated infections on Linux and macOS. |
Potential User Risk | Over 1.2 million Godot game users are at risk due to malicious scripts delivered as mods or downloadable content. |
Godot Engine Overview | Open-source, feature-rich game engine supporting GDScript (Python-like), VisualScript, and C#. Allows cross-platform game development. |
GodLoader Technique | Uses malicious GDScript within .pck files executed via the Godot Engine. Initially embedded .pck files were used; newer samples use external .pck files with encryption. |
Proof of Concepts (PoCs) | Linux PoC: downloads and executes a payload using wget. macOS PoC: similar to Linux, uses wget to download and execute payloads. |
Campaign Timeline | Campaigns executed on September 12, 2024; September 14, 2024; September 29, 2024; and October 3, 2024. |
Malicious Repository Strategy | Repositories starred by multiple accounts and frequently updated with GitHub actions to enhance visibility. |
Anti-Detection Techniques | – Sandbox evasion using 3D Video Acceleration checks. – Anti-VM techniques like verifying GPU names and system storage size. |
Payload Execution Process | – Adds C:\ drive to Microsoft Defender exclusions. – Downloads and executes payloads hosted on bitbucket.org. |
Payloads Identified | – XMRig Miner (first discovered June 29, 2024). – RedLine Stealer (updated versions detected on July 6 and August 7, 2024). |
Malware Hosting | Malicious payloads downloaded from bitbucket.org, indicating abuse of a legitimate platform. |
Impact of GodLoader | Demonstrates how legitimate game engines can be exploited for malware delivery, posing significant risks to developers and players. |
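
The rows above say GodLoader hides its GDScript in .pck archives, first embedded in the game executable and later shipped as separate, encrypted .pck files. The script below is an added triage example, not code from Check Point Research or the Godot project: it recognises both forms by reading the PCK header the way Godot's own loader does (the "GDPC" magic at the start of a standalone archive, or at the end of an executable with the archive's size stored just before it) and reports the engine version and, for Godot 4 format-2 packs, whether the directory is flagged as encrypted. The sample inputs at the bottom are constructed here for demonstration and are not real GodLoader artifacts; the bit position of the encrypted-directory flag is taken from the Godot 4 pack format and is the one assumption a reader should verify against the engine version they support.

```python
"""Triage helper: does a file carry a Godot PCK archive, and is it encrypted?

Added example, not code from Check Point Research or the Godot project. It
reads only the header layout Godot's loader itself uses; the sample inputs
below are constructed, not real GodLoader samples.
"""
import struct
from pathlib import Path
from typing import Optional

PCK_MAGIC = b"GDPC"          # Godot pack magic, ASCII "GDPC"
PACK_DIR_ENCRYPTED = 1 << 0  # Godot 4 pack_flags bit for an encrypted directory (assumed layout)
TRAILER_SIZE = 12            # embedded PCK: uint64 size + 4-byte magic at end of file


def parse_pck_header(data: bytes, offset: int = 0) -> Optional[dict]:
    """Parse a PCK header starting at `offset`; None if the magic is absent."""
    if data[offset:offset + 4] != PCK_MAGIC or len(data) < offset + 24:
        return None
    pack_format, major, minor, patch, flags = struct.unpack_from("<IIIII", data, offset + 4)
    # Format 1 (Godot 3) has no flags word; the value read there is a reserved zero.
    encrypted = pack_format >= 2 and bool(flags & PACK_DIR_ENCRYPTED)
    return {
        "offset": offset,
        "pack_format": pack_format,              # 1 = Godot 3.x, 2 = Godot 4.x
        "engine_version": f"{major}.{minor}.{patch}",
        "encrypted_directory": encrypted,
    }


def triage_bytes(data: bytes) -> Optional[dict]:
    """Classify data as a standalone .pck, an executable with an embedded PCK, or neither."""
    header = parse_pck_header(data, 0)
    if header is not None:
        return {"kind": "standalone_pck", **header}
    # Embedded case: Godot looks for the magic in the last 4 bytes, reads the
    # uint64 archive size stored just before it, and expects the magic again at
    # EOF - 12 - size, which is where the appended archive begins.
    if len(data) < TRAILER_SIZE or data[-4:] != PCK_MAGIC:
        return None
    (pck_size,) = struct.unpack_from("<Q", data, len(data) - TRAILER_SIZE)
    start = len(data) - TRAILER_SIZE - pck_size
    if start < 0:
        return None  # size field points before the file; not a valid trailer
    header = parse_pck_header(data, start)
    if header is None:
        return None
    return {"kind": "embedded_pck", "pck_size": pck_size, **header}


def triage_file(path: Path) -> Optional[dict]:
    """Convenience wrapper for scanning files pulled from a cloned repository."""
    return triage_bytes(path.read_bytes())


# --- constructed sample inputs (demonstration only, not real samples) -------

def build_sample_pck(encrypted: bool) -> bytes:
    """Minimal Godot 4 style header with zero files."""
    flags = PACK_DIR_ENCRYPTED if encrypted else 0
    header = PCK_MAGIC + struct.pack("<IIIII", 2, 4, 3, 0, flags)
    header += struct.pack("<Q", 0)        # file_base
    header += b"\x00" * (16 * 4)          # reserved words
    header += struct.pack("<I", 0)        # file count
    return header


def build_sample_exe_with_pck(pck: bytes) -> bytes:
    """Fake 'executable' (an MZ stub) with a PCK appended the way Godot exports it."""
    stub = b"MZ" + b"\x00" * 62
    return stub + pck + struct.pack("<Q", len(pck)) + PCK_MAGIC


if __name__ == "__main__":
    samples = [
        ("plain.pck", build_sample_pck(False)),
        ("encrypted.pck", build_sample_pck(True)),
        ("game.exe", build_sample_exe_with_pck(build_sample_pck(True))),
        ("unrelated.bin", b"MZ" * 100),
    ]
    for name, blob in samples:
        print(name, triage_bytes(blob))
```

Run it over the contents of a suspect repository (for example with `triage_file` in a `Path.rglob("*")` loop) to list every standalone or embedded PCK and its engine version; an encrypted directory flag on a .pck that arrived as a "mod" or "DLC" is the signal the table above describes and is worth a closer look before anything from that archive is run.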
Read full article: https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/
Disclaimer: The above summary has been generated by an AI language model